Configure Windows Event collection

Microsoft Defender for Identity detection relies on specific Windows Event log entries to enhance some detections and provide additional information on who performed specific actions such as NTLM logons, security group modifications, and similar events. For the correct events to be audited and included in the Windows Event Log, your domain controllers require accurate Advanced Audit Policy settings. Incorrect Advanced Audit Policy settings can lead to the required events not being recorded in the Event Log and result in incomplete Defender for Identity coverage.

To enhance threat detection capabilities, Defender for Identity needs the following Windows Events to be audited on your domain controllers and collected by the Defender for Identity sensor:

Relevant Windows Events

For Active Directory Federation Services (AD FS) events

  • 1202 - The Federation Service validated a new credential
  • 1203 - The Federation Service failed to validate a new credential
  • 4624 - An account was successfully logged on
  • 4625 - An account failed to log on

For other events

  • 1644 - LDAP search
  • 4662 - An operation was performed on an object
  • 4726 - User Account Deleted
  • 4728 - Member Added to Global Security Group
  • 4729 - Member Removed from Global Security Group
  • 4730 - Global Security Group Deleted
  • 4732 - Member Added to Local Security Group
  • 4733 - Member Removed from Local Security Group
  • 4741 - Computer Account Added
  • 4743 - Computer Account Deleted
  • 4753 - Global Distribution Group Deleted
  • 4756 - Member Added to Universal Security Group
  • 4757 - Member Removed from Universal Security Group
  • 4758 - Universal Security Group Deleted
  • 4763 - Universal Distribution Group Deleted
  • 4776 - Domain Controller Attempted to Validate Credentials for an Account (NTLM)
  • 7045 - New Service Installed
  • 8004 - NTLM Authentication

Configure audit policies

Modify the Advanced Audit Policies of your domain controller using the following instructions:

  1. Log in to the server as Domain Administrator.

  2. Open the Group Policy Management Editor from Server Manager > Tools > Group Policy Management.

  3. Expand the Domain Controllers Organizational Units, right-click Default Domain Controllers Policy, and then select Edit.

    Note

    You can use the Default Domain Controllers Policy or a dedicated GPO to set these policies.

    [Screenshot: Edit domain controller policy]

  4. From the window that opens, go to Computer Configuration > Policies > Windows Settings > Security Settings and depending on the policy you want to enable, do the following:

    For Advanced Audit Policy Configuration

    1. Go to Advanced Audit Policy Configuration > Audit Policies.

      [Screenshot: Advanced Audit Policy Configuration]

    2. Under Audit Policies, edit each of the following policies and select Configure the following audit events for both Success and Failure events.

      Audit policy         Subcategory                            Triggers event IDs
      Account Logon        Audit Credential Validation            4776
      Account Management   Audit Computer Account Management      4741, 4743
      Account Management   Audit Distribution Group Management    4753, 4763
      Account Management   Audit Security Group Management        4728, 4729, 4730, 4732, 4733, 4756, 4757, 4758
      Account Management   Audit User Account Management          4726
      DS Access            Audit Directory Service Access         4662 (for this event, it's also necessary to Configure object auditing; see the section below)
      System               Audit Security System Extension        7045

      For example, to configure Audit Security Group Management, under Account Management, double-click Audit Security Group Management, and then select Configure the following audit events for both Success and Failure events.

      [Screenshot: Audit Security Group Management]

  5. From an elevated command prompt type gpupdate.

    Note

    This step should be performed on all domain controllers in the domain, or you can wait for the next Group Policy refresh cycle to update them (by default within 90 minutes).

  6. After applying via GPO, the new events are visible in the Event Viewer, under Windows Logs > Security.

Note

If you choose to use a local security policy instead of using a group policy, make sure to add the Account Logon, Account Management, and Security Options audit logs in your local policy. If you are configuring the advanced audit policy, make sure to force the audit policy subcategory.
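After the GPO has applied, it is worth confirming on each domain controller that the effective audit policy really is "Success and Failure" for every subcategory in the table above, and that the expected events are actually being written. The following PowerShell script is an added example, not part of the Defender for Identity documentation; it reads the effective policy with auditpol (the subcategory names match the table, without the "Audit " prefix) and counts recent Security events per expected ID. Run it in an elevated session on the DC.

```powershell
# Added example: verify the Advanced Audit Policy subcategories required by
# Defender for Identity and count the expected Security events logged recently.
# Requires an elevated PowerShell session on a domain controller.

# Subcategory name (as auditpol reports it) -> event IDs it should produce.
$Required = [ordered]@{
    'Credential Validation'         = @(4776)
    'Computer Account Management'   = @(4741, 4743)
    'Distribution Group Management' = @(4753, 4763)
    'Security Group Management'     = @(4728, 4729, 4730, 4732, 4733, 4756, 4757, 4758)
    'User Account Management'       = @(4726)
    'Directory Service Access'      = @(4662)
    'Security System Extension'     = @(7045)
}

function Get-EffectiveAuditPolicy {
    # auditpol /r prints CSV with the columns: Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
    # Blank lines are dropped before parsing.
    auditpol.exe /get /category:* /r |
        Where-Object { $_.Trim() -ne '' } |
        ConvertFrom-Csv
}

function Test-DefenderAuditPolicy {
    # One row per required subcategory, flagged Compliant only when the
    # effective inclusion setting is exactly "Success and Failure".
    $policy = Get-EffectiveAuditPolicy
    foreach ($sub in $Required.Keys) {
        $row = $policy | Where-Object { $_.Subcategory -eq $sub } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { '<not found>' }
        [pscustomobject]@{
            Subcategory = $sub
            Setting     = $setting
            Compliant   = ($setting -eq 'Success and Failure')
        }
    }
}

function Get-RecentEventCounts {
    # Count Security events for every expected ID within the last $Hours hours.
    # A zero count is not necessarily a misconfiguration (the action may simply
    # not have happened), but a zero for 4776 or 4662 on a busy DC is suspicious.
    param([int]$Hours = 24)
    $ids    = $Required.Values | ForEach-Object { $_ }
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = $ids
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($id in ($ids | Sort-Object)) {
        [pscustomobject]@{
            EventId = $id
            Count   = @($events | Where-Object { $_.Id -eq $id }).Count
        }
    }
}

Test-DefenderAuditPolicy | Format-Table -AutoSize
Get-RecentEventCounts -Hours 24 | Format-Table -AutoSize
```

Any row that is not Compliant means the GPO has not applied to this DC (run gpupdate /force and check for a conflicting GPO with auditpol /get /category:*), or that a local setting is overriding it.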

Event ID 8004

To audit Event ID 8004, additional configuration steps are required.

Note

  • Domain group policies to collect Windows Event 8004 should only be applied to domain controllers.
  • When Windows Event 8004 is parsed by the Defender for Identity sensor, Defender for Identity NTLM authentication activities are enriched with the accessed server data.

  1. Following the steps above, open Group Policy Management and navigate to the Default Domain Controllers Policy.

  2. Go to Local Policies > Security Options.

  3. Under Security Options, configure the specified security policies, as follows:

    Security policy setting                                                       Value
    Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers      Audit all
    Network security: Restrict NTLM: Audit NTLM authentication in this domain     Enable all
    Network security: Restrict NTLM: Audit Incoming NTLM Traffic                  Enable auditing for all accounts

    For example, to configure Outgoing NTLM traffic to remote servers, under Security Options, double-click Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers, and then select Audit all.

    [Screenshot: Audit Outgoing NTLM traffic to remote servers]
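To confirm that the three settings above have reached a domain controller and that 8004 events are being produced, the following PowerShell script (an added example, not part of the documentation) reads the registry values that back the "Restrict NTLM" policies under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 and then lists recent 8004 events. The value names and the numeric codes for "Audit all", "Enable all" and "Enable auditing for all accounts" are taken from Microsoft's NTLM policy documentation as I understand it; treat them as an assumption and compare against your own policy export if the result looks wrong.

```powershell
# Added example: check the NTLM audit settings that produce event 8004 on a
# domain controller and list recent 8004 events from the NTLM operational log.
# Run in an elevated session on the DC after the GPO has applied.

$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Registry value -> expected data, mapped from the GPO settings in the table above.
# Assumption: these mappings follow Microsoft's NTLM restriction policy documentation.
$Expected = [ordered]@{
    'RestrictSendingNTLMTraffic' = 1   # Outgoing NTLM traffic to remote servers: Audit all
    'AuditNTLMInDomain'          = 7   # Audit NTLM authentication in this domain: Enable all
    'AuditReceivingNTLMTraffic'  = 2   # Audit Incoming NTLM Traffic: Enable auditing for all accounts
}

function Test-NtlmAuditPolicy {
    # One row per setting; Current is $null when the value has never been set,
    # which means the policy has not applied (the default is "not configured").
    foreach ($name in $Expected.Keys) {
        $current = (Get-ItemProperty -Path $Msv1Key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Current  = $current
            Ok       = ($current -eq $Expected[$name])
        }
    }
}

function Get-Recent8004 {
    # 8004 is written to Microsoft-Windows-NTLM/Operational, not to the Security log.
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Test-NtlmAuditPolicy | Format-Table -AutoSize
Get-Recent8004 -Hours 1 | Format-Table -AutoSize
```

If the registry values are correct but no 8004 events appear, check that the Microsoft-Windows-NTLM/Operational log is enabled in Event Viewer (Applications and Services Logs) and that NTLM authentication is actually occurring against this DC.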

Event ID 1644

Microsoft Defender for Identity can monitor additional LDAP queries in your network. These LDAP activities are sent over the Active Directory Web Service protocol and act like normal LDAP queries. To have visibility into these activities, you need to enable event 1644 on your domain controllers. This event covers LDAP activities in your domain and is primarily used to identify expensive, inefficient, or slow Lightweight Directory Access Protocol (LDAP) searches that are serviced by Active Directory domain controllers.

Note

Logging the 1644 events may impact server performance. While the resource limitation feature can stop the Defender for Identity service if the server is running out of resources, it does not stop the event auditing at the operating system level. Therefore, to avoid performance issues, make sure your servers have sufficient memory, CPU, and disk resources.

Windows event 1644 isn't collected by default on domain controllers and needs to be manually activated to support this feature. This is done by creating the following registry values (shown here in .reg file format):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics]
"15 Field Engineering"=dword:00000005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"Expensive Search Results Threshold"=dword:00000001
"Inefficient Search Results Threshold"=dword:00000001
"Search Time Threshold (msecs)"=dword:00000001
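The same values can be applied and verified with PowerShell rather than by importing a .reg file. The script below is an added example, not part of the documentation; it sets exactly the four values listed above, reads them back, and lists recent 1644 events from the Directory Service log so you can confirm logging has started. Because the thresholds are set to 1, effectively every LDAP search is logged, which is the performance cost the note above warns about.

```powershell
# Added example: apply the registry values that enable event 1644 on a domain
# controller, read them back, and list recent 1644 events. Run elevated on the DC.

$Diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# The four DWORD values from the .reg fragment above.
$Values = @(
    @{ Path = $Diag;   Name = '15 Field Engineering';                 Data = 5 },
    @{ Path = $Params; Name = 'Expensive Search Results Threshold';   Data = 1 },
    @{ Path = $Params; Name = 'Inefficient Search Results Threshold'; Data = 1 },
    @{ Path = $Params; Name = 'Search Time Threshold (msecs)';        Data = 1 }
)

function Set-Ldap1644Auditing {
    # -Force overwrites an existing value of the same name; no reboot is needed,
    # NTDS picks the diagnostics level up dynamically.
    foreach ($v in $Values) {
        New-ItemProperty -Path $v.Path -Name $v.Name -PropertyType DWord `
            -Value $v.Data -Force | Out-Null
    }
}

function Test-Ldap1644Auditing {
    # Read each value back and flag any that differ from the expected data.
    foreach ($v in $Values) {
        $current = (Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        [pscustomobject]@{
            Name     = $v.Name
            Expected = $v.Data
            Current  = $current
            Ok       = ($current -eq $v.Data)
        }
    }
}

function Get-Recent1644 {
    # 1644 is written to the Directory Service log, not the Security log.
    param([int]$Minutes = 15)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 1644
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Set-Ldap1644Auditing
Test-Ldap1644Auditing | Format-Table -AutoSize
Get-Recent1644 -Minutes 15 | Format-Table -AutoSize
```

Keep an eye on the Directory Service log size after enabling this: with thresholds of 1 it fills quickly on a busy DC, so raise the log's maximum size or shorten the retention if the sensor starts missing events.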

Configure object auditing

To collect 4662 events, it's also necessary to configure object auditing on the user, group and computer objects. Here's an example of how to enable auditing on all users, groups, and computers in the Active Directory domain; the same procedure can also be scoped to an OU (organizational unit):

Note

It is important to review and verify your audit policies before enabling event collection to ensure that the domain controllers are properly configured to record the necessary events.

If configured properly, this auditing should have minimal effect on server performance.

  1. Go to the Active Directory Users and Computers console.

  2. Select the domain or OU that contains the users, groups, or computers you want to audit.

  3. Right-click the container (the domain or OU) and select Properties.

    [Screenshot: Container properties]

  4. Go to the Security tab, and select Advanced.

    [Screenshot: Advanced security properties]

  5. In Advanced Security Settings, choose the Auditing tab. Select Add.

    [Screenshot: Select auditing tab]

  6. Click Select a principal.

    [Screenshot: Select a principal]

  7. Under Enter the object name to select, type Everyone. Then select Check Names, and select OK.

    [Screenshot: Select everyone]

  8. You'll then return to Auditing Entry. Make the following selections:

    • For Type select Success.

    • For Applies to select Descendant User objects.

    • Under Permissions, scroll down and select Clear all. Scroll up and select Full Control. All the permissions will be selected. Then uncheck the List contents, Read permissions, and Read all properties permissions. Then select OK. This will set all the Properties settings to Write. Now when triggered, all relevant changes to directory services will appear as 4662 events.

      [Screenshot: Select permissions]

      [Screenshot: Select properties]

  9. Then repeat the steps above, but for Applies to, select Descendant Group Objects, and then again for Descendant Computer Objects.

Auditing for specific detections

Some detections require auditing specific Active Directory objects. To do so, follow the steps above, but note the changes below regarding which objects to audit and which permissions to include.

Enable auditing on an ADFS object

  1. Go to the Active Directory Users and Computers console, and choose the domain you want to enable the logs on.

  2. Navigate to Program Data > Microsoft > ADFS.

    [Screenshot: ADFS container]

  3. Right-click ADFS and select Properties.

  4. Go to the Security tab, and select Advanced.

  5. In Advanced Security Settings, choose the Auditing tab. Select Add.

  6. Click Select a principal.

  7. Under Enter the object name to select, type Everyone. Then select Check Names, and select OK.

  8. You'll then return to Auditing Entry. Make the following selections:

    • For Type select All.
    • For Applies to select This object and all descendant objects.
    • Under Permissions, scroll down and select Clear all. Scroll up and select Read all properties and Write all properties.

    [Screenshot: Auditing settings for ADFS]

  9. Select OK.

Enable auditing on an Exchange object

  1. Open ADSI Edit. To do this, select Start, select Run, type ADSIEdit.msc, and then select OK.

  2. On the Action menu, select Connect to.

  3. In the Connection Settings dialog box under Select a well known Naming Context, select Configuration, and then select OK.

  4. Expand the Configuration container. Under the Configuration container, you'll see the Configuration node. It will begin with “CN=Configuration,DC=..."

  5. Right-click the Configuration node and select Properties.

    [Screenshot: Configuration node properties]

  6. Go to the Security tab, and select Advanced.

  7. In Advanced Security Settings, choose the Auditing tab. Select Add.

  8. Click Select a principal.

  9. Under Enter the object name to select, type Everyone. Then select Check Names, and select OK.

  10. You'll then return to Auditing Entry. Make the following selections:

    • For Type select All.
    • For Applies to select This object and all descendant objects.
    • Under Permissions, scroll down and select Clear all. Scroll up and select Write all properties.

    [Screenshot: Auditing settings for Configuration]

  11. Select OK.
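The three object-auditing procedures on this page (the domain-wide user, group and computer entries under "Configure object auditing", the ADFS container, and the Configuration node) all come down to a SACL entry for Everyone with particular rights, audit type and inheritance scope. The following PowerShell script is an added example, not part of the documentation, that reads those SACLs back and reports whether each expected entry is present, which is the check you want before concluding that missing 4662 events are a sensor problem. It assumes the ActiveDirectory module is installed, that the session has the privilege to read SACLs (a Domain Admin on a DC does), and that the AD FS container lives at CN=ADFS,CN=Microsoft,CN=Program Data under the domain root, as the navigation in the ADFS procedure suggests; the schema class GUIDs for user, group and computer are the well-known values. The check for the domain entries is deliberately minimal: it requires the Write all properties right that the procedure ends up granting, rather than reproducing the exact Full Control-minus-three-rights mask.

```powershell
# Added example: verify the audit (SACL) entries for Everyone that the object
# auditing procedures above create, for the domain root, the ADFS container and
# the Configuration naming context. Requires the ActiveDirectory module.

Import-Module ActiveDirectory

# Well-known schema class GUIDs behind "Applies to: Descendant <class> objects".
$ClassGuid = @{
    User     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
    Group    = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
    Computer = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
}

function Test-AdAuditEntry {
    # Returns one row saying whether an explicit audit rule for Everyone exists on
    # $DistinguishedName that covers at least $Rights and $Flags with the given
    # inheritance scope and (optionally) inherited object class.
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [Parameter(Mandatory)] [System.Security.AccessControl.AuditFlags] $Flags,
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inheritance,
        [guid] $InheritedObjectType = [guid]::Empty
    )
    try {
        $acl   = Get-Acl -Path "AD:\$DistinguishedName" -Audit
        # explicit rules only (includeInherited = $false), resolved to account names
        $rules = $acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount])
        $match = $rules | Where-Object {
            $_.IdentityReference.Value -eq 'Everyone' -and
            (($_.AuditFlags -band $Flags) -eq $Flags) -and
            (($_.ActiveDirectoryRights -band $Rights) -eq $Rights) -and
            $_.InheritanceType -eq $Inheritance -and
            $_.InheritedObjectType -eq $InheritedObjectType
        }
        $present = [bool]$match
        $note    = ''
    } catch {
        $present = $false
        $note    = $_.Exception.Message   # e.g. the ADFS container does not exist
    }
    [pscustomobject]@{
        Object              = $DistinguishedName
        InheritedObjectType = $InheritedObjectType
        Rights              = $Rights
        Present             = $present
        Note                = $note
    }
}

function Test-DefenderObjectAuditing {
    $root   = (Get-ADDomain).DistinguishedName
    $config = (Get-ADRootDSE).configurationNamingContext
    $adfs   = "CN=ADFS,CN=Microsoft,CN=Program Data,$root"   # assumed location, see lead-in

    # "Configure object auditing": Success, Descendant User/Group/Computer objects, Write properties.
    foreach ($class in 'User', 'Group', 'Computer') {
        Test-AdAuditEntry -DistinguishedName $root -Rights WriteProperty -Flags Success `
            -Inheritance Descendents -InheritedObjectType $ClassGuid[$class]
    }
    # ADFS container: Type All, this object and all descendants, Read + Write all properties.
    Test-AdAuditEntry -DistinguishedName $adfs -Rights 'ReadProperty, WriteProperty' `
        -Flags 'Success, Failure' -Inheritance All
    # Configuration node: Type All, this object and all descendants, Write all properties.
    Test-AdAuditEntry -DistinguishedName $config -Rights WriteProperty `
        -Flags 'Success, Failure' -Inheritance All
}

Test-DefenderObjectAuditing | Format-Table -AutoSize
```

A row with Present = False and an empty Note means the container exists but the entry is missing or was scoped differently (for example "This object only" instead of "Descendant User objects"); a non-empty Note usually means the container could not be read at all, which for the ADFS entry is expected on a domain without AD FS.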

Configure event collection

These events can be collected automatically by the Defender for Identity sensor or, if the Defender for Identity sensor isn't deployed, they can be forwarded to the Defender for Identity standalone sensor in one of the following ways:

Note

  • Defender for Identity standalone sensors do not support the collection of Event Tracing for Windows (ETW) log entries that provide the data for multiple detections. For full coverage of your environment, we recommend deploying the Defender for Identity sensor.

Next steps