Configure Windows Event collection

Microsoft Defender for Identity detection relies on specific Windows Event log entries to enhance some detections and provide additional information on who performed specific actions such as NTLM logons, security group modifications, and similar events. For the correct events to be audited and included in the Windows Event Log, your domain controllers require accurate Advanced Audit Policy settings. Incorrect Advanced Audit Policy settings can lead to the required events not being recorded in the Event Log and result in incomplete Defender for Identity coverage.

To enhance threat detection capabilities, Defender for Identity needs the following Windows Events to be configured and collected by Defender for Identity:

For Active Directory Federation Services (AD FS) events

  • 1202 - The Federation Service validated a new credential
  • 1203 - The Federation Service failed to validate a new credential
  • 4624 - An account was successfully logged on
  • 4625 - An account failed to log on

For Other events

  • 4662 - An operation was performed on an object
  • 4726 - User Account Deleted
  • 4728 - Member Added to Global Security Group
  • 4729 - Member Removed from Global Security Group
  • 4730 - Global Security Group Deleted
  • 4732 - Member Added to Local Security Group
  • 4733 - Member Removed from Local Security Group
  • 4741 - Computer Account Added
  • 4743 - Computer Account Deleted
  • 4753 - Global Distribution Group Deleted
  • 4756 - Member Added to Universal Security Group
  • 4757 - Member Removed from Universal Security Group
  • 4758 - Universal Security Group Deleted
  • 4763 - Universal Distribution Group Deleted
  • 4776 - Domain Controller Attempted to Validate Credentials for an Account (NTLM)
  • 7045 - New Service Installed
  • 8004 - NTLM Authentication

Configure audit policies

Modify the Advanced Audit Policies of your domain controller using the following instructions:

  1. Log in to the Server as Domain Administrator.

  2. Load the Group Policy Management Editor from Server Manager > Tools > Group Policy Management.

  3. Expand the Domain Controllers Organizational Units, right-click on Default Domain Controllers Policy, and then select Edit.

    Note

    You can use the Default Domain Controllers Policy or a dedicated GPO to set these policies.

    Edit domain controller policy.

  4. From the window that opens, go to Computer Configuration > Policies > Windows Settings > Security Settings and depending on the policy you want to enable, do the following:

    For Advanced Audit Policy Configuration

    1. Go to Advanced Audit Policy Configuration > Audit Policies. Advanced Audit Policy Configuration.

    2. Under Audit Policies, edit each of the following policies and select Configure the following audit events for both Success and Failure events.

      Audit policy Subcategory Triggers event IDs
      Account Logon Audit Credential Validation 4776
      Account Management Audit Computer Account Management 4741, 4743
      Account Management Audit Distribution Group Management 4753, 4763
      Account Management Audit Security Group Management 4728, 4729, 4730, 4732, 4733, 4756, 4757, 4758
      Account Management Audit User Account Management 4726
      DS Access Audit Directory Service Access 4662
      System Audit Security System Extension 7045

      For example, to configure Audit Security Group Management, under Account Management, double-click Audit Security Group Management, and then select Configure the following audit events for both Success and Failure events.

      Audit Security Group Management.

    For Local Policies (Event ID: 8004)

    Note

    • Domain group policies to collect Windows Event 8004 should only be applied to domain controllers.
    • When Windows Event 8004 is parsed by Defender for Identity Sensor, Defender for Identity NTLM authentications activities are enriched with the server accessed data.
    1. Go to Local Policies > Security Options.

    2. Under Security Options, configure the specified security policies, as follows

      Security policy setting Value
      Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers Audit all
      Network security: Restrict NTLM: Audit NTLM authentication in this domain Enable all
      Network security: Restrict NTLM: Audit Incoming NTLM Traffic Enable auditing for all accounts

      For example, to configure Outgoing NTLM traffic to remote servers, under Security Options, double-click Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers, and then select Audit all.

      Audit Outgoing NTLM traffic to remote servers.

    Note

    If you choose to use a local security policy instead of using a group policy, make sure to add the Account Logon, Account Management, and Security Options audit logs in your local policy. If you are configuring the advanced audit policy, make sure to force the audit policy subcategory.

  5. After applying via GPO, the new events are visible under your Windows Event logs.

Configure event collection

These events can be collected automatically by the Defender for Identity sensor or, if the Defender for Identity sensor is not deployed, they can be forwarded to the Defender for Identity standalone sensor in one of the following ways:

Note

  • Defender for Identity standalone sensors do not support the collection of Event Tracing for Windows (ETW) log entries that provide the data for multiple detections. For full coverage of your environment, we recommend deploying the Defender for Identity sensor.
  • It is important to review and verify your audit policies before enabling event collection to ensure that the domain controllers are properly configured to record the necessary events.

See Also