Audit Policy Recommendations

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10, Windows 8.1, Windows 7

This section addresses the Windows default audit policy settings, the baseline recommended audit policy settings, and the more aggressive recommendations from Microsoft, for workstation and server products.

The SCM baseline recommendations shown here, along with the settings we recommend to help detect compromise, are intended only to be a starting baseline guide for administrators. Each organization must make its own decisions regarding the threats it faces, its acceptable risk tolerance, and which audit policy categories or subcategories it should enable. For further information about threats, refer to the Threats and Countermeasures Guide. Administrators without a thoughtful audit policy in place are encouraged to start with the settings recommended here, and then to modify and test them before implementing them in their production environment.

The recommendations are for enterprise-class computers, which Microsoft defines as computers that have average security requirements and require a high level of operational functionality. Entities with higher security requirements should consider more aggressive audit policies.

Note

Microsoft Windows defaults and baseline recommendations were taken from the Microsoft Security Compliance Manager tool.

The following baseline audit policy settings are recommended for normal-security computers that are not known to be under active, successful attack by determined adversaries or malware.

This section contains tables that list the audit setting recommendations that apply to the following operating systems:

  • Windows Server 2016
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2008
  • Windows 10
  • Windows 8.1
  • Windows 7

These tables contain the Windows default setting, the baseline recommendation, and the stronger recommendation for these operating systems.

Audit Policy Tables Legend

| Notation | Recommendation |
|---|---|
| YES | Enable in general scenarios |
| NO | Do not enable in general scenarios |
| IF | Enable if needed for a specific scenario, or if a role or feature for which auditing is desired is installed on the machine |
| DC | Enable on domain controllers |
| [Blank] | No recommendation |

Windows 10, Windows 8, and Windows 7 Audit Settings Recommendations

| Audit Policy Category or Subcategory | Windows Default (Success / Failure) | Baseline Recommendation (Success / Failure) | Stronger Recommendation (Success / Failure) |
|---|---|---|---|
| Account Logon | | | |
| Audit Credential Validation | No / No | Yes / No | Yes / Yes |
| Audit Kerberos Authentication Service | | | Yes / Yes |
| Audit Kerberos Service Ticket Operations | | | Yes / Yes |
| Audit Other Account Logon Events | | | Yes / Yes |
| Account Management | | | |
| Audit Application Group Management | | | |
| Audit Computer Account Management | | Yes / No | Yes / Yes |
| Audit Distribution Group Management | | | |
| Audit Other Account Management Events | | Yes / No | Yes / Yes |
| Audit Security Group Management | | Yes / No | Yes / Yes |
| Audit User Account Management | Yes / No | Yes / No | Yes / Yes |
| Detailed Tracking | | | |
| Audit DPAPI Activity | | | Yes / Yes |
| Audit Process Creation | | Yes / No | Yes / Yes |
| Audit Process Termination | | | |
| Audit RPC Events | | | |
| DS Access | | | |
| Audit Detailed Directory Service Replication | | | |
| Audit Directory Service Access | | | |
| Audit Directory Service Changes | | | |
| Audit Directory Service Replication | | | |
| Logon and Logoff | | | |
| Audit Account Lockout | | Yes / No | Yes / No |
| Audit User/Device Claims | | | |
| Audit IPsec Extended Mode | | | |
| Audit IPsec Main Mode | | | IF / IF |
| Audit IPsec Quick Mode | | | |
| Audit Logoff | Yes / No | Yes / No | Yes / No |
| Audit Logon ¹ | Yes / Yes | Yes / Yes | Yes / Yes |
| Audit Network Policy Server | Yes / Yes | | |
| Audit Other Logon/Logoff Events | | | |
| Audit Special Logon | Yes / No | Yes / No | Yes / Yes |
| Object Access | | | |
| Audit Application Generated | | | |
| Audit Certification Services | | | |
| Audit Detailed File Share | | | |
| Audit File Share | | | |
| Audit File System | | | |
| Audit Filtering Platform Connection | | | |
| Audit Filtering Platform Packet Drop | | | |
| Audit Handle Manipulation | | | |
| Audit Kernel Object | | | |
| Audit Other Object Access Events | | | |
| Audit Registry | | | |
| Audit Removable Storage | | | |
| Audit SAM | | | |
| Audit Central Access Policy Staging | | | |
| Policy Change | | | |
| Audit Audit Policy Change | Yes / No | Yes / Yes | Yes / Yes |
| Audit Authentication Policy Change | Yes / No | Yes / No | Yes / Yes |
| Audit Authorization Policy Change | | | |
| Audit Filtering Platform Policy Change | | | |
| Audit MPSSVC Rule-Level Policy Change | | | Yes |
| Audit Other Policy Change Events | | | |
| Privilege Use | | | |
| Audit Non Sensitive Privilege Use | | | |
| Audit Other Privilege Use Events | | | |
| Audit Sensitive Privilege Use | | | |
| System | | | |
| Audit IPsec Driver | | Yes / Yes | Yes / Yes |
| Audit Other System Events | Yes / Yes | | |
| Audit Security State Change | Yes / No | Yes / Yes | Yes / Yes |
| Audit Security System Extension | | Yes / Yes | Yes / Yes |
| Audit System Integrity | Yes / Yes | Yes / Yes | Yes / Yes |
| Global Object Access Auditing | | | |
| Audit IPsec Driver | | | |
| Audit Other System Events | | | |
| Audit Security State Change | | | |
| Audit Security System Extension | | | |
| Audit System Integrity | | | |

¹ Beginning with Windows 10 version 1809, Audit Logon is enabled by default for both Success and Failure. In previous versions of Windows, only Success is enabled by default.

Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Audit Settings Recommendations

| Audit Policy Category or Subcategory | Windows Default (Success / Failure) | Baseline Recommendation (Success / Failure) | Stronger Recommendation (Success / Failure) |
|---|---|---|---|
| Account Logon | | | |
| Audit Credential Validation | No / No | Yes / Yes | Yes / Yes |
| Audit Kerberos Authentication Service | | | Yes / Yes |
| Audit Kerberos Service Ticket Operations | | | Yes / Yes |
| Audit Other Account Logon Events | | | Yes / Yes |
| Account Management | | | |
| Audit Application Group Management | | | |
| Audit Computer Account Management | | Yes / DC | Yes / Yes |
| Audit Distribution Group Management | | | |
| Audit Other Account Management Events | | Yes / Yes | Yes / Yes |
| Audit Security Group Management | | Yes / Yes | Yes / Yes |
| Audit User Account Management | Yes / No | Yes / Yes | Yes / Yes |
| Detailed Tracking | | | |
| Audit DPAPI Activity | | | Yes / Yes |
| Audit Process Creation | | Yes / No | Yes / Yes |
| Audit Process Termination | | | |
| Audit RPC Events | | | |
| DS Access | | | |
| Audit Detailed Directory Service Replication | | | |
| Audit Directory Service Access | | DC / DC | DC / DC |
| Audit Directory Service Changes | | DC / DC | DC / DC |
| Audit Directory Service Replication | | | |
| Logon and Logoff | | | |
| Audit Account Lockout | | Yes / No | Yes / No |
| Audit User/Device Claims | | | |
| Audit IPsec Extended Mode | | | |
| Audit IPsec Main Mode | | | IF / IF |
| Audit IPsec Quick Mode | | | |
| Audit Logoff | Yes / No | Yes / No | Yes / No |
| Audit Logon | Yes / Yes | Yes / Yes | Yes / Yes |
| Audit Network Policy Server | Yes / Yes | | |
| Audit Other Logon/Logoff Events | | | Yes / Yes |
| Audit Special Logon | Yes / No | Yes / No | Yes / Yes |
| Object Access | | | |
| Audit Application Generated | | | |
| Audit Certification Services | | | |
| Audit Detailed File Share | | | |
| Audit File Share | | | |
| Audit File System | | | |
| Audit Filtering Platform Connection | | | |
| Audit Filtering Platform Packet Drop | | | |
| Audit Handle Manipulation | | | |
| Audit Kernel Object | | | |
| Audit Other Object Access Events | | | |
| Audit Registry | | | |
| Audit Removable Storage | | | |
| Audit SAM | | | |
| Audit Central Access Policy Staging | | | |
| Policy Change | | | |
| Audit Audit Policy Change | Yes / No | Yes / Yes | Yes / Yes |
| Audit Authentication Policy Change | Yes / No | Yes / No | Yes / Yes |
| Audit Authorization Policy Change | | | |
| Audit Filtering Platform Policy Change | | | |
| Audit MPSSVC Rule-Level Policy Change | | | Yes |
| Audit Other Policy Change Events | | | |
| Privilege Use | | | |
| Audit Non Sensitive Privilege Use | | | |
| Audit Other Privilege Use Events | | | |
| Audit Sensitive Privilege Use | | | |
| System | | | |
| Audit IPsec Driver | | Yes / Yes | Yes / Yes |
| Audit Other System Events | Yes / Yes | | |
| Audit Security State Change | Yes / No | Yes / Yes | Yes / Yes |
| Audit Security System Extension | | Yes / Yes | Yes / Yes |
| Audit System Integrity | Yes / Yes | Yes / Yes | Yes / Yes |
| Global Object Access Auditing | | | |
| Audit IPsec Driver | | | |
| Audit Other System Events | | | |
| Audit Security State Change | | | |
| Audit Security System Extension | | | |
| Audit System Integrity | | | |

Set Audit Policy on Workstations and Servers

All event log management plans should monitor workstations and servers. A common mistake is to monitor only servers or domain controllers. Because malicious hacking often begins on workstations, not monitoring workstations means ignoring the best and earliest source of information.

Administrators should thoughtfully review and test any audit policy before implementing it in their production environment.
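As an added example (not code from the Microsoft page), the following PowerShell compares a workstation's effective audit policy with the Baseline column of the workstation table above and builds the auditpol commands that would close any gap. It assumes English auditpol subcategory names; the sample CSV, the host name WKS01 and the placeholder GUIDs are constructed, not captured from a real machine.

```powershell
# Added example, not from the Microsoft page: compare a workstation's effective audit
# policy (the CSV that "auditpol /get /category:* /r" prints) with the Baseline column
# of the workstation table, and build the auditpol commands that would fix any drift.
# Keys are auditpol subcategory names, i.e. the table's names without "Audit ".
$WorkstationBaseline = @{
    'Credential Validation'           = 'Success'
    'Computer Account Management'     = 'Success'
    'Other Account Management Events' = 'Success'
    'Security Group Management'       = 'Success'
    'User Account Management'         = 'Success'
    'Process Creation'                = 'Success'
    'Account Lockout'                 = 'Success'
    'Logoff'                          = 'Success'
    'Logon'                           = 'Success and Failure'
    'Special Logon'                   = 'Success'
    'Audit Policy Change'             = 'Success and Failure'
    'Authentication Policy Change'    = 'Success'
    'IPsec Driver'                    = 'Success and Failure'
    'Security State Change'           = 'Success and Failure'
    'Security System Extension'       = 'Success and Failure'
    'System Integrity'                = 'Success and Failure'
}

# One object per baseline subcategory whose effective "Inclusion Setting" differs from
# the baseline. A subcategory missing from the CSV is treated as "No Auditing".
function Compare-AuditBaseline([string[]]$AuditpolCsv, [hashtable]$Baseline) {
    $rows = ($AuditpolCsv -join "`n") -split "`r?`n" | Where-Object { $_.Trim() } | ConvertFrom-Csv
    $effective = @{}
    foreach ($row in $rows) { $effective[$row.Subcategory.Trim()] = $row.'Inclusion Setting'.Trim() }
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $have = if ($effective.ContainsKey($name)) { $effective[$name] } else { 'No Auditing' }
        if ($have -ne $Baseline[$name]) {
            [pscustomobject]@{ Subcategory = $name; Baseline = $Baseline[$name]; Effective = $have }
        }
    }
}

# The auditpol /set command that brings one drifted subcategory to its baseline value.
function Get-AuditpolFix($Drift) {
    $s = if ($Drift.Baseline -match 'Success') { 'enable' } else { 'disable' }
    $f = if ($Drift.Baseline -match 'Failure') { 'enable' } else { 'disable' }
    "auditpol /set /subcategory:`"$($Drift.Subcategory)`" /success:$s /failure:$f"
}

# Constructed sample in the "auditpol /get /category:* /r" CSV layout (not from a real host;
# GUIDs replaced by a placeholder). Only four subcategories are listed, so the other twelve
# baseline entries are reported as "No Auditing" as well.
$sampleCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WKS01,System,Credential Validation,{placeholder-guid},No Auditing,
WKS01,System,Logon,{placeholder-guid},Success and Failure,
WKS01,System,Process Creation,{placeholder-guid},No Auditing,
WKS01,System,Audit Policy Change,{placeholder-guid},Success and Failure,
'@

# On a real workstation use: $drift = Compare-AuditBaseline (auditpol /get /category:* /r) $WorkstationBaseline
$drift = Compare-AuditBaseline -AuditpolCsv $sampleCsv -Baseline $WorkstationBaseline
$drift | Format-Table -AutoSize
$drift | ForEach-Object { Get-AuditpolFix $_ }   # review the commands, then run them elevated
```

With the constructed sample, Logon and Audit Policy Change match the baseline and every other baseline subcategory is reported as drift; the generated commands are the test-then-apply step the paragraph above asks for.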

Events to Monitor

An ideal event ID for generating a security alert should have the following attributes:

  • High likelihood that an occurrence indicates unauthorized activity

  • Low number of false positives

  • An occurrence should result in an investigative/forensics response

Two types of events should be monitored and alerted on:

  1. Events for which even a single occurrence indicates unauthorized activity

  2. An accumulation of events above an expected and accepted baseline

An example of the first type is:

If Domain Admins (DAs) are forbidden from logging on to computers that are not domain controllers, a single occurrence of a DA member logging on to an end-user workstation should generate an alert and be investigated. This type of alert is easy to generate by using the Audit Special Logon event 4964 (Special groups have been assigned to a new logon). Other examples of single-instance alerts include:

  • If Server A should never connect to Server B, alert when they connect to each other.

  • Alert if a normal end-user account is unexpectedly added to a sensitive security group.

  • If employees in factory location A never work at night, alert when a user logs on at midnight.

  • Alert if an unauthorized service is installed on a domain controller.

  • Investigate if a regular end user attempts to log on directly to a SQL Server for which they have no clear reason to do so.

  • If you have no members in your DA group and someone adds themselves there, check it immediately.

An example of the second type is:

An aberrant number of failed logons could indicate a password-guessing attack. For an enterprise to alert on an unusually high number of failed logons, it must first understand the normal level of failed logons within its environment before a malicious security event occurs.

For a comprehensive list of events that you should include when you monitor for signs of compromise, see Appendix L: Events to Monitor.
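The two alert types above, as an added example (not from the Microsoft page) in PowerShell run over constructed sample events. Event ID 4625 (an account failed to log on) is not named on the page; the host names, timestamps, the 3-sigma threshold, and the assumption that Special Groups is configured so that a DA logon raises event 4964 are mine.

```powershell
# Added example, not from the Microsoft page: the two alert types described above, run
# over constructed sample events shaped like Get-WinEvent output (Id, TimeCreated,
# MachineName). Type 1: a single Event ID 4964 on a host that is not a domain controller.
# Type 2: the newest hour's count of Event ID 4625 (an account failed to log on; not named
# on the page) is compared with a baseline learned from the earlier hours.
$t0 = [datetime]'2024-01-15T00:00:00'   # constructed start of the sample window
$events = @()
# Eight quiet hours with 2-4 failed logons each: the fleet's normal level.
foreach ($h in 0..7) {
    foreach ($i in 1..(2 + ($h % 3))) {
        $events += [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddHours($h).AddMinutes($i); MachineName = 'WKS01' }
    }
}
# Hour 8: a burst of 40 failed logons, then a special-group logon on the workstation
# and one on a domain controller (only the former should alert).
foreach ($i in 1..40) {
    $events += [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddHours(8).AddMinutes($i); MachineName = 'WKS01' }
}
$events += [pscustomobject]@{ Id = 4964; TimeCreated = $t0.AddHours(8).AddMinutes(30); MachineName = 'WKS01' }
$events += [pscustomobject]@{ Id = 4964; TimeCreated = $t0.AddHours(8).AddMinutes(31); MachineName = 'DC01' }

# Type 1: any 4964 outside the domain-controller set is an alert by itself.
function Get-SingleOccurrenceAlerts($Events, [string[]]$DomainControllers) {
    $Events | Where-Object { $_.Id -eq 4964 -and $DomainControllers -notcontains $_.MachineName } |
        ForEach-Object { "ALERT special-group logon on non-DC host $($_.MachineName) at $($_.TimeCreated)" }
}

# Type 2: bucket 4625 events per hour, learn mean and standard deviation from every hour
# except the newest, and alert when the newest hour exceeds mean + 3 sigma. The floor of
# mean + 5 stops a near-zero baseline from alerting on a couple of mistyped passwords.
function Get-FailedLogonBurstAlerts($Events) {
    $buckets = $Events | Where-Object { $_.Id -eq 4625 } |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } | Sort-Object Name
    if ($buckets.Count -lt 3) { return }   # not enough history to learn a baseline
    $history = $buckets[0..($buckets.Count - 2)] | ForEach-Object { $_.Count }
    $mean    = ($history | Measure-Object -Average).Average
    $sq      = $history | ForEach-Object { ($_ - $mean) * ($_ - $mean) }
    $sigma   = [math]::Sqrt(($sq | Measure-Object -Average).Average)
    $limit   = [math]::Max($mean + 3 * $sigma, $mean + 5)
    $newest  = $buckets[-1]
    if ($newest.Count -gt $limit) {
        "ALERT $($newest.Count) failed logons in hour $($newest.Name), baseline limit $([math]::Round($limit, 1))"
    }
}

Get-SingleOccurrenceAlerts -Events $events -DomainControllers @('DC01')
Get-FailedLogonBurstAlerts -Events $events
# Live use, last 24 hours of the Security log:
#   $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4964; StartTime = (Get-Date).AddDays(-1) }
```

On the sample data the quiet hours give a mean of about 2.9 failed logons, so the limit is the mean + 5 floor (about 7.9) and the 40-logon hour alerts, while the 4964 on DC01 is correctly ignored.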

Active Directory Objects and Attributes to Monitor

The following are the accounts, groups, and attributes that you should monitor to help you detect attempts to compromise your Active Directory Domain Services installation.

  • Systems for disabling or removal of antivirus and anti-malware software (automatically restart protection when it is manually disabled)

  • Administrator accounts for unauthorized changes

  • Activities that are performed by using privileged accounts (automatically remove the account when suspicious activities are completed or the allotted time has expired)

  • Privileged and VIP accounts in AD DS. Monitor for changes, particularly changes to attributes on the Account tab (for example, cn, name, sAMAccountName, userPrincipalName, or userAccountControl). In addition to monitoring the accounts, restrict who can modify the accounts to as small a set of administrative users as possible.

Refer to Appendix L: Events to Monitor for a list of recommended events to monitor, their criticality ratings, and an event message summary.

  • Group servers by the classification of their workloads, which allows you to quickly identify the servers that should be the most closely monitored and most stringently configured

  • Changes to the properties and membership of the following AD DS groups: Enterprise Admins (EA), Domain Admins (DA), Administrators (BA), and Schema Admins (SA)

  • Disabled privileged accounts (such as built-in Administrator accounts in Active Directory and on member systems) for enabling of the accounts

  • Management accounts, to log all writes to the account

  • The built-in Security Configuration Wizard, to configure service, registry, audit, and firewall settings to reduce the server's attack surface. Use this wizard if you implement jump servers as part of your administrative host strategy.
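An added example (not from the Microsoft page) of turning the group-membership and Account-tab checks above into a snapshot diff in PowerShell. The snapshot shape, the HIGH/MEDIUM labels and both snapshots are mine and constructed; the userAccountControl bit 0x2 (ACCOUNTDISABLE) is the documented AD flag, and the commented tail shows how a live snapshot would be taken with the ActiveDirectory module.

```powershell
# Added example, not from the Microsoft page: diff two snapshots of the privileged groups
# and watched account attributes listed above. Snapshot shape (mine): Groups maps a group
# name to its member sAMAccountNames, Accounts maps a sAMAccountName to its Account-tab
# attributes. The HIGH/MEDIUM labels are mine; the snapshots below are constructed.
$ACCOUNTDISABLE = 0x2   # userAccountControl flag; when it is cleared the account is enabled

# One finding line per membership change or per change to a watched attribute.
function Compare-PrivilegedSnapshot([hashtable]$Before, [hashtable]$After) {
    foreach ($g in ($After.Groups.Keys | Sort-Object)) {
        $old = @($Before.Groups[$g] | Where-Object { $_ })
        $new = @($After.Groups[$g]  | Where-Object { $_ })
        foreach ($m in ($new | Where-Object { $old -notcontains $_ })) { "HIGH   member added to ${g}: $m" }
        foreach ($m in ($old | Where-Object { $new -notcontains $_ })) { "MEDIUM member removed from ${g}: $m" }
    }
    foreach ($acct in ($After.Accounts.Keys | Sort-Object)) {
        $a = $After.Accounts[$acct]; $b = $Before.Accounts[$acct]
        if (-not $b) { "MEDIUM watched account ${acct} has no earlier snapshot"; continue }
        foreach ($attr in 'cn', 'name', 'sAMAccountName', 'userPrincipalName') {
            if ($a[$attr] -ne $b[$attr]) { "HIGH   ${acct}.${attr} changed: '$($b[$attr])' -> '$($a[$attr])'" }
        }
        $wasDisabled = ($b.userAccountControl -band $ACCOUNTDISABLE) -ne 0
        $isDisabled  = ($a.userAccountControl -band $ACCOUNTDISABLE) -ne 0
        if ($wasDisabled -and -not $isDisabled) { "HIGH   disabled privileged account ${acct} was enabled" }
        elseif ($a.userAccountControl -ne $b.userAccountControl) {
            "MEDIUM ${acct}.userAccountControl changed: 0x{0:X} -> 0x{1:X}" -f $b.userAccountControl, $a.userAccountControl
        }
    }
}

# Constructed snapshots (not from a real forest). Between them 'jdoe' joined Domain Admins
# and the built-in Administrator went from 0x10202 (NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
# + ACCOUNTDISABLE) to 0x10200, i.e. it was enabled.
$watchedAdmin = @{ cn = 'Administrator'; name = 'Administrator'; sAMAccountName = 'Administrator'; userPrincipalName = $null }
$before = @{
    Groups   = @{ 'Enterprise Admins' = @(); 'Domain Admins' = @('da-alice'); 'Administrators' = @('da-alice', 'Domain Admins'); 'Schema Admins' = @() }
    Accounts = @{ 'Administrator' = $watchedAdmin + @{ userAccountControl = 0x10202 } }
}
$after = @{
    Groups   = @{ 'Enterprise Admins' = @(); 'Domain Admins' = @('da-alice', 'jdoe'); 'Administrators' = @('da-alice', 'Domain Admins'); 'Schema Admins' = @() }
    Accounts = @{ 'Administrator' = $watchedAdmin + @{ userAccountControl = 0x10200 } }
}

Compare-PrivilegedSnapshot -Before $before -After $after
# Taking a live snapshot with the ActiveDirectory module, e.g.:
#   $groups = @{}
#   foreach ($g in 'Enterprise Admins', 'Domain Admins', 'Administrators', 'Schema Admins') {
#       $groups[$g] = @(Get-ADGroupMember $g | ForEach-Object { $_.SamAccountName } | Sort-Object)
#   }
#   $u = Get-ADUser Administrator -Properties cn, name, userPrincipalName, userAccountControl
#   $accounts = @{ Administrator = @{ cn = $u.cn; name = $u.name; sAMAccountName = $u.SamAccountName;
#                                     userPrincipalName = $u.UserPrincipalName; userAccountControl = $u.userAccountControl } }
```

The constructed snapshots produce two findings: the new Domain Admins member and the re-enabled built-in Administrator, which are exactly the two bullet points above that call for immediate attention.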

Additional Information for Monitoring Active Directory Domain Services

Review the following links for additional information about monitoring AD DS:

General List of Security Event ID Recommendation Criticalities

All Event ID recommendations are accompanied by a criticality rating as follows:

High: Event IDs with a high criticality rating should always and immediately be alerted on and investigated.

Medium: An Event ID with a medium criticality rating could indicate malicious activity, but it must be accompanied by some other abnormality (for example, an unusual number occurring in a particular time period, unexpected occurrences, or occurrences on a computer that normally would not be expected to log the event). A medium-criticality event may also be collected as a metric and compared over time.

Low: An Event ID with a low criticality rating should not garner attention or cause alerts, unless correlated with medium- or high-criticality events.

These recommendations are meant to provide a baseline guide for the administrator. All recommendations should be thoroughly reviewed before implementation in a production environment.

Refer to Appendix L: Events to Monitor for a list of the recommended events to monitor, their criticality ratings, and an event message summary.