| Reports | New keys | Audit policies | Other prerequisites |
|---|---|---|---|
| Application Whitelisting Reports | Microsoft-Windows-AppLocker/EXEandDLL<br>Microsoft-Windows-AppLocker/MSI and Script | Enable AppLocker under Application Control Policies. | 1. Start the Application Identity service.<br>2. Once the two new keys are created, an event source Microsoft-Windows-AppLocker/EXEandDLL appears in the left panel. Right-click the event source, click Properties, and copy the Log path.<br>3. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-AppLocker/EXE and DLL and create an expandable string value named File, using the copied log path as the Value data.<br>4. Configure the Executable rules, Windows Installer rules, and Script rules under the audit policy mentioned above.<br>5. Restart the machine. |
| Windows Firewall Auditing Reports | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Enable Audit MPSSVC Rule-Level Policy Change, under Advanced Audit Policy Configuration > Policy Change. | |
| Removable Disk Auditing | Microsoft-Windows-DriverFrameworks-UserMode/Operational | Enable Audit Handle Manipulation and Audit Removable Storage, under Advanced Audit Policy Configuration > Object Access. | Set a SACL for the removable disk by right-clicking the required folder and navigating to Properties > Security tab > Advanced > Auditing. |
| Registry changes | | Enable Audit Registry, under Advanced Audit Policy Configuration > Object Access. | Set a SACL for the registry key by right-clicking the required key in Registry Editor and navigating to Permissions > Advanced > Auditing. |
| Windows Backup & Restore Reports | Microsoft-Windows-Backup | No modification required. | |
| Windows System Events | Microsoft-Windows-GroupPolicy/Operational<br>Microsoft-Windows-NetworkProfile/Operational<br>Microsoft-Windows-WindowsUpdateClient/Operational<br>Microsoft-Windows-Winlogon/Operational<br>Microsoft-Windows-WLAN-AutoConfig/Operational<br>Microsoft-Windows-TerminalServices-Gateway/Operational<br>Microsoft-Windows-TerminalServices-RDPClient/Operational<br>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational<br>Microsoft-Windows-Wired-AutoConfig/Operational | No modification required. | |
| Hyper-V Server Events<br>Hyper-V VM Management Reports | Microsoft-Windows-Hyper-V-Worker-Admin<br>Microsoft-Windows-Hyper-V-VMMS-Storage<br>Microsoft-Windows-Hyper-V-VMMS-Networking<br>Microsoft-Windows-Hyper-V-VMMS-Admin<br>Microsoft-Windows-Hyper-V-Hypervisor-Operational | No modification required. | |
| Program Inventory Reports | Microsoft-Windows-Application-Experience/Program-Inventory | No modification required. | |
| IIS | Microsoft-IIS-Configuration/Operational | No modification required. | To access IIS reports, open EventLog Analyzer and navigate to Reports > IIS W3C web server > IIS Admin Configuration Reports. |
| Print service | Microsoft-Windows-PrintService/Operational<br>Microsoft-Windows-PrintService/Admin | No modification required. | |
| Terminal | Microsoft-Windows-TerminalServices-Gateway/Operational | No modification required. | |
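The AppLocker prerequisites above (start the Application Identity service, copy each channel's log path, and store it as an expandable string value named File under the WINEVT\Channels key) can be applied and verified from an elevated PowerShell session. The script below is an added example, not part of the original page or of EventLog Analyzer; it assumes the standard Windows channel names `Microsoft-Windows-AppLocker/EXE and DLL` and `Microsoft-Windows-AppLocker/MSI and Script`, and it uses the .NET registry API because the PowerShell registry provider treats the `/` in the channel name as a path separator.

```powershell
# Added example (not from the original page): apply the AppLocker channel steps for both
# channels and verify the result. Run elevated. Channel names assumed to be the standard ones.
$channels = @('Microsoft-Windows-AppLocker/EXE and DLL',
              'Microsoft-Windows-AppLocker/MSI and Script')

# Step 1: the Application Identity service must be running (and start automatically after
# the reboot in step 5). sc.exe is used for the startup type because Set-Service can be
# refused for this protected service on newer builds (assumption).
& sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

foreach ($channel in $channels) {
    # Step 2: the same Log path the channel's Properties dialog shows, e.g.
    # %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx
    $logPath = (Get-WinEvent -ListLog $channel -ErrorAction Stop).LogFilePath

    # Step 3: REG_EXPAND_SZ value 'File' under WINEVT\Channels\<channel>.
    # OpenSubKey keeps the '/' as part of the key name; HKLM:\ paths would split on it.
    $subKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\$channel"
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
    if ($null -eq $key) { throw "Channel key not found: HKLM\$subKey" }
    try {
        $key.SetValue('File', $logPath, [Microsoft.Win32.RegistryValueKind]::ExpandString)

        # Verify: the value must be an expandable string holding the unexpanded path.
        $kind = $key.GetValueKind('File')
        $raw  = $key.GetValue('File', $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if ($kind -ne 'ExpandString' -or $raw -ne $logPath) {
            throw "Verification failed for $channel (kind=$kind, value=$raw)"
        }
        Write-Host "OK  $channel -> $logPath"
    } finally {
        $key.Close()
    }
}

# Step 4 (Executable, Windows Installer and Script rules) is configured in the AppLocker
# policy, not in the registry. Step 5: Restart-Computer once the rules are in place.
```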