https://community.splunk.com/t5/Splunk-Enterprise-Security/What-s-the-best-practice-to-configure-a-windows-system-to/m-p/467533#M7011 <P>*The Splunk Product Best Practices team provided this response. Read more about [How</P> <H2>Crowdsourcing is Shaping the Future of Splunk Best Practices](<A href="https://www.splunk.com/blog/2019/02/25/how-crowdsourcing-is-shaping-the-future-of-splunk-best-practices.html).*">https://www.splunk.com/blog/2019/02/25/how-crowdsourcing-is-shaping-the-future-of-splunk-best-practices.html).*</A></H2> <P>The Windows default event log configuration may not generate log data for the events you need. Therefore, it's a best practice to review the <A href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations#recommended-audit-policies-by-operating-systema">Recommended Audit Policies by Operating System</A> on the Microsoft website and make the required changes for your deployment.</P> <P>If you're new to collecting Windows endpoint event log data with the Splunk platform, then review <A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata">Monitor Windows event log data</A> in the <EM>Getting Data In</EM> manual and <A href="https://answers.splunk.com/answers/743944/how-do-i-collect-basic-windows-os-event-log-data-f.html">What are the best practices for installing Splunk on Windows endpoints?</A></P> <H1>Configure Windows event log audit policy and event logs to capture the correct event</H1> <P>Changing your Windows event log audit policy impacts the event log traffic. If you need to change the audit policy, use the Group Policy feature or the configuration management tools of your choice. To see an example of using the group policy objects (GPO), see the <A href="https://blogs.technet.microsoft.com/canitpro/2017/03/29/step-by-step-enabling-advanced-security-audit-policy-via-ds-access/">Step-By-Step: Enabling Advanced Security Audit Policy via DS Access</A> blog post on the Microsoft | TelNet website.</P> <P>See <A href="https://answers.splunk.com/answers/743944/how-do-i-collect-basic-windows-os-event-log-data-f.html">How do I collect basic Windows OS Event Log data from my Windows systems?</A> for best practices for collecting Windows end point log data with the Splunk platform.</P> <H1>Go beyond the default audit policy</H1> <P>Change the default settings to the baseline or stronger audit policy settings to meet the needs of your deployment. Configure non-standard logging to meet your security use case requirements. For example, if<BR /> your corporate policy prohibits using a USB or external devices, then enable the <STRONG>Audit Removable Storage</STRONG>. For example, see <A href="https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices">Monitor the use of removable storage devices</A> on the Microsoft website.</P> <H1>Verify your changes</H1> <P>Consider testing the changes before adding them to your production environment. To test the changes, view the event logs to ensure the required messages display or review the related Microsoft documentation to find a procedure to verify your changes.</P> Tue, 29 Oct 2019 17:22:20 GMT kdamak_splunk 2019-10-29T17:22:20Z https://community.splunk.com/t5/Splunk-Enterprise-Security/What-s-the-best-practice-to-configure-a-windows-system-to/m-p/467532#M7010 <P>Why do I need to configure the Windows event log audit policy and how do I make sure that I capture the correct events?</P> Tue, 29 Oct 2019 17:18:09 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/What-s-the-best-practice-to-configure-a-windows-system-to/m-p/467532#M7010 kdamak_splunk 2019-10-29T17:18:09Z https://community.splunk.com/t5/Splunk-Enterprise-Security/What-s-the-best-practice-to-configure-a-windows-system-to/m-p/467533#M7011 <P>*The Splunk Product Best Practices team provided this response. Read more about [How</P> <H2>Crowdsourcing is Shaping the Future of Splunk Best Practices](<A href="https://www.splunk.com/blog/2019/02/25/how-crowdsourcing-is-shaping-the-future-of-splunk-best-practices.html).*">https://www.splunk.com/blog/2019/02/25/how-crowdsourcing-is-shaping-the-future-of-splunk-best-practices.html).*</A></H2> <P>The Windows default event log configuration may not generate log data for the events you need. Therefore, it's a best practice to review the <A href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations#recommended-audit-policies-by-operating-systema">Recommended Audit Policies by Operating System</A> on the Microsoft website and make the required changes for your deployment.</P> <P>If you're new to collecting Windows endpoint event log data with the Splunk platform, then review <A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata">Monitor Windows event log data</A> in the <EM>Getting Data In</EM> manual and <A href="https://answers.splunk.com/answers/743944/how-do-i-collect-basic-windows-os-event-log-data-f.html">What are the best practices for installing Splunk on Windows endpoints?</A></P> <H1>Configure Windows event log audit policy and event logs to capture the correct event</H1> <P>Changing your Windows event log audit policy impacts the event log traffic. If you need to change the audit policy, use the Group Policy feature or the configuration management tools of your choice. To see an example of using the group policy objects (GPO), see the <A href="https://blogs.technet.microsoft.com/canitpro/2017/03/29/step-by-step-enabling-advanced-security-audit-policy-via-ds-access/">Step-By-Step: Enabling Advanced Security Audit Policy via DS Access</A> blog post on the Microsoft | TelNet website.</P> <P>See <A href="https://answers.splunk.com/answers/743944/how-do-i-collect-basic-windows-os-event-log-data-f.html">How do I collect basic Windows OS Event Log data from my Windows systems?</A> for best practices for collecting Windows end point log data with the Splunk platform.</P> <H1>Go beyond the default audit policy</H1> <P>Change the default settings to the baseline or stronger audit policy settings to meet the needs of your deployment. Configure non-standard logging to meet your security use case requirements. For example, if<BR /> your corporate policy prohibits using a USB or external devices, then enable the <STRONG>Audit Removable Storage</STRONG>. For example, see <A href="https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices">Monitor the use of removable storage devices</A> on the Microsoft website.</P> <H1>Verify your changes</H1> <P>Consider testing the changes before adding them to your production environment. To test the changes, view the event logs to ensure the required messages display or review the related Microsoft documentation to find a procedure to verify your changes.</P> Tue, 29 Oct 2019 17:22:20 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/What-s-the-best-practice-to-configure-a-windows-system-to/m-p/467533#M7011 kdamak_splunk 2019-10-29T17:22:20Z