Splunk Enterprise Security

What's the best practice to configure a windows system to collect data with the Splunk platform?

Splunk Employee
Splunk Employee

Why do I need to configure the Windows event log audit policy and how do I make sure that I capture the correct events?

0 Karma
1 Solution

Splunk Employee
Splunk Employee

*The Splunk Product Best Practices team provided this response. Read more about [How

Crowdsourcing is Shaping the Future of Splunk Best Practices](https://www.splunk.com/blog/2019/02/25/how-crowdsourcing-is-shaping-the-future-of-splunk-best-practi...

The Windows default event log configuration may not generate log data for the events you need. Therefore, it's a best practice to review the Recommended Audit Policies by Operating System on the Microsoft website and make the required changes for your deployment.

If you're new to collecting Windows endpoint event log data with the Splunk platform, then review Monitor Windows event log data in the Getting Data In manual and What are the best practices for installing Splunk on Windows endpoints?

Configure Windows event log audit policy and event logs to capture the correct event

Changing your Windows event log audit policy impacts the event log traffic. If you need to change the audit policy, use the Group Policy feature or the configuration management tools of your choice. To see an example of using the group policy objects (GPO), see the Step-By-Step: Enabling Advanced Security Audit Policy via DS Access blog post on the Microsoft | TelNet website.

See How do I collect basic Windows OS Event Log data from my Windows systems? for best practices for collecting Windows end point log data with the Splunk platform.

Go beyond the default audit policy

Change the default settings to the baseline or stronger audit policy settings to meet the needs of your deployment. Configure non-standard logging to meet your security use case requirements. For example, if
your corporate policy prohibits using a USB or external devices, then enable the Audit Removable Storage. For example, see Monitor the use of removable storage devices on the Microsoft website.

Verify your changes

Consider testing the changes before adding them to your production environment. To test the changes, view the event logs to ensure the required messages display or review the related Microsoft documentation to find a procedure to verify your changes.

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

*The Splunk Product Best Practices team provided this response. Read more about [How

Crowdsourcing is Shaping the Future of Splunk Best Practices](https://www.splunk.com/blog/2019/02/25/how-crowdsourcing-is-shaping-the-future-of-splunk-best-practi...

The Windows default event log configuration may not generate log data for the events you need. Therefore, it's a best practice to review the Recommended Audit Policies by Operating System on the Microsoft website and make the required changes for your deployment.

If you're new to collecting Windows endpoint event log data with the Splunk platform, then review Monitor Windows event log data in the Getting Data In manual and What are the best practices for installing Splunk on Windows endpoints?

Configure Windows event log audit policy and event logs to capture the correct event

Changing your Windows event log audit policy impacts the event log traffic. If you need to change the audit policy, use the Group Policy feature or the configuration management tools of your choice. To see an example of using the group policy objects (GPO), see the Step-By-Step: Enabling Advanced Security Audit Policy via DS Access blog post on the Microsoft | TelNet website.

See How do I collect basic Windows OS Event Log data from my Windows systems? for best practices for collecting Windows end point log data with the Splunk platform.

Go beyond the default audit policy

Change the default settings to the baseline or stronger audit policy settings to meet the needs of your deployment. Configure non-standard logging to meet your security use case requirements. For example, if
your corporate policy prohibits using a USB or external devices, then enable the Audit Removable Storage. For example, see Monitor the use of removable storage devices on the Microsoft website.

Verify your changes

Consider testing the changes before adding them to your production environment. To test the changes, view the event logs to ensure the required messages display or review the related Microsoft documentation to find a procedure to verify your changes.

View solution in original post

0 Karma