The Microsoft Windows operating system is by far the market-share leader in corporate enterprises. With so many organizations running Windows, it is worth exploring what opportunities exist to get more value from features that are already built in and available.
One of the most common configuration options, and one that is often overlooked altogether or taken for granted, is the built-in Microsoft Windows Advanced Logging capability.
Why turn on Microsoft Windows Advanced Logging features?
Enabling Windows Advanced Logging opens the doors to an incredible amount of insightful data that provides visibility into an environment from an IT security perspective. Turning on the data flow from Windows Advanced Logging vastly increases the volume of system logs which can be tracked and searched for malicious activity.
Without Windows Advanced Logging enabled, many different system attacks and malicious activities may go unnoticed. Examples include:
- Brute-force authentication attempts
- Command and control traffic
- Modification of GPOs
- Installation of software
- Users being added to admin groups with escalated privileges to maintain a persistent connection on an endpoint
These benefits are especially useful for organizations utilizing a Security Information and Event Management (SIEM) Platform.
How to configure Windows Advanced Logging settings?
There is plenty of documentation available from Microsoft on how to use Group Policy effectively, so that the appropriate logging settings can be set up once and the policy then pushed to all endpoints. At Advanticom, our engineering team has automated this process with customized scripts that make creating and editing these GPOs to enable the appropriate levels of advanced logging as simple as a few clicks.
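One way to apply the settings the post describes on a single endpoint, as an added example that is not Advanticom's GPO automation or a Microsoft baseline: the Advanced Audit Policy subcategories that a GPO would set can be driven locally with auditpol, together with the registry value that makes subcategory settings take precedence over legacy category settings and a larger Security log size so the log does not roll over within hours. The subcategory list, the 1 GB log size, and the use of local commands instead of a GPO are assumptions for this example.

```powershell
# Added example (not Advanticom's script). Run from an elevated PowerShell session.
# Each subcategory is mapped to the events it produces that relate to the activities
# listed above (brute force, group membership changes, software installs, GPO edits).
$subcategories = @(
    'Credential Validation',           # 4776 NTLM credential validation (failures = password guessing)
    'Kerberos Authentication Service', # 4768/4771 Kerberos pre-auth, on domain controllers
    'Logon',                           # 4624 success / 4625 failure
    'Special Logon',                   # 4672 logon with administrative privileges
    'User Account Management',         # 4720 created, 4722 enabled, 4724 password reset, 4738 changed
    'Security Group Management',       # 4728/4732/4756 member added to a group
    'Process Creation',                # 4688 new process (software installs, tooling)
    'Security System Extension',       # 4697 service installed
    'Audit Policy Change',             # 4719 auditing itself being changed or disabled
    'Directory Service Changes'        # 5136/5137 directory object (including GPO) edits, on DCs
)

foreach ($sub in $subcategories) {
    # auditpol is what the Advanced Audit Policy Configuration GPO settings ultimately drive
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Without this value the legacy category-level audit policy can silently override the
# subcategory settings ("Force audit policy subcategory settings" security option).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Include the full command line in 4688 events; without it process creation
# events show only the image name, which is far less useful to a SIEM.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Raise the Security log maximum size (1 GB here, an assumed value) so the endpoint
# keeps more than a few hours of history before the SIEM agent collects the events.
wevtutil.exe sl Security /ms:1073741824

# Verify: each requested subcategory should now report "Success and Failure".
foreach ($sub in $subcategories) {
    auditpol.exe /get /subcategory:"$sub" | Select-String -Pattern $sub
}
```

In a domain the same settings belong in a GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration, and Group Policy will overwrite these local values at the next refresh.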
What happens when you turn on the Windows Advanced Logging features?
Once advanced logging has been enabled, the Windows OS will, by design, generate more logs. Without adjusting the default log sizes in the Windows Event Viewer, these logs will quickly fill and begin to roll over, sometimes retaining only a few hours of history. Unless you really enjoy scrolling through logs for hours a day, you are going to need a SIEM platform to ingest the logs and alert on what is most important.
A Security Information and Event Management (SIEM) platform can help retain the logs for an extended period beyond what the endpoints can retain before the logs roll over. More importantly, a SIEM platform will correlate these events against each other using both artificial intelligence and machine learning to identify anomalies and issue alerts.
Windows Advanced Logging with SIEM
Windows Advanced Logging gives SIEM solutions additional insight into events that would otherwise not be generated with standard Windows logging. Combining advanced auditing with log collection, correlation, alerting and reporting gives security teams more data points and deeper insight. The additional logs produced by Windows Advanced Logging may even give the SIEM platform the visibility to identify a previously undetected intrusion. The increased volume of data improves the SIEM's ability to identify potential threats.
The SIEM platform keeps a record of all the logs, and the vastly increased volume of logs increases the number of data points that can be searched. This effectively allows engineers to go back to an event from a few days ago, 35 days ago, or even further into the past to see what was happening, which is critical during active security investigations.
Windows Advanced Logging during a Security Incident
While the Windows Event Viewer can be used to investigate single instances on an endpoint, the ability to correlate that data across multiple endpoints can be a major help to any security team performing a security incident investigation. The default logging enabled on a Microsoft Active Directory domain and all endpoints within the domain doesn't include a fraction of the helpful data that can be obtained when advanced logging is enabled. This data can be critical in uncovering how intruders moved through a network.
Enabling the Windows Advanced Logging feature provides a tremendous amount of data to increase visibility and awareness of events in your network. This often-unused feature can be a powerful lever to increase the protection of your organization.
To learn more about the built-in Windows Advanced Logging capabilities and its relationship to SIEM, please reach out to Advanticom to discuss.