
Core Threat Detection Deployment Guide – Configure Audit Logging Levels

Enable Windows Security Event Account Added to Group

  1. Under Administrative Tools on your machine, click Local Security Policy.
  2. Expand Local Policies, and then Audit Policy.
  3. Make sure Audit account management is set to audit Success events. Failure auditing is optional.

The following list provides some examples of audit account management events:

  • A user account or group is created, changed, or deleted.
  • A user account is renamed, disabled, or enabled.
  • A password is set or changed.

Enable Impersonation Event Logging

  1. To be able to detect when a user right-clicks on a program and clicks Run as administrator, the local audit policy must be configured for process tracking.
  2. Under Administrative Tools on your machine, click Local Security Policy.
  3. Expand Local Policies and then Audit Policy. Make sure Audit process tracking is set to audit Success events. Failure auditing is optional.
    This security setting audits detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
  4. On the Control Panel on your machine, click User Accounts.
  5. Click Turn User Account Control On or Off.
  6. Do one of the following:
    • On Windows 2008, select the Use User Account Control (UAC) to help protect your computer check box.
    • On Windows 7, slide the bar to the top to Always notify.

Configure Exchange Server Auditing Levels

Exchange Server 2000 / 2003 / 2007

  1. Open the Exchange System Manager and keep expanding the tree until the server object is visible.
  2. Right-click it, and then click Properties.
  3. On the Diagnostics Logging tab, expand MSExchangeIS, and then click Mailbox.
  4. Select the Logons and Access Control categories, and then set them to Maximum.

Exchange Server 2010 / 2013

  1. Open the Exchange Management Console, navigate to the Exchange server, and then click the Server Configuration node.
  2. On the right side of the screen, click Manage Diagnostic Logging Properties.
  3. Scroll down and expand the MSExchangeIS node, expand the 9000 Private node, and increase the logging for Access Control and Logons to High.

Configure Linux Audit Logging

By default, most recent Linux distributions log a “user NOT in sudoers file” event when a user tries to run sudo without permission. The only requirement here is that LogRhythm collects the auth.log through a syslog, flat file, or syslog file log source. The most common collection method is configuring the syslog daemon to forward all facilities and severities to a LogRhythm System Monitor Agent.
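As an added example (not code from the LogRhythm guide), the following Python parser picks the sudo denial lines out of a few constructed auth.log samples and extracts the fields an analyst wants to see; it accepts both the “user NOT in sudoers file” wording used above and the bare “user NOT in sudoers” form that sudo itself writes. Host names, users and commands in the sample are made up.

```python
import re

# Constructed sample auth.log lines (not real captured data). Line 3 is a
# permitted sudo for contrast; only the "user NOT in sudoers" lines should fire.
SAMPLE_AUTH_LOG = """\
Mar 10 14:22:01 web01 sudo:    alice : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar 10 14:22:05 web01 sshd[2231]: Accepted publickey for bob from 10.0.0.5 port 51422 ssh2
Mar 10 14:23:10 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 14:25:42 db02 sudo:    alice : user NOT in sudoers file ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id
"""

# Syslog prefix, then sudo's fixed "user : message ; TTY= ; PWD= ; USER= ; COMMAND=" layout.
# sudo pads the user name with spaces, so \s+ before the user is required.
SUDO_DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : user NOT in sudoers(?: file)? ; "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_denied(line):
    """Return a dict of fields for a sudo denial line, or None for anything else."""
    m = SUDO_DENIED.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_sudo_denied(log_text):
    """Scan a whole auth.log body and return every parsed denial event in order."""
    return [e for e in map(parse_sudo_denied, log_text.splitlines()) if e]


def count_by_user(events):
    """Tally denials per source user; repeated denials from one user are the usual alert trigger."""
    counts = {}
    for e in events:
        counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in find_sudo_denied(SAMPLE_AUTH_LOG):
        print(f'{e["ts"]} {e["host"]}: {e["user"]} denied sudo to {e["target"]} '
              f'for "{e["cmd"]}" on {e["tty"]}')
    print(count_by_user(find_sudo_denied(SAMPLE_AUTH_LOG)))
```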

Data Collection Requirements

To get the most out of this module, certain deployment and data collection requirements should be met. At a minimum, Active Directory or LDAP logs must be collected from the organization’s domain controller(s) or equivalent systems. This allows only a limited number of AI Engine Rules to work effectively. To ensure all content works fully, and that rich forensic/contextual data is available for analysis, logs should be collected from all endpoints, either through remote Windows Event log collection or by deploying LogRhythm System Monitor agents to individual endpoints. Deploying agents provides additional forensic visibility not available from the native logs alone. For information on remote Windows Event log collection, see Windows Event Log Collection.
