Enable Advanced Windows Security Auditing
Summary
Advanced Windows Security Auditing is the Windows advanced audit policy, managed with auditpol, that records security-related events so they can be tracked and analysed. Each audit subcategory can log successes, failures, both, or nothing; if the policy is only partially enabled, the events for the missing subcategories are never written to the Security log, and activity that would have produced them leaves no trace for defenders to detect or investigate.
The remote monitor periodically checks the endpoint's audit policy and raises an alert if Advanced Windows Security Auditing is not fully enabled.
Details
Suggested "Limit to": Windows Machines
Suggested Alert Style: Once
Suggested Alert Template: Enable Advanced Windows Security Auditing
The script Enable Advanced Windows Security Auditing [Globals, Autofix] must be imported before creating the alert template.
Configure the monitor with the details shown in the table below.
Check Action | Server Address | Check Type | Execute Info | Comparator | Interval | Result |
---|---|---|---|---|---|---|
system | 127.0.0.1 | Run File | See Below | Regex Match | 86400 | ^OK$ |
Execute Info (runs PowerShell, lists the audit settings for the Logon/Logoff category and outputs OK only when every subcategory is set to Success and Failure; any non-compliant line is output instead and fails the ^OK$ match):
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "$ErrorActionPreference = 'SilentlyContinue'; $Auditing = (auditpol /get /category:'Logon/Logoff')[4..30]; $psout = @(); foreach ($Audit in $Auditing) { if ($Audit -NotMatch 'Success and Failure|^\s*$') { $psout += $Audit } }; if ($psout.Count -eq 0) { 'OK' } else { $psout }"
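As an added example that is not part of this monitor or the Autofix script, the same check as a standalone PowerShell function, Get-AuditPolicyFindings (a name chosen here), which recognises subcategory rows by their indentation and the two-space column gap rather than by a fixed line range, so header and category lines are never reported as findings. The auditpol output embedded below is constructed sample data.

```powershell
# Added example: report Logon/Logoff subcategories whose audit setting is not
# "Success and Failure". Works on auditpol's table layout, not on line numbers.

function Get-AuditPolicyFindings {
    param(
        [Parameter(Mandatory)] [string[]] $AuditpolLines,
        [string] $Required = 'Success and Failure'
    )
    $findings = @()
    foreach ($line in $AuditpolLines) {
        # Subcategory rows are indented and separate name from setting with two
        # or more spaces; "System audit policy", the column header and the
        # category line start at column 0 and therefore never match.
        if ($line -match '^\s+(?<name>\S.*?)\s{2,}(?<setting>\S.*)$') {
            if ($Matches.setting.Trim() -ne $Required) {
                $findings += [pscustomobject]@{
                    Subcategory = $Matches.name.Trim()
                    Setting     = $Matches.setting.Trim()
                }
            }
        }
    }
    return $findings
}

# Constructed sample of 'auditpol /get /category:"Logon/Logoff"' output.
$sample = @'
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success and Failure
  Special Logon                           No Auditing
'@ -split "`r?`n"

# Expected: two findings (Logoff = Success, Special Logon = No Auditing).
$findings = @(Get-AuditPolicyFindings -AuditpolLines $sample)
if ($findings.Count -eq 0) { 'OK' } else { $findings | Format-Table -AutoSize }

# Live check on an endpoint (same contract as the monitor: OK or the offenders):
# $findings = @(Get-AuditPolicyFindings -AuditpolLines (auditpol /get /category:'Logon/Logoff'))
# if ($findings.Count -eq 0) { 'OK' } else { $findings }
```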
Dependencies
Enable Advanced Windows Security Auditing [Globals, Autofix]
Target
Managed Windows Servers and Workstations