How to Install and configure the new Windows Audit package

Search another article?

How to Install and configure the new Windows Audit package

You are here:
< Back

Before you begin

If you started with SGBox from version 5.3.0 or above and/or if you have never installed the old SGBox Windows packages Windows package Base and Windows package Advanced, you don’t need to cleanup anything; just follow the standard installation steps.

However, if you’re an old SGBox customer, or if you’ve installed one or both of the old packages, a little cleanup procedure needs to be followed to avoid duplicate events. Please follow the instruction at the end of the “Windows Audit package installation” section.

Windows Audit package installation

To install the new Windows Audit package From SCM->Application->Packages find the package in the package list, click the Install button and then the Download and install button on the App Installation pop-up.

   

On the Windows Audit – Recommended installation panel, configure installation option as for your needs:

  1. Select the hosts from which you want to collect Windows Audit information from. These hosts will be automatically added to the Windows Audit Classes, so events collection can immediately start after the installation.
  2. Download the Group Policy configuration guide and follow the instruction to properly enable needed events collection.
  3. Insert the email address to which you want to forward LCE alert messages to.
  4. Check the flag if you want to have newly added/installed windows machines automatically added to SGBox Windows Audit classes.
  5. Click Install button to install the package.

To check the installation, please verify the existence of the following:

Dashboard Windows Audit – Directory Service Group Policy Activities
Windows Audit – Directory Service Object Activities
Windows Audit – Directory Service Object moved or undeleted
Windows Audit – Failed Logon Events
Windows Audit – Logon Activities
Windows Audit – PnP Device Activities
Windows Audit – Security Group Management
Windows Audit – Security Group Members Activities
Windows Audit – Security Users Events
Windows Audit – Session Activities
Windows Audit – User Account Management
New Classes Windows Audit – Directory Service
Windows Audit – Logon Activities
Windows Audit – Security Group Management
Windows Audit – User Account Management
Windows Audit – Windows Systems
Windows Audit – Security Events
Windows Audit – Security Log
LCE Windows Logon Anomalies
LCE Windows Security Events
LCE Windows User Anomalies
Correlation Rules [Win Audit] A disabled user was enabled and fails to logon
[Win Audit] A disabled user was enabled and logged on successfully
[Win Audit] Account created and deleted in a short time
[Win Audit] Account Locked Out
[Win Audit] Account logged on to a protected network
[Win Audit] Administrative Account Locked Out
[Win Audit] Administrative account login to multiple systems in a short time
[Win Audit] Administrative Interactive Logon out of hours
[Win Audit] Administrative User Password Change
[Win Audit] Administrative User Password Change non Working hours
[WIN Audit] Administrative User Password Reset
[Win Audit] Administrative User Password Reset non Working hours
[Win Audit] Administrator access from an Unauthorised workstation
[Win Audit] Administrator access from an Unauthorised workstation (out of hours)
[Win Audit] Event Log Backup
[Win Audit] Event Log Service Error
[Win Audit] Event Logging Service Shutdown
[Win Audit] Failed logon to a disabled account
[Win Audit] Failed logon to an expired account
[Win Audit] Multiple failed logon for the same user
[Win Audit] Multiple failed logon from the same IP
[Win Audit] Multiple failed logon on the same host
[Win Audit] Multiple logon failed followed by a successful one (same User same SourceIP same Host)
[Win Audit] Multiple logon failed followed by a successful one (same User same SourceIP)
[Win Audit] Multiple logon failed followed by a successful one (same User)
[Win Audit] Multiple logon for the same account in short time
[Win Audit] Multiple logon from the same IP Address in short time
[Win Audit] Multiple logon with different accounts from the same IP address
[Win Audit] Possible Password Spray Attack
[Win Audit] Probable Kerberoasting Attack (RC4 Ticket Encryption)
[Win Audit] Probable Pass-the-Hash Attack
[Win Audit] Security Log Cleared
[Win Audit] Security Log Full
[Win Audit] System Audit policy change
[Win Audit] Unauthorised account logged on out fo hours
[Win Audit] Unauthorised Account logged on to a protected network
[WIN Audit] User added to Domain Admins Group
[Win Audit] User added to Enterprise Admins Group
[Win Audit] User added to Global Group
[Win Audit] User added to Local Group
[Win Audit] User added to Universal Group
[Win Audit] User Interactive Logon out of hours
[Win Audit] User Removed from Global Group
[Win Audit] User removed from Local Group
[Win Audit] User removed from Universal Group
[Win Audit] User added to a Global Group and removed in a short time
[Win Audit] User added to a Local Group and removed in a short time
[Win Audit] User added to a Universal Group and removed in a short time
Sensors [Win Audit] High number of Failed logon (same IP)
[Win Audit] High number of Failed logon (same User)
[Win Audit] High number of Failed logon (same Workstation)
[Win Audit] High number of Locked Out Users (same Domain)
Multiclass Templates [Win Audit][Dash] Directory Service GPO activities
[Win Audit][Dash] Directory Service Object Activities
[Win Audit][Dash] Directory Service Object moved or undeleted
[Win Audit][Report] Account Created
[Win Audit][Report] Account Deleted
[Win Audit][Report] Account Disabled
[Win Audit][Report] Account Enabled
[Win Audit][Report] Account Locked Out
[Win Audit][Report] Account Logon Failed
[Win Audit][Report] Account Logon/Logoff
[Win Audit][Report] Account password Changed
[Win Audit][Report] Account Password Reset
[Win Audit][Report] Account Unlocked
[Win Audit][Report] Directory Service GPO Activity
[Win Audit][Report] Global Group Created
[Win Audit][Report] Global Group Deleted
[Win Audit][Report] Local Group Created
[Win Audit][Report] Local Group Deleted
[Win Audit][Report] Member Added to Global Group
[Win Audit][Report] Member Added to Local Group
[Win Audit][Report] Member Added to Universal Group
[Win Audit][Report] Member Removed from Global Group
[Win Audit][Report] Member Removed from Local Group
[Win Audit][Report] Member Removed from Universal Group
[Win Audit][Report] sAM Account Name Changed
[Win Audit][Report] Universal Group Created
[Win Audit][Report] Universal Group Deleted
[Win Audit][Report] USB External device mounted
[Win Audit][Report] USB External DiskDrive mounted
Windows Agent Configuration Audit – Logon Activity
Audit – Security Group Management
Audit – Security Log
Audit – User Account Management
Audit – Directory Service
Audit – Windows Systems
Audit – Security Events

Post installation considerations

We need also to make sure that the new Windows Agent Configuration are correctly bound to the relative windows hosts. Go to LM->Configuration->Agents and check that everything is fine.

Open the Microsoft Windows (SGBox agent) Asset (1) and verify that all the needed “configurations” (2) are properly assigned to to your Windows devices. Don’t forget to click the Save Changes button, in the bottom-left corner, if you did any change.

To eventually force the system to push configurations to the Agents, simply remove and newly add a Configuration from a device of your choice, and finally click the Save Changes button.

 

Please note that for events collection to be effective, it is necessary to appropriately configure both the Group Policies and the Object-level Access auditing. Here below the link to the configuration guide:

Old Windows package cleanup instruction

If you have installed one or both of the old SGBox Windows packages Windows package Base and Windows package Advanced, you need to configure the following to avoid duplicate events generation:

Deactivate old packages’s classes

From LM->Configuration->Class uncheck the Active flag for the following classes:

  • Windows logon events
  • Windows user events
  • Windows File Access
  • Windows Task Scheduler
  • Windows Audit Policy
  • Windows GPO

After verifying that everything works as expected with the new Windows Audit package, you may want to remove old objects to keep the environment clean.

Clean old Classes

From LM->Configuration->Class delete the previously deactivated classes:

  • Windows logon events
  • Windows user events
  • Windows File Access
  • Windows Task Scheduler
  • Windows Audit Policy
  • Windows GPO

Clean old Dashboards

From the Dashboard list delete the following dashboards:

  • Top 10 windows user logon events
  • Windows User Operations
  • Windows user related issue

Clean old Correlation Rules

From LCE->Rules delete the following rules:

  • Windows User Added to Group
  • Windows User Password Changed
  • Windows User Password Reset
  • Windows User Removed from group
  • Windows Audit Policy Changed

Clean old Agent Configuration

From LM->Configuration->Agents remove the following configurations:

  • Windows logon events
  • Windows user events
  • Windows Audit Policy
  • Windows GPO

Clean old Windows packages

Identify and remove old Windows packages by clicking on the trash in the upper-right corner of each package box

Please note that deleting the package will not remove package objects, so the previous point by point cleanup is necessary.