From the Field: Default Logging

🔎 𝗙𝗿𝗼𝗺 𝘁𝗵𝗲 𝗙𝗶𝗲𝗹𝗱 — Real-World Findings from Security Assessments

💥 𝟰𝟳.𝟲% of infrastructures I’ve assessed 𝗱𝗼𝗻’𝘁 𝗲𝘅𝘁𝗲𝗻𝗱 𝗱𝗲𝗳𝗮𝘂𝗹𝘁 𝗮𝘂𝗱𝗶𝘁𝗶𝗻𝗴 𝗼𝗻 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗗𝗲𝘀𝗸𝘁𝗼𝗽 & 𝗦𝗲𝗿𝘃𝗲𝗿

Auditing is one of the most misunderstood areas in Windows environments. By default, too little is logged; turn everything on and you drown in noise. Finding the right balance is critical — especially if you forward logs for later analysis.

So how do you tackle this? Two good approaches:

1️⃣ 𝗙𝗼𝗹𝗹𝗼𝘄 𝗠𝗶𝗰𝗿𝗼𝘀𝗼𝗳𝘁’𝘀 𝗿𝗲𝗰𝗼𝗺𝗺𝗲𝗻𝗱𝗮𝘁𝗶𝗼𝗻𝘀

🔹 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗕𝗮𝘀𝗲𝗹𝗶𝗻𝗲𝘀:

https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines

🔸 𝗔𝘂𝗱𝗶𝘁 𝗣𝗼𝗹𝗶𝗰𝘆 𝗚𝘂𝗶𝗱𝗮𝗻𝗰𝗲:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations?tabs=winclient

⚠️ 𝗧𝗵𝗶𝘀 𝗴𝘂𝗶𝗱𝗮𝗻𝗰𝗲 𝘄𝗮𝘀 𝗻𝗼𝘁 𝗿𝗲𝗹𝗶𝗮𝗯𝗹𝗲 𝗶𝗻 𝘁𝗵𝗲 𝗽𝗮𝘀𝘁 due to errors/contradictions. There’s been an update, but I haven’t validated it yet. Use carefully, and remember it isn’t tailored to your industry or risks.

2️⃣ 𝗨𝘀𝗲 𝘁𝗵𝗲 𝗠𝗜𝗧𝗥𝗘 𝗔𝗧𝗧&𝗖𝗞 𝗳𝗿𝗮𝗺𝗲𝘄𝗼𝗿𝗸

Map relevant APT groups/TTPs for your region and sector and configure auditing around those. Not simple — which is why I built 𝗧𝗵𝗿𝗲𝗮𝘁𝗟𝗼𝗴 to make it easier:

https://academy.horizon-secured.com/p/threatlog

This gives you auditing aligned with your company’s threat profile. Of course, 𝗻𝗼𝘁𝗵𝗶𝗻𝗴 𝗶𝘀 𝟭𝟬𝟬%, 𝗮𝗻𝗱 𝗮𝘂𝗱𝗶𝘁𝗶𝗻𝗴 𝗶𝘀 𝗻𝗼𝘁 𝗮 “𝘀𝗲𝘁 𝗼𝗻𝗰𝗲 𝗮𝗻𝗱 𝗳𝗼𝗿𝗴𝗲𝘁” 𝘁𝗮𝘀𝗸 — it should evolve with your infra.

𝗬𝗼𝘂 𝘀𝗵𝗼𝘂𝗹𝗱 𝗮𝗹𝘀𝗼 𝗲𝘅𝘁𝗲𝗻𝗱 𝘄𝗶𝘁𝗵 𝗦𝘆𝘀𝗺𝗼𝗻:

https://academy.horizon-secured.com/p/windows-infrastructure-security-guides

📑 𝗙𝘂𝗹𝗹 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗔𝗱𝘃𝗮𝗻𝗰𝗲𝗱 𝗔𝘂𝗱𝗶𝘁𝗶𝗻𝗴 𝗰𝗮𝘁𝗲𝗴𝗼𝗿𝗶𝗲𝘀:

https://academy.horizon-secured.com/p/advanced-audit-policy-configuration-table

💡 If your ThreatLog access expired (30 days), just let me know and I’ll restart it for you.