This document is intended to help you build a GPO you can push to your Windows endpoints to start gathering much richer, more verbose logging data. As I recently discussed on the podcast, Windows logs very little in its out-of-the-box configuration.
Note: many of these settings were discovered while using the excellent LOG-MD tool, which you can download for free.
Computer Configuration > Policies > Windows Settings > Security Settings > Event Log
- Maximum application log size: 256000 KB
- Maximum security log size: 512000 KB
- Maximum system log size: 256000 KB
Note: these values are in KB (roughly 250 MB, 500 MB and 250 MB). The Object Access and Filtering Platform Connection settings below are noisy, so size the Security log so it covers at least the interval between log-forwarding or collection runs; with the default "overwrite as needed" retention, the oldest events are silently overwritten once the log is full.
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management
- Audit User Account Management: Success and Failure
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking
- Audit Process Creation: Success
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff
- Audit Account Lockout: Success and Failure
- Audit Logoff: Success and Failure
- Audit Logon: Success and Failure
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access
- Audit Detailed File Share: Success
- Audit File Share: Success
- Audit File System: Success
- Audit Filtering Platform Connection: Success
- Audit Registry: Success
Note: Audit File System and Audit Registry only generate events for files and keys that have an auditing entry (SACL) on them; turning the subcategory on by itself produces nothing until you put SACLs on the objects you care about. Audit Detailed File Share (event 5145) and Audit Filtering Platform Connection (event 5156) are the two noisiest settings here, so expect a large jump in Security log volume.
Note: because these are subcategory (advanced) settings, also enable Security Settings > Local Policies > Security Options > "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", so a legacy category-level audit policy applied elsewhere cannot override them.
Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation
- Include command line in process creation events: Enabled
Note: this adds the command line to the 4688 process creation events that the Audit Process Creation setting above produces; without it, 4688 records only the image path. Command lines can contain passwords passed as arguments, so anyone who can read the Security log (or the SIEM it is forwarded to) can read those too.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell
- Turn on Module Logging: Enabled
- Module Names: *
- Turn on PowerShell Script Block Logging: Enabled
- Turn on PowerShell Transcription: Enabled
- Transcript output directory: C:\somewhere\
Note: module logging writes event 4103 and script block logging writes event 4104 to the Microsoft-Windows-PowerShell/Operational log; script block logging needs PowerShell 5.0 or later on the endpoint. Transcripts record everything typed into and returned by a PowerShell session, credentials included, so point the output directory at a location users can write to but not read from or delete (a write-only network share is the usual choice) rather than a local folder where the user, or an attacker running as the user, can tidy up after themselves.
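To confirm the GPO actually landed on an endpoint, run the script below elevated after a gpupdate /force. It is an added example, not part of the original post or of LOG-MD: it compares the effective audit policy (via auditpol), the registry values these Administrative Template settings write, and the configured log sizes against the values above, then looks for a 4688 event carrying a command line plus 4103/4104 PowerShell events as proof that events are really flowing. The registry paths are the ones these policies are documented to write; the script name, the 100-event window and the "not reported" placeholder are my own choices, and the transcript output directory is not checked because the page leaves it as a placeholder. The 4688 command-line check assumes Windows 8.1 / Server 2012 R2 or later (or the backported update), since earlier builds do not populate that field.

```powershell
#Requires -RunAsAdministrator
# Verify-LoggingGpo.ps1 (hypothetical name): run on an endpoint after "gpupdate /force"
# to check that the settings from this post are effective. Added example, not from the post.

# Effective audit policy we expect, keyed by the subcategory name auditpol reports.
$expectedAudit = @{
    'User Account Management'       = 'Success and Failure'
    'Process Creation'              = 'Success'
    'Account Lockout'               = 'Success and Failure'
    'Logoff'                        = 'Success and Failure'
    'Logon'                         = 'Success and Failure'
    'Detailed File Share'           = 'Success'
    'File Share'                    = 'Success'
    'File System'                   = 'Success'
    'Filtering Platform Connection' = 'Success'
    'Registry'                      = 'Success'
}

# Registry values the Administrative Template settings write when set to Enabled.
$expectedReg = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Name = 'ProcessCreationIncludeCmdLine_Enabled'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       Name = 'EnableModuleLogging'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
       Name = '*'; Value = '*' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Name = 'EnableScriptBlockLogging'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
       Name = 'EnableTranscripting'; Value = 1 }
)

# Maximum log sizes from the GPO; the GPO units are KB, Get-WinEvent reports bytes.
$expectedLogSize = @{ Application = 256000KB; Security = 512000KB; System = 256000KB }

function New-Result($Check, $Expected, $Actual, [bool]$Pass) {
    [pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = $Actual; Pass = $Pass }
}

function Test-AuditPolicy {
    # /r makes auditpol emit CSV; the "Inclusion Setting" column holds the effective value.
    $rows = auditpol /get /category:* /r | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
    foreach ($sub in $expectedAudit.Keys) {
        $row = $rows | Where-Object { $_.Subcategory -eq $sub }
        $got = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
        New-Result "Audit: $sub" $expectedAudit[$sub] $got ($got -eq $expectedAudit[$sub])
    }
}

function Test-RegistryPolicy {
    foreach ($e in $expectedReg) {
        # GetValue() rather than Get-ItemProperty -Name, because '*' would be treated as a wildcard.
        $key = Get-Item -Path $e.Path -ErrorAction SilentlyContinue
        $got = if ($key) { $key.GetValue($e.Name) } else { $null }
        New-Result "Reg: $($e.Name)" $e.Value $got ("$got" -eq "$($e.Value)")
    }
}

function Test-LogSize {
    foreach ($log in $expectedLogSize.Keys) {
        $cfg = Get-WinEvent -ListLog $log
        New-Result "LogSize: $log" $expectedLogSize[$log] $cfg.MaximumSizeInBytes `
            ($cfg.MaximumSizeInBytes -ge $expectedLogSize[$log])
    }
}

function Get-EventDataField($Event, $Name) {
    # Read a named EventData field from the event XML; positional indexes differ between OS builds.
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Test-SampleEvents {
    # Starting this script was itself a process creation, a script block and a cmdlet pipeline,
    # so all three event types should already exist if the policy is working.
    $procs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 100 -ErrorAction SilentlyContinue
    $withCmd = $procs | Where-Object { Get-EventDataField $_ 'CommandLine' } | Select-Object -First 1
    New-Result '4688 with CommandLine' 'present' $(if ($withCmd) { Get-EventDataField $withCmd 'CommandLine' } else { 'none' }) ($null -ne $withCmd)

    $psLog = 'Microsoft-Windows-PowerShell/Operational'
    $sb  = Get-WinEvent -FilterHashtable @{ LogName = $psLog; Id = 4104 } -MaxEvents 1 -ErrorAction SilentlyContinue
    New-Result '4104 script block' 'present' $(if ($sb) { $sb.TimeCreated } else { 'none' }) ($null -ne $sb)
    $mod = Get-WinEvent -FilterHashtable @{ LogName = $psLog; Id = 4103 } -MaxEvents 1 -ErrorAction SilentlyContinue
    New-Result '4103 module log' 'present' $(if ($mod) { $mod.TimeCreated } else { 'none' }) ($null -ne $mod)
}

$results = @(Test-AuditPolicy) + @(Test-RegistryPolicy) + @(Test-LogSize) + @(Test-SampleEvents)
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($results.Count) checks failed"
exit $failed   # 0 means every setting is in effect; non-zero is handy for RMM/SCCM compliance runs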