ManageEngine x Forrester | Workforce Identity Platforms Landscape Report

Read now
Azure Active DirectoryAzure AD Security

Event collection with Microsoft Defender for Identity

June 5, 2024

Understanding Windows event logs

Windows event logs are detailed records of events occurring in a Windows operating system, arranged chronologically for easy identification. These logs include both hardware and software events related to the system, security, and applications. By monitoring Windows event logs, network engineers can:

  • Track any system failures or errors
  • Investigate threats, attacks, or unauthorized activities
  • Perform effective diagnoses and resolve system issues
  • Foresee future issues based on current event log data

What is Microsoft Defender for Identity?

Formerly known as Azure Advanced Threat Protection (Azure ATP), Microsoft Defender for Identity (MDI) is a cloud-based security solution from Microsoft. It helps organizations monitor identities with high security in both on-premises and hybrid environments. With modern Identity Threat Detection and Response (ITDR), your organization’s security operation teams can prevent, detect, investigate, and respond to data breaches, threats, and attacks. By analyzing user profiles and security reports, MDI provides relevant insights on identity configurations, helping understand identity structures and suggesting best practices to enhance security.

How Microsoft Defender for Identity uses Windows event logs

MDI collects information about system events from Windows event logs to enhance security. For domain controllers to collect these specific events, you need to enable Advanced Audit Policy settings using a group policy.

Steps to enable advanced audit policy

Follow these steps to enable Advanced Audit Policy settings:

  1. Sign in to a Domain Controller or a server with GPMC access using Domain Administrator credentials.
  2. Navigate to Server Manager > Tools > Group Policy Management.
  3. In the left pane, right-click on Domain Controllers Organizational Units and select Create a GPO in this domain, and Link it here.
  4. In the New GPO window, enter a name for the new policy in the Name field and click OK.
  5. Right-click on the new policy and click Edit.
  6. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies to view various policy settings.
  7. Enable the policy settings given in the table below for both success and failure audit events and click OK.

Policy settings table:

Policy

Policy Setting

Account Logon

Audit Credential Validation

Account Management

 

Audit Computer Account Management

Audit Distribution Group Management

Audit Security Group Management

Audit User Account Management

DS Access

Audit Directory Service Access

System

Audit Security System Extension

By following the steps above, you can configure Windows event collection for Microsoft Defender for Identity. This enhances your organization’s security by providing insights from Windows event logs, enabling proactive monitoring and response to potential threats.

Related posts
Azure Active DirectoryAzure AD Best practices

Azure Backup - An overview

July 24, 2024
Azure Active DirectoryAzure AD Best practices

How to configure machine backups with Azure

July 23, 2024
Azure Active DirectoryAzure AD Best practices

How to monitor and backup Azure resources

July 23, 2024
Azure Active DirectoryAzure AD Management

How to implement app registration in Microsoft Entra ID

June 11, 2024
×

There are over 8,500 people who are getting towards perfection in Active Directory, IT Management & Cyber security through our insights from Identitude.

Wanna be a part of our bimonthly curation of IAM knowledge?

  • -Select-
  • By clicking 'Become an insider', you agree to processing of personal data according to the Privacy Policy.