
Identity Log Collection in Active Directory

Open rgbrow1949 opened this issue 11 months ago • 3 comments

Identity logs are highly valuable because they identify and describe the user and computer involved in incidents.

Can we collect more of this type of log in Logging Made Easy?

Yes. All we need to do is activate certain policies in the Group Policy Management Editor for our pre-existing LME Server GPO. We should enable policies that will trip on events related to signing in and anything where accountability is important.

Then, edit the lme_wec_config.xml so that it will now collect and forward the policies we add too.

(A similar issue can be added to get the Entra identity logs from Azure Active Directory)

rgbrow1949 avatar Mar 22 '24 00:03 rgbrow1949

Events that may return identity logs can be found in the group policy management here:

Computer Config > Policies > Windows settings > security settings > advanced audit policy configuration > audit policies > (pick relevant)

rgbrow1949 avatar Mar 29 '24 22:03 rgbrow1949

This task is in three steps:

  1. Identify the list of events that we don't currently log that would provide valuable identity logs.
  2. Edit the Group Policy Objects to include events that we want to log from 1
  3. Edit the lme_wec_config.xml file to forward that type of event.

rgbrow1949 avatar Apr 04 '24 21:04 rgbrow1949
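The three-step procedure above, worked through end to end as an added example. This is not LME project code: the event ID list is a suggested starting set for identity logging (step 1), the `auditpol` subcategory names are the standard Windows ones and are used here only to verify that the GPO from step 2 has actually taken effect on a host, and the generated `<Select>` element assumes that `lme_wec_config.xml` carries a standard Windows Event Forwarding `<QueryList>` (step 3); check the file before pasting.

```powershell
# Added example, not part of LME. Event IDs, subcategory names and the
# assumed <QueryList> layout of lme_wec_config.xml are choices to verify
# against your own environment and config file.

# Step 1: identity-related Security events and the advanced audit
# subcategory that must be enabled for each one to be written.
$IdentityEvents = @(
    @{ Id = 4624; Subcategory = 'Logon';                              Why = 'successful logon' },
    @{ Id = 4625; Subcategory = 'Logon';                              Why = 'failed logon' },
    @{ Id = 4648; Subcategory = 'Logon';                              Why = 'logon with explicit credentials (runas)' },
    @{ Id = 4634; Subcategory = 'Logoff';                             Why = 'logoff' },
    @{ Id = 4672; Subcategory = 'Special Logon';                      Why = 'admin-equivalent privileges assigned at logon' },
    @{ Id = 4776; Subcategory = 'Credential Validation';              Why = 'NTLM credential validation' },
    @{ Id = 4768; Subcategory = 'Kerberos Authentication Service';    Why = 'TGT requested (domain controllers only)' },
    @{ Id = 4771; Subcategory = 'Kerberos Authentication Service';    Why = 'Kerberos pre-authentication failed (domain controllers only)' },
    @{ Id = 4769; Subcategory = 'Kerberos Service Ticket Operations'; Why = 'service ticket requested (domain controllers only)' },
    @{ Id = 4720; Subcategory = 'User Account Management';            Why = 'user account created' },
    @{ Id = 4726; Subcategory = 'User Account Management';            Why = 'user account deleted' },
    @{ Id = 4740; Subcategory = 'User Account Management';            Why = 'account locked out' },
    @{ Id = 4728; Subcategory = 'Security Group Management';          Why = 'member added to a global security group' },
    @{ Id = 4732; Subcategory = 'Security Group Management';          Why = 'member added to a local security group' }
)

# Step 3: build the <Select> element to add inside <QueryList><Query ...>
# in lme_wec_config.xml so the collector forwards exactly these events.
function New-WecSelectXml {
    param([int[]]$EventIds, [string]$Channel = 'Security')
    $clauses = ($EventIds | Sort-Object -Unique | ForEach-Object { "EventID=$_" }) -join ' or '
    "<Select Path=`"$Channel`">*[System[($clauses)]]</Select>"
}

# Step 2 check: read the effective audit setting for one subcategory on
# this host. 'auditpol /r' prints CSV; 'Inclusion Setting' is the policy.
function Get-AuditSubcategoryState {
    param([string]$Name)
    $rows = auditpol /get /subcategory:"$Name" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    if (-not $rows) { return 'Unknown' }
    $rows[0].'Inclusion Setting'
}

# Report every subcategory the event list depends on. Failed-logon events
# (4625, 4771) only appear when Failure auditing is on, so anything other
# than 'Success and Failure' is flagged.
function Test-IdentityAuditPolicy {
    param([hashtable[]]$Events = $IdentityEvents)
    $Events | ForEach-Object { $_.Subcategory } | Sort-Object -Unique | ForEach-Object {
        $state = Get-AuditSubcategoryState -Name $_
        [pscustomobject]@{
            Subcategory = $_
            Setting     = $state
            Ok          = ($state -eq 'Success and Failure')
        }
    }
}

# Usage: print the XML fragment for the WEC subscription, then verify the
# GPO result on a client after 'gpupdate /force'.
New-WecSelectXml -EventIds ($IdentityEvents | ForEach-Object { $_.Id })
Test-IdentityAuditPolicy | Format-Table -AutoSize
```

Run the check on a domain-joined client (and on a domain controller for the Kerberos subcategories) after the GPO has refreshed. If any subcategory still reports `No Auditing` even though the advanced policy is set, confirm that the security option `Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings` is enabled, since a legacy category-level policy otherwise wins.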

@rgbrow1949 as a watcher.

safiuddinr avatar May 13 '24 17:05 safiuddinr

Reopening to make a pull request on this

rgbrow1949 avatar Jun 03 '24 15:06 rgbrow1949