Set up local machine security auditing without GPO - Administrator Guide - Cortex XDR - Cortex - Security Operations

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-12-30
Category: Administrator Guide

To enable collection of event logs on a local machine without GPO, use the following command in an administrator command prompt:

auditpol /set /subcategory:[subcategory] /success:enable /failure:enable

Replace [subcategory] with a subcategory from the following table, running the command once for each subcategory you want to collect.

| Event IDs | Audit Policy | Subcategory | Additional configuration needed |
|---|---|---|---|
| 4776, 4822, 4823 | Account Logon | Audit Credential Validation | |
| 4768, 4771, 4824 | Account Logon | Audit Kerberos Authentication Service | DCs only |
| 4769, 4770, 4821 | Account Logon | Audit Kerberos Service Ticket Operations | DCs only |
| 4741, 4742, 4743 | Account Management | Audit Computer Account Management | DCs only |
| 4727, 4728, 4729, 4731, 4732, 4733, 4735, 4737, 4754, 4755, 4756, 4757, 4764, 4799 | Account Management | Audit Security Group Management | |
| 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4781 | Account Management | Audit User Account Management | |
| 4662 | DS Access | Audit Directory Service Access | Additional setup for Active Directory Certificate Services (ADCS) events; DCs only |
| 4634, 4647 | Logon/Logoff | Audit Logoff | |
| 4624, 4625, 4648 | Logon/Logoff | Audit Logon | |
| 4649, 4778, 4800, 4801, 4802, 4803 | Logon/Logoff | Audit Other Logon/Logoff Events | |
| 4672 | Logon/Logoff | Audit Special Logon | |
| 4880, 4881, 4885, 4886, 4887, 4888, 4896, 4898, 4899, 4900 | Object Access | Audit Certification Services | Additional setup for Active Directory Certificate Services (ADCS) events |
| 5140 | Object Access | Audit File Share | |
| 4698, 4702 | Object Access | Audit Other Object Access Events | |
| 4713 | Policy Change | Audit Authentication Policy Change | |
| 4616 | System | Audit Security State Change | |
| 1102 | System | Other System Events | Enabled by default |
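The whole table applied in one pass, as an added example that is not part of the Cortex XDR guide: it runs auditpol for each subcategory, skips the "DCs only" rows when the machine is not a domain controller, and reads the resulting policy back with `auditpol /get /r` so you can confirm every row ended up at "Success and Failure". It assumes an English-language Windows build (auditpol subcategory names are localized and are passed without the "Audit " prefix the table shows) and an elevated PowerShell session; the DC check uses the Win32_ComputerSystem DomainRole value.

```powershell
# Added example (not from the Cortex XDR guide). Run from an elevated PowerShell.
# auditpol takes the subcategory name without the "Audit " prefix shown in the table,
# and names containing spaces must be quoted. Assumes English subcategory names.

$Subcategories = @(
    @{ Name = 'Credential Validation';              DcOnly = $false },
    @{ Name = 'Kerberos Authentication Service';    DcOnly = $true  },
    @{ Name = 'Kerberos Service Ticket Operations'; DcOnly = $true  },
    @{ Name = 'Computer Account Management';        DcOnly = $true  },
    @{ Name = 'Security Group Management';          DcOnly = $false },
    @{ Name = 'User Account Management';            DcOnly = $false },
    @{ Name = 'Directory Service Access';           DcOnly = $true  },
    @{ Name = 'Logoff';                             DcOnly = $false },
    @{ Name = 'Logon';                              DcOnly = $false },
    @{ Name = 'Other Logon/Logoff Events';          DcOnly = $false },
    @{ Name = 'Special Logon';                      DcOnly = $false },
    @{ Name = 'Certification Services';             DcOnly = $false },
    @{ Name = 'File Share';                         DcOnly = $false },
    @{ Name = 'Other Object Access Events';         DcOnly = $false },
    @{ Name = 'Authentication Policy Change';       DcOnly = $false },
    @{ Name = 'Security State Change';              DcOnly = $false }
)

# DomainRole 4 = backup domain controller, 5 = primary domain controller.
$IsDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

foreach ($sub in $Subcategories) {
    if ($sub.DcOnly -and -not $IsDc) {
        Write-Host "Skipping $($sub.Name) (DCs only)"
        continue
    }
    auditpol /set /subcategory:"$($sub.Name)" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol failed for $($sub.Name) (exit code $LASTEXITCODE)"
    }
}

# Verify: /r emits CSV with an "Inclusion Setting" column; flag anything not fully enabled.
$Policy = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
foreach ($sub in $Subcategories) {
    if ($sub.DcOnly -and -not $IsDc) { continue }
    $row = $Policy | Where-Object { $_.Subcategory -eq $sub.Name }
    if ($null -eq $row -or $row.'Inclusion Setting' -ne 'Success and Failure') {
        Write-Warning "$($sub.Name): expected 'Success and Failure', got '$($row.'Inclusion Setting')'"
    } else {
        Write-Host "$($sub.Name): OK"
    }
}
```

Event 1102 (Other System Events) is left out of the list because the table marks it as enabled by default; the ADCS rows still need the additional setup the table refers to before those event IDs are produced.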