fbpx
Back Arrow Back to All Integrations

Advanced Microsoft Logging (GPO Template)

Advanced Microsoft Logging (GPO Template)

Logmira – Advanced Microsoft Logging GPO Template

Once certain group policy settings have been configured, Blumira can ingest advanced Microsoft Commandline and PowerShell module logging.

 

You can also use Logmira to easily import the pre-built settings. Logmira has been created as a helpful download of Microsoft Windows Domain Group Policy Object (GPO) settings.

 

This GPO backup includes our recommended Windows logging settings for all supported versions of MS Windows Server. As opposed to following a list and manually modifying 100 or so settings, it’s way easier to just import it from a backup.

Advanced Microsoft CommandLine & PowerShell Logging

For advanced Microsoft CommandLine and PowerShell module logging, make the following changes to group policy.

  1. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking > Audit Process Creation > Enable
    Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation > Include command line in process creation events > Enable
  2. User Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell > Enable and set module names to *
  3. If you also want to audit WMIC activity, you must run the following command on hosts that you want to collect WMIC tracing logs from. This must be run in an elevated prompt.

Wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true /q:true

Logmira: Easily Import Pre-Built GPO Settings

Logmira has been created as a helpful download of Microsoft Windows Domain Group Policy Object settings. This GPO backup includes our recommended windows logging settings for all supported versions of MS Windows Server. As opposed to following a list and manually modifying 100 or so settings, it’s way easier to just import it from a backup.

Visit GitHub to download the files and get more information.

Files

  • GPOLoggingImport.zip contains the full GPO backup of only the recommended windows logging settings
  • gporeport.xml is also included inside the zip, but gives an overview of the settings within the backup

Exporting a GPO

(what we’ve done to create GPOLoggingImport.zip, and what should be done for GPO Backups)

  1. To begin the export process, open up the group policy management console, navigate to the proper domain, expand group policy objects and select the group policy object that you’d like to export.
  2. Right-click and select Back Up.
  3. Select the location the backup will be exported to, and the description. Then click Back Up.
  4. The files are then exported to the location selected, click OK.

Importing a GPO

  1. After the file is on the local DC, navigate to the same place in group policy management (the proper domain and expand group policy objects).
    NOTE: Do not import settings on an existing GPO unless you want all settings overwritten by the import
  2. Create a NEW GPO by right-clicking on Group Policy Objects > New.
  3. Give the new GPO a name (for example: Logging Settings)
  4. Right-click on the new GPO>”Import Settings”
  5. Next > Next > Select the location where the backup was saved if it is not selected already > Next
  6. Select the “Logging Template” Backed up GPO > Next > Next > Finish

You should now have a GPO created that you can link to any OU in your domain to apply the correct logging settings.

Get a Free Cloud SIEM Trial

Try out Blumira’s automated detection & response platform for free and deploy a cloud SIEM in hours.

Free Trial