Logmira: Windows Logging Policies for Better Threat Detection

Blumira’s Sr. Incident Response Engineer Amanda Berlin has created a free set of pre-configured Windows policy settings, called Logmira (available on Github), to help any organization easily increase log visibility for more effective threat detection and response.

At Blumira, we’re dedicated to making security easier and more automated. With these settings preconfigured, you can quickly import them into your environment to start collecting logs and detecting threats. If you want to learn more about Windows logging, register for our on-demand webinar Windows Logging Tips for Better Threat Detection.

Why the name Logmira? ‘Log’ refers to a record of system activity used to track security-related information (the basis of any security information and event management – SIEM tool), and ‘mira’ translates to “to look or see” in Spanish (the latter half of Blumira’s name origin).

What is Logmira?
A pre-built set of group policy configurations for advanced Windows logging, in the form of a GPO (Group Policy Object) backup file you can download, free from Blumira. These are created by Blumira’s security team as our recommendations to help increase Windows log visibility for threat detection, and to help meet compliance auditing requirements.

What is GPO?
A Group Policy Object (GPO) is a virtual collection of policy settings. Group Policy settings are contained within a GPO – a GPO can represent policy settings in the file system and Active Directory.

Why does an organization need this?
Windows has limited logging capabilities enabled by default. Traditionally, this is a manual process that doesn’t get implemented by system administrators, resulting in many organizations overlooking these important configuration steps.

What does it do?
It provides organizations running Windows with a way to automate the configuration of a group policy object that provides verbose log visibility for threat detection and compliance.

Why did we create it?
We couldn’t find this group of policy settings anywhere, so we created it ourselves by modifying a baseline model from Microsoft and a few other sources. Other vendors give you all of the settings and it takes about a half hour for administrators to set up.

Instead of following a list and manually modifying 100 or so settings, it’s way easier to just import it from a backup. We wanted to make it easy and automated for customers to import the settings into your environment and start configuring logs today.

What kind of attacker techniques can you start detecting?
Once configured, Blumira’s security platform can start detecting different attacker techniques, such as password spraying (seen below) and PowerShell malicious activity. We also provide guided workflows to help walk you through remediation.

How does it help with compliance?
With pre-built Windows log settings from Blumira, you can start collecting the most essential logs to help meet certain compliance requirements, like PCI DSS. Guidelines for logging are found in requirements 10.2.1 through 10.2.7, and can be mapped to different audit settings, as found in the Infosec Institute’s Windows Logging for PCI-DSS.

How do you import the policy settings?
This backup file gives you the logging recommendations and instructions. Watch our video below on how to download and import this template to help you set up your logs with the ideal configuration to start detecting and responding to threats today.

How to Optimize Windows Logging With GPO: A Step-by-Step Tutorial

 

Additional Resources

How to Optimize Windows Logging for Security – Here’s how to leverage built-in Microsoft logging capabilities to help you detect malicious activity and system attacks across your environment.

How to Enable Sysmon for Windows Logging and Security – With Sysmon, you can detect malicious activity by tracking code behavior and network traffic, as well as create detections based on the malicious activity.

Download Your Guide to Microsoft Security

To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity.

In this guide, you’ll learn:

• How to use built-in Windows tools like System Monitor for advanced visibility into Windows server logs
• How to configure Group Policy Objects (GPOs) to give you a deeper look into your Windows environment
• Free, pre-configured tools from Blumira you can use to easily automate Windows logging to enhance detection & response
• What indicators of security threats you should be able to detect for Microsoft Azure and Office 365

# windows logging, GPO