Blumira’s Sr. Incident Response Engineer Amanda Berlin has created a free set of pre-configured Windows policy settings, called Logmira (available on Github), to help any organization easily increase log visibility for more effective threat detection and response.

At Blumira, we’re dedicated to making security easier and more automated. With these settings preconfigured, you can quickly import them into your environment to start collecting logs and detecting threats. If you want to learn more about Windows logging, register for our webinar on June 18 at 1pm ET, Windows Logging Tips for Better Threat Detection.

Why the name Logmira? ‘Log’ refers to a record of system activity used to track security-related information (the basis of any security information and event management – SIEM tool), and ‘mira’ translates to “to look or see” in Spanish (the latter half of Blumira’s name origin).

What is Logmira?
A pre-built set of group policy configurations for advanced Windows logging, in the form of a GPO (Group Policy Object) backup file you can download, free from Blumira. These are created by Blumira’s security team as our recommendations to help increase Windows log visibility for threat detection, and to help meet compliance auditing requirements.

What is GPO?
A Group Policy Object (GPO) is a virtual collection of policy settings. Group Policy settings are contained within a GPO – a GPO can represent policy settings in the file system and Active Directory.

Why does an organization need this?
Windows has limited logging capabilities enabled by default. Traditionally, this is a manual process that doesn’t get implemented by system administrators, resulting in many organizations overlooking these important configuration steps.

What does it do?
It provides organizations running Windows with a way to automate the configuration of a group policy object that provides verbose log visibility for threat detection and compliance.

Why did we create it?
We couldn’t find this group of policy settings anywhere, so we created it ourselves by modifying a baseline model from Microsoft and a few other sources. Other vendors give you all of the settings and it takes about a half hour for administrators to set up.

Instead of following a list and manually modifying 100 or so settings, it’s way easier to just import it from a backup. We wanted to make it easy and automated for customers to import the settings into your environment and start configuring logs today.

What kind of attacker techniques can you start detecting?
Once configured, Blumira’s security platform can start detecting different attacker techniques, such as password spraying (seen below) and PowerShell malicious activity. We also provide guided workflows to help walk you through remediation.

How does it help with compliance?
With pre-built Windows log settings from Blumira, you can start collecting the most essential logs to help meet certain compliance requirements, like PCI DSS. Guidelines for logging are found in requirements 10.2.1 through 10.2.7, and can be mapped to different audit settings, as found in the Infosec Institute’s Windows Logging for PCI-DSS.

How do you import the policy settings?
This backup file gives you the logging recommendations and instructions. Watch our video below on how to download and import this template to help you set up your logs with the ideal configuration to start detecting and responding to threats today.

How to Optimize Windows Logging With GPO: A Step-by-Step Tutorial

 

Additional Resources

How to Optimize Windows Logging for Security – Here’s how to leverage built-in Microsoft logging capabilities to help you detect malicious activity and system attacks across your environment.

How to Enable Sysmon for Windows Logging and Security – With Sysmon, you can detect malicious activity by tracking code behavior and network traffic, as well as create detections based on the malicious activity.

Security news and stories right to your inbox!