Configure IT Infrastructure for Auditing and Monitoring
You can configure your IT Infrastructure for monitoring in one of the following ways:
- Automatically when creating an organization. This is the recommended method.
- Manually. The table below lists the native audit settings that must be adjusted manually to ensure that comprehensive and reliable audit data is collected. You can enable Netwrix 1Secure to continually enforce the relevant audit policies or configure them manually.
| Data source | Provided connectors | Required configuration |
| --- | --- | --- |
| Active Directory | Active Directory Activity | See the Active Directory Activity settings below. |
| Active Directory | Active Directory Logons | See the Active Directory Logons settings below. |
| Azure AD | Azure AD Activity, Azure AD Logons | No special settings are required. Remember to configure the Azure AD app as described in the App Registration and Configuration in Microsoft Entra ID section. |
| Computer | File Server Activity | See the File Server Activity settings below. |
| SharePoint Online | SharePoint Online Activity | No special settings are required. Remember to configure the Azure AD app as described in App Registration and Configuration in Microsoft Entra ID. |

Active Directory Activity (data source: Active Directory)

In the audited environment: see Configure Domain for Monitoring Active Directory for related settings and procedures.

On the computer where Netwrix Cloud Agent is installed:
- If you have enabled automatic log backup for the Security log of your domain controller, you can instruct Netwrix 1Secure to clear the old backups automatically. For that, use the CleanAutoBackupLogs registry key. It is recommended that you adjust the retention period for the backup files accordingly (the default is 50 hours).
- For event data collection, the Secondary Logon service must be up and running. Open Administrative Tools → Services, right-click the Secondary Logon service and, on the General tab, make sure that the Startup type for this service is anything other than Disabled.

Active Directory Logons (data source: Active Directory)

In the audited environment:
- The following policies must be set to "Success" and "Failure" for the effective domain controllers policy:
  - Audit Logon Events
  - Audit Account Logon Events
- The Audit system events policy must be set to "Success" for the effective domain controllers policy.
- The Advanced audit policy settings can be configured instead of the basic ones.
- The maximum Security event log size must be set to 4 GB. The retention method of the Security event log must be set to "Overwrite events as needed" or "Archive the log when full".
- The following Windows Firewall inbound rules must be enabled:
  - Remote Event Log Management (NP-In)
  - Remote Event Log Management (RPC)
  - Remote Event Log Management (RPC-EPMAP)

File Server Activity (data source: Computer)

In the audited environment:
- For a security principal (e.g., Everyone), the following options must be configured in the Advanced Security → Auditing settings for the audited shared folders:

  | Permission | Audit type |
  | --- | --- |
  | List Folder / Read Data (Files only) | "Success" and "Fail" |
  | List Folder / Read Data (This folder, subfolders and files) | "Fail" |
  | Create Files / Write Data* | "Success" and "Fail" |
  | Create Folders / Append Data* | "Success" and "Fail" |
  | Write Extended Attributes* | "Success" and "Fail" |
  | Delete Subfolders and Files* | "Success" and "Fail" |
  | Delete* | "Success" and "Fail" |
  | Change Permissions* | "Success" and "Fail" |
  | Take Ownership* | "Success" and "Fail" |

  Select "Fail" only if you want to track failure events; it is not required for monitoring success events. If you want to get only state-in-time snapshots of your system configuration, limit your settings to the permissions marked with * and set them to "Success" (Apply onto: This folder, subfolders and files).
- The following Advanced audit policy settings must be configured:
  - The Audit: Force audit policy subcategory settings (Windows 7 or later) security option must be enabled.
  - Depending on your OS version, configure the categories as follows:

    Windows Server 2008:

    | Category | Subcategory | Setting |
    | --- | --- | --- |
    | Object Access | Audit File Share | "Success" |
    | Object Access | Audit File System | "Success" and "Failure" |
    | Object Access | Audit Handle Manipulation | "Success" and "Failure" |
    | Logon/Logoff | Logon | "Success" |
    | Logon/Logoff | Logoff | "Success" |
    | Policy Change | Audit Audit Policy Change | "Success" |
    | System | Security State Change | "Success" |

    Windows Server 2008 R2 / Windows 7 and above:

    | Category | Subcategory | Setting |
    | --- | --- | --- |
    | Object Access | Audit File Share | "Success" |
    | Object Access | Audit File System | "Success" and "Failure" |
    | Object Access | Audit Handle Manipulation | "Success" and "Failure" |
    | Object Access | Audit Detailed file share | "Failure" |
    | Logon/Logoff | Logon | "Success" |
    | Logon/Logoff | Logoff | "Success" |
    | Policy Change | Audit Audit Policy Change | "Success" |
    | System | Security State Change | "Success" |

    If you want to get only state-in-time snapshots of your system configuration, limit your audit settings to the following policies:

    | Category | Subcategory | Setting |
    | --- | --- | --- |
    | Object Access | Audit File System | "Success" |
    | Object Access | Audit Handle Manipulation | "Success" |
    | Object Access | Audit File Share | "Success" |
    | Policy Change | Audit Audit Policy Change | "Success" |
- The following legacy policies can be configured instead of the advanced ones:
  - The Audit object access policy must be set to "Success" and "Failure".
  - The Audit logon events policy must be set to "Success".
  - The Audit system events policy must be set to "Success".
  - The Audit policy change policy must be set to "Success".
- The Security event log maximum size must be set to 4 GB. The retention method of the Security event log must be set to "Overwrite events as needed".
- The Remote Registry service must be started.
- The following inbound Firewall rules must be enabled:
  - Remote Event Log Management (NP-In)*
  - Remote Event Log Management (RPC)*
  - Remote Event Log Management (RPC-EPMAP)*
  - Windows Management Instrumentation (ASync-In)
  - Windows Management Instrumentation (DCOM-In)
  - Windows Management Instrumentation (WMI-In)
  - Network Discovery (NB-Name-In)
  - File and Printer Sharing (NB-Name-In)
  - File and Printer Sharing (Echo Request - ICMPv4-In)
  - File and Printer Sharing (Echo Request - ICMPv6-In)

  The rules marked with * are required only if you do not want to use network traffic compression for auditing. If you plan to audit Windows Server 2019 or Windows 10 Update 1803 without the network compression service, make sure the following inbound connection rules are enabled:
  - Remote Scheduled Tasks Management (RPC)
  - Remote Scheduled Tasks Management (RPC-EPMAP)
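As an added example that is not part of the Netwrix documentation, the following PowerShell script checks a file server against the File Server Activity requirements in the table above (advanced audit subcategories, Security log size and retention, the two services, and the inbound firewall rules) and reports deviations without changing anything. It assumes an elevated PowerShell 5.1 or later session on the audited server with the NetSecurity module (Get-NetFirewallRule) available.

```powershell
# Added verification script, not part of the Netwrix documentation. Run elevated on the audited
# file server; lists settings that deviate from the File Server Activity requirements (2008 R2+).
$required = @{
    'File Share'            = @('Success')
    'File System'           = @('Success', 'Failure')
    'Handle Manipulation'   = @('Success', 'Failure')
    'Detailed File Share'   = @('Failure')
    'Logon'                 = @('Success')
    'Logoff'                = @('Success')
    'Audit Policy Change'   = @('Success')
    'Security State Change' = @('Success')
}
$findings = [System.Collections.Generic.List[string]]::new()
# auditpol /r prints CSV; "Inclusion Setting" reads "Success", "Failure", "Success and Failure" or "No Auditing"
foreach ($sub in $required.Keys) {
    $row  = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
    $have = [string]$row.'Inclusion Setting'
    foreach ($want in $required[$sub]) {
        if ($have -notmatch $want) { $findings.Add("Audit subcategory '$sub' lacks '$want' (current: $have)") }
    }
}
# Security log: 4 GB maximum; retention "Overwrite events as needed" is LogMode Circular
$log = Get-WinEvent -ListLog Security
if ($log.MaximumSizeInBytes -lt 4GB) { $findings.Add("Security log maximum size is $($log.MaximumSizeInBytes / 1MB) MB, expected 4096 MB") }
if ($log.LogMode -ne 'Circular')     { $findings.Add("Security log retention is '$($log.LogMode)', expected Circular") }

# Services: Remote Registry must be running; Secondary Logon (seclogon) must not be Disabled
if ((Get-Service RemoteRegistry).Status -ne 'Running') { $findings.Add('Remote Registry service is not running') }
if ((Get-Service seclogon).StartType -eq 'Disabled')   { $findings.Add('Secondary Logon service startup type is Disabled') }

# Inbound firewall rules from the table; the three Remote Event Log Management rules are only
# needed when network traffic compression is not used, so they are tagged in the report.
$rules = @('Windows Management Instrumentation (ASync-In)', 'Windows Management Instrumentation (DCOM-In)',
           'Windows Management Instrumentation (WMI-In)', 'Network Discovery (NB-Name-In)',
           'File and Printer Sharing (NB-Name-In)', 'File and Printer Sharing (Echo Request - ICMPv4-In)',
           'File and Printer Sharing (Echo Request - ICMPv6-In)')
$noCompressionRules = @('Remote Event Log Management (NP-In)', 'Remote Event Log Management (RPC)',
                        'Remote Event Log Management (RPC-EPMAP)')
foreach ($name in $rules + $noCompressionRules) {
    $tag = if ($noCompressionRules -contains $name) { ' (required only without network compression)' } else { '' }
    $r = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
    if ($r.Count -eq 0) { $findings.Add("Firewall rule '$name' not found$tag"); continue }
    # one display name may map to a rule per profile; at least one of them must be enabled
    if (@($r | Where-Object { $_.Enabled -eq 'True' }).Count -eq 0) { $findings.Add("Firewall rule '$name' is disabled$tag") }
}

if ($findings.Count -eq 0) { 'All checked settings meet the File Server Activity requirements.' }
else { $findings | ForEach-Object { "DEVIATION: $_" } }
```

To check a domain controller for the Active Directory Logons connector instead, replace the $required table with the Logon and Account Logon subcategories set to "Success" and "Failure" and accept either Circular or AutoBackup for the log mode.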