This repository has been archived by the owner on Nov 1, 2023. It is now read-only.

[GPO settings on what to log] #56

Closed
ehosmer opened this issue Jan 31, 2020 · 2 comments
Labels
enhancement New feature or request

Comments

@ehosmer

ehosmer commented Jan 31, 2020

Something you might want to add or note: enabling "Advanced Audit Configuration" via GPO, and what events at a minimum you should turn on, or don't need based on what Sysmon pulls.

The only thing I worry about is that if you had an issue with Sysmon and had no "Advanced Audit Configuration", it might be hard to find issues.

Noticed this in my testing since I did not apply my normal GPO for configuring event logging. (Didn't want to add anything that would conflict with LME.) Was looking for normal user login events, and they were missing.

@ehosmer ehosmer added the enhancement New feature or request label Jan 31, 2020
@1n6w3coza

I have noticed a lot of the forwarded events in Chapter 1 Files > lme_wec_config.xml appear to come from here:

https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection#appendix-e--annotated-baseline-subscription-event-query

I would expect that using the audit settings on the same page under "Appendix A - Minimum recommended minimum audit policy" would get you close to having the relevant events logged:

https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection#appendix-a---minimum-recommended-minimum-audit-policy

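As an added example that ties the two comments above together (this is not code from the LME project or from either commenter), the PowerShell below pulls the literal `EventID=` selectors out of a WEC subscription such as lme_wec_config.xml, maps a hand-picked subset of them to the Advanced Audit Policy subcategory that produces them, and compares that against the host's effective policy from `auditpol`. Assumptions: an elevated PowerShell session on an en-US Windows host (auditpol subcategory names are localized), a subscription file in the standard `<Subscription><Query>` CDATA layout, and an Event ID to subcategory table that is a small subset of Microsoft's documented mapping rather than a complete one.

```powershell
# Added example for this thread; not code from the LME project or from
# either commenter. Assumptions: elevated PowerShell on an en-US Windows
# host (auditpol subcategory names are localized), and a hand-picked
# Event ID -> subcategory table that is only a subset of Microsoft's
# documented mapping. Ranged selectors such as "EventID >= 4624" in the
# subscription query are not parsed, only literal EventID=NNNN ones.

param(
    # Optional WEC subscription file, e.g. the LME lme_wec_config.xml. When it
    # is omitted or not found, every event ID in the table below is checked.
    [string]$SubscriptionXml
)

# Security-log event IDs and the Advanced Audit Policy subcategory that has to
# be enabled before Windows writes them.
$SubcategoryForEvent = @{
    4624 = 'Logon'                              # successful logon (the events reported missing above)
    4625 = 'Logon'                              # failed logon (needs Failure auditing)
    4634 = 'Logoff'
    4672 = 'Special Logon'                      # logon holding admin-equivalent privileges
    4688 = 'Process Creation'
    4697 = 'Security System Extension'          # service installed
    4719 = 'Audit Policy Change'
    4720 = 'User Account Management'            # user account created
    4740 = 'User Account Management'            # user account locked out
    4728 = 'Security Group Management'          # member added to a global group
    4732 = 'Security Group Management'          # member added to a local group
    4768 = 'Kerberos Authentication Service'    # TGT requested
    4769 = 'Kerberos Service Ticket Operations' # service ticket requested
    4776 = 'Credential Validation'              # NTLM authentication
}
# Event IDs that only appear under Failure auditing of their subcategory.
$FailureOnly = @(4625)

# Decide which event IDs to check.
$wanted = @($SubcategoryForEvent.Keys)
if ($SubscriptionXml -and (Test-Path -Path $SubscriptionXml)) {
    [xml]$sub = Get-Content -Path $SubscriptionXml -Raw
    # The <Query> element carries the <QueryList> as CDATA; pull the literal
    # EventID=NNNN selectors out of that text.
    $queryText = $sub.GetElementsByTagName('Query')[0].InnerText
    $wanted = [regex]::Matches($queryText, 'EventID\s*=\s*(\d+)') |
        ForEach-Object { [int]$_.Groups[1].Value } |
        Sort-Object -Unique
}

# Effective audit policy as CSV. Columns: Machine Name, Policy Target,
# Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
$policy = @{}
auditpol /get /category:* /r |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv |
    ForEach-Object { $policy[$_.Subcategory] = $_.'Inclusion Setting' }

# Unless subcategory settings are forced to override the nine legacy audit
# categories, a GPO that sets only the legacy categories can undo them.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$forceSubcategory = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)

$report = foreach ($id in $wanted) {
    $subcategory = $SubcategoryForEvent[$id]
    if (-not $subcategory) { continue }     # event ID not in the hand-picked table
    $setting = $policy[$subcategory]
    $needed = if ($FailureOnly -contains $id) { 'Failure' } else { 'Success' }
    [pscustomobject]@{
        EventID      = $id
        Subcategory  = $subcategory
        Needs        = $needed
        Setting      = $(if ($setting) { $setting } else { 'unknown' })
        WillBeLogged = [bool]($setting -match $needed)
    }
}

$report | Sort-Object -Property EventID | Format-Table -AutoSize
"Subcategory settings override legacy categories (SCENoApplyLegacyAuditPolicy=1): $forceSubcategory"
```

Run it as `.\Check-AuditPolicy.ps1 -SubscriptionXml .\lme_wec_config.xml` (script name is a placeholder). A row with `WillBeLogged` of `False` is an event the subscription asks for but the host will never generate, which is exactly the "login events are missing" symptom described above: the forwarding query is fine, the audit policy is not.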
@duncan-ncc
Contributor

Closed due to project archive

@duncan-ncc duncan-ncc closed this as not planned Won't fix, can't repro, duplicate, stale Apr 3, 2023