[Feature] - Increase logging on Win - OIB - Device Security - D - Audit and Event Logging

[stugster]

Huntress (and potentially others) recommend deploying a Settings Catalog very similar to the Win - Device Security - D - Audit and Event Logging profile.

The differences are as follows:

Rather than us needing to manually disable the OIB in favour of the more enhanced Huntress policy to avoid a conflict, could the OIB be updated to reflect the Huntress settings?

[Michael-eit]

The snark in me wants to ask. how is it more enhanced? But just edit your OIB to match what you want. its not a fixed thing.

Legit though what makes it better or worse?

[incedIT]

I use Huntress and have already customised the OIB policy as follows:
Audit Security Group Management - Success --> Success and Failure
Audit Detailed File Share - Failure --> Success and Failure
Audit Other Policy Change Events - Failure --> Success and Failure

Where did you find the recommended log sizes? I found the security log recommendation here, but not the others.

[stugster]

Where did you find the recommended log sizes? I found the security log recommendation here, but not the others.

https://support.huntress.io/hc/en-us/articles/49828550456979-Enforcing-Windows-Logging-Audit-Policies-Microsoft-Intune

How are you managing that customisation of the OIB across all clients when a new version comes out?

[incedIT]

https://support.huntress.io/hc/en-us/articles/49828550456979-Enforcing-Windows-Logging-Audit-Policies-Microsoft-Intune

How are you managing that customisation of the OIB across all clients when a new version comes out?

I am refining the process but currently, if I edit an OIB policy, I append the version with a 'c' (custom) and note my changes in the description box. When a new version is released I read the changelog to consider impact on my tenants, I then check if any of the updated policies are one's I have customised, if so I work out whether I need to merge my customisations into the new policy and append with a 'c'.

Manual process which is frustrating, when I get time I intend to look at CIPP policy management which should make it easier. Most of my customisations are made for all my tenants but some are specific to tenants based on that client's requirements.

[incedIT]

I just went through the recommended audit log table here and added the following to my OIB policy too:
Audit Kerberos Authentication Service - Success and Failure
Audit Kerberos Service Ticket Operations - Success and Failure
Audit Computer Account Management - Success and Failure
Audit Distribution Group Management - Success and Failure
Audit Other Account Management Events - Success
Audit Directory Service Access - Success and Failure
Audit Directory Service Changes - Success
Audit Network Policy Server - Success and Failure
Audit Filtering Platform Connection - Failure
Audit Kernel Object - Success and Failure
Audit Filtering Platform Policy Change - Success

[SkipToTheEndpoint]

I'm going to need some time to look through these and determine what value they add more broadly, as I don't want to deploy pointless settings (e.g. "Audit Computer Account Management" is only ever going to be relevant on Servers) or start generating a ton of unnecessary noise for the majority of those not using Huntress.

I'd far rather work with the CIPP team to develop a Huntress-specific Standard that y'all can use instead of the OIB audit?

[incedIT]

I'm going to need some time to look through these and determine what value they add more broadly, as I don't want to deploy pointless settings (e.g. "Audit Computer Account Management" is only ever going to be relevant on Servers) or start generating a ton of unnecessary noise for the majority of those not using Huntress.

I'd far rather work with the CIPP team to develop a Huntress-specific Standard that y'all can use instead of the OIB audit?

Sounds great, if the Huntress recommendations don't apply to most other vendors then doesn't make sense for them to be set in this project, so either we customise OIB as per our need, or can use some CIPP standards.