Purpose: Resolve collision between GPO Audit Policies.
Check the List: Generate a Disabled Auditing report.
Apply Cyray’s Audit Policies: After reviewing and potentially overriding existing settings.
Why Important: Make sure the SIEM system collects all audit event logs for monitoring.
Enforce Cyray’s Audit policies
As the IT administrator responsible for managing Group Policy Objects (GPOs) within the organization, you need to selectively disable, for specific machines, Windows Event Auditing policies that do not belong to Cyray's Audit policy, while ensuring that essential security measures remain intact.
Defining Cyray's Audit Policies in your GPO is crucial for your organization's monitoring: environment monitoring and certain alerts depend on these settings.
Please follow the Actions section to get started or continue reading if you want to get a bigger picture about enforcing Audit Policies.
Generate a "Disabled Auditing" report using the Mobula Application and inform your SOC Team / Platform Manager about the policies listed in the report that need to change.
If the information listed in the report is correct, enforce Cyray's Audit Policies in your GPO, wait 24h to check that the changes have been applied, and then press Update Task to move the task to the "Complete" stage.
If the report is not empty, repeat the first step.
To access the report, follow these steps:
Go to Options menu
Check List
Disabled Auditing
Related Report
Generate a report (the report will be sent to your email)
To Update the task:
Go to Options menu
Check List
Disabled Auditing
Task Update
Choose the status and click save.
Ensure audit events from the whole organization are monitored and correlated.
Enhance security and compliance with regulatory requirements.
Optimise performance and manageability of your GPOs.
Security Breaches: A collision between two audit policies in GPOs can disable Windows Event Auditing, which reduces visibility into system activities and makes it harder to detect and respond to security incidents such as unauthorized access or data breaches.
Operational Blind Spots: Event logs provide valuable insights for troubleshooting, performance monitoring, and forensic analysis. Disabling auditing limits the ability to diagnose issues and investigate incidents effectively.
Identify the Conflicting GPOs:
Determine which GPOs are conflicting and contributing to the inconsistency in Windows Event Auditing policies. Review the settings configured in each GPO to understand the conflicting configurations. Ask your entities to generate a GPO Result report and review it.
Prioritise Security Requirements:
Prioritise security requirements based on organizational policies, compliance mandates, and risk assessments. Cyray’s Audit GPO settings should take precedence to enforce consistent and compliant security configurations across the network.
Resolve Conflicting Settings:
Decide which GPO settings need to be enforced or overridden to resolve the conflict regarding Windows Event Auditing policies. Consider factors such as the specificity of settings, administrative intent, and security implications.
Use GPO Processing Order:
Leverage the order of GPO processing to resolve conflicts. Ensure that GPOs with higher precedence or enforced settings override conflicting configurations from lower-precedence GPOs.
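The following PowerShell script is an added example, not part of the Cyray/Mobula documentation: run on a single machine, it lists the effective audit subcategories that are currently "No Auditing" (a local counterpart of the Disabled Auditing report) and then lists the GPOs actually applied to the computer, with their link location and enforcement flag, so a lower-precedence GPO that still wins the conflict stands out. The $RequiredSubcategories list is a constructed placeholder, and the RSoP XML element names (ComputerResults/GPO/Name, Link/SOMPath, Link/NoOverride) are assumed to match what gpresult emits.

```powershell
# Added example (not from the Cyray/Mobula page). Run in an elevated PowerShell session
# on the target machine; auditpol needs administrative rights to read the effective policy.
# ASSUMPTION: this list is a constructed placeholder. Replace it with the subcategories
# Cyray's Audit Policies actually require (the page does not enumerate them).
$RequiredSubcategories = @(
    'Logon',
    'Process Creation',
    'Security Group Management',
    'Audit Policy Change'
)

# auditpol /r emits CSV with the columns Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting; drop blank lines before parsing.
$effective = auditpol /get /category:* /r |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv

# Effective state is what matters: it is the result after every GPO has been applied,
# so any required subcategory still at "No Auditing" means a conflicting GPO won.
$disabled = $effective |
    Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' -and
                   $RequiredSubcategories -contains $_.Subcategory }

if ($disabled) {
    Write-Warning "Required subcategories with auditing disabled on $env:COMPUTERNAME:"
    $disabled | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
} else {
    Write-Host "All required subcategories are audited on $env:COMPUTERNAME."
}

# Second check: which GPOs applied to this computer, where they are linked and whether
# the link is enforced (NoOverride). Compare this with the precedence you expect for
# Cyray's audit GPO. /f overwrites an existing report file.
$rsopPath = Join-Path $env:TEMP 'rsop-computer.xml'
gpresult /scope computer /x $rsopPath /f | Out-Null
[xml]$rsop = Get-Content -Path $rsopPath

# ASSUMPTION: element names as produced by gpresult /x; local-name() sidesteps the
# RSoP XML namespace so no namespace manager is needed.
$rsop.SelectNodes("//*[local-name()='ComputerResults']/*[local-name()='GPO']") |
    ForEach-Object {
        [pscustomobject]@{
            GPO      = $_.SelectSingleNode("*[local-name()='Name']").InnerText
            LinkedAt = $_.SelectSingleNode("*[local-name()='Link']/*[local-name()='SOMPath']").InnerText
            Enforced = $_.SelectSingleNode("*[local-name()='Link']/*[local-name()='NoOverride']").InnerText
        }
    } | Format-Table -AutoSize
```

Run it before enforcing Cyray's Audit Policies and again after the 24h wait; the first table should be empty on the second run, and Cyray's audit GPO should appear in the second table with the precedence you intended.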
Communicate Changes to Stakeholders:
Communicate changes to relevant stakeholders, including IT administrators, security teams, and affected users. Ensure that stakeholders are aware of the resolution of conflicts and understand any impact on security configurations or system behaviour.
Consolidate GPOs: If possible, consolidate the conflicting audit policies into a single GPO. This helps avoid conflicts and simplifies management. Ensure that the consolidated GPO contains the correct audit settings that align with your organization's security requirements.
Prioritise Security Requirements: Evaluate the security requirements of your organization and prioritise the audit policies accordingly. Determine which audit events are critical for security monitoring and compliance with regulatory requirements. Adjust the GPO settings to ensure that these critical audit events are enabled and properly configured.
Document Changes: Document any changes made to the GPO settings, including the rationale behind the changes and the impact on security monitoring. This documentation helps maintain clarity and transparency regarding the configuration of audit policies.
Regular Review and Maintenance: Schedule regular reviews of GPO settings and audit policies to ensure that they remain aligned with evolving security requirements and organizational policies. Periodically reassess the effectiveness of audit policies and make adjustments as needed.
This use case has been developed based on our extensive experience and feedback from our valued customers. We are committed to continuous improvement and welcome your feedback and contributions to this use case. Please share any insights or suggestions you may have to help us refine and enhance this security measure.
RuleID: 5UvOObo4BABDQNd6uMa168Q==
Active List:
Sensitive Group Policy - H0R6Mbo4BABCB6-c-2DlpKg==
/All Rules/Real-time Rules/Mobula/Windows/Audit Application Channel/MsiInstaller/Important Application Uninstalled