Configure IT Infrastructure for Auditing and Monitoring
You can configure your IT Infrastructure for monitoring in one of the following ways:
- Automatically when creating an organization. This is the recommended method.
- Manually. The table below lists the native audit settings that must be adjusted manually to ensure that comprehensive and reliable audit data is collected. You can enable Netwrix 1Secure to continually enforce the relevant audit policies or configure them manually.
Data source: Active Directory
Provided connector: Active Directory Activity
Required configuration:
In the audited environment:
- See Domain for Monitoring Active Directory for related settings and procedures.
On the computer where Netwrix Cloud Agent is installed:
- If you have enabled automatic log backup for the Security log of your domain controller, you can have the old backups cleared automatically. For that, use the CleanAutoBackupLogs registry key. It is recommended that you adjust the retention period for the backup files accordingly (default is 50 hours).
- To provide for event data collection, the Secondary Logon service must be up and running. Open Administrative Tools → Services, right-click the Secondary Logon service and on the General tab make sure that Startup type for this service is other than Disabled.
Data source: Active Directory
Provided connector: Active Directory Logons
Required configuration:
In the audited environment:
- The following policies must be set to "Success" and "Failure" for the effective domain controllers policy:
  - Audit Logon Events
  - Audit Account Logon Events
- The Audit system events policy must be set to "Success" for the effective domain controllers policy.
- The Advanced audit policy settings can be configured instead of basic.
- The Maximum Security event log size must be set to 4GB. The retention method of the Security event log must be set to "Overwrite events as needed" or "Archive the log when full".
- The following Windows Firewall inbound rules must be enabled:
  - Remote Event Log Management (NP-In)
  - Remote Event Log Management (RPC)
  - Remote Event Log Management (RPC-EPMAP)
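To confirm that a domain controller already satisfies the settings above before the connector is enabled, the following PowerShell script is an added example; it is not code from Netwrix or the 1Secure documentation. It assumes auditpol.exe, Get-WinEvent and the NetSecurity module are available on the domain controller (Windows Server 2012 R2 or later) and reads the advanced (subcategory) audit policy with auditpol, so it expects every subcategory under Logon/Logoff and Account Logon to be "Success and Failure" and every subcategory under System to include "Success". The $findings variable and the category-to-policy mapping are choices made here.

```powershell
# Added example (not from the Netwrix documentation): checks that a domain
# controller already meets the requirements listed above for the Active
# Directory Logons connector. Run in an elevated PowerShell session on the DC.
# Assumes auditpol.exe, Get-WinEvent and the NetSecurity module are available
# (Windows Server 2012 R2 or later). The check uses the advanced (subcategory)
# view: every subcategory of a category must carry the category's setting.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Audit policy. "Audit logon events" maps to the Logon/Logoff category,
#    "Audit account logon events" to Account Logon, "Audit system events" to
#    System. auditpol /r prints CSV with an "Inclusion Setting" column.
$expected = @{
    'Logon/Logoff'  = @('Success and Failure')
    'Account Logon' = @('Success and Failure')
    'System'        = @('Success', 'Success and Failure')
}
foreach ($category in $expected.Keys) {
    $rows = auditpol /get /category:"$category" /r |
            Where-Object { $_ -ne '' } | ConvertFrom-Csv
    foreach ($row in $rows) {
        $setting = $row.'Inclusion Setting'
        if ($expected[$category] -notcontains $setting) {
            $findings.Add("Audit policy: $category / $($row.Subcategory) is '$setting'")
        }
    }
}

# 2. Security event log: 4 GB maximum; retention Circular ("Overwrite events
#    as needed") or AutoBackup ("Archive the log when full").
$log = Get-WinEvent -ListLog Security
if ($log.MaximumSizeInBytes -lt 4GB) {
    $findings.Add("Security log maximum size is $([int]($log.MaximumSizeInBytes / 1MB)) MB, expected 4096 MB")
}
if ([string]$log.LogMode -notin 'Circular', 'AutoBackup') {
    $findings.Add("Security log retention is '$($log.LogMode)', expected Circular or AutoBackup")
}

# 3. Inbound firewall rules used for remote Security log collection. A rule
#    name can exist once per profile, so any enabled instance counts.
$ruleNames = 'Remote Event Log Management (NP-In)',
             'Remote Event Log Management (RPC)',
             'Remote Event Log Management (RPC-EPMAP)'
foreach ($name in $ruleNames) {
    $enabled = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' }
    if (-not $enabled) {
        $findings.Add("Firewall rule '$name' is missing or disabled")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All Active Directory Logons audit requirements are met.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Each deviation is reported as a warning rather than fixed, so the script can be run before and after a Group Policy change to confirm the effective result on the domain controller itself; it does not verify the basic (category-level) policy path, which is what the advanced subcategory settings override when both are present.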
Data source: Azure AD
Provided connectors: Azure AD Activity, Azure AD Logons
Required configuration:
No special settings are required. Remember to do the following:
- Configure the Azure AD app as described in the App Registration and Configuration in Microsoft Entra ID section.
Data source: Computer
Provided connector: File Server Activity
Required configuration:
In the audited environment:
For a security principal (e.g., Everyone), the following options must be configured in the Advanced Security → Auditing settings for the audited shared folders:
- List Folder / Read Data (Files only): "Success" and "Fail"
- List Folder / Read Data (This folder, subfolders and files): "Fail"
- Create Files / Write Data*: "Success" and "Fail"
- Create Folders / Append Data*: "Success" and "Fail"
- Write Extended Attributes*: "Success" and "Fail"
- Delete Subfolders and Files*: "Success" and "Fail"
- Delete*: "Success" and "Fail"
- Change Permissions*: "Success" and "Fail"
- Take Ownership*: "Success" and "Fail"
Select "Fail" only if you want to track failure events; it is not required for success events monitoring.
If you want to get only state-in-time snapshots of your system configuration, limit your settings to the permissions marked with * and set them to "Success" (Apply onto: This folder, subfolders and files).
The following Advanced audit policy settings must be configured:
- The Audit: Force audit policy subcategory settings (Windows 7 or later) security option must be enabled.
- Depending on your OS version, configure the categories as follows:
  Windows Server 2008:
  - Object Access: Audit File Share "Success"; Audit File System "Success" and "Failure"; Audit Handle Manipulation "Success" and "Failure"
  - Logon/Logoff: Logon "Success"; Logoff "Success"
  - Policy Change: Audit Audit Policy Change "Success"
  - System: Security State Change "Success"
  Windows Server 2008 R2 / Windows 7 and above:
  - Object Access: Audit File Share "Success"; Audit File System "Success" and "Failure"; Audit Handle Manipulation "Success" and "Failure"; Audit Detailed file share "Failure"
  - Logon/Logoff: Logon "Success"; Logoff "Success"
  - Policy Change: Audit Audit Policy Change "Success"
  - System: Security State Change "Success"
- If you want to get only state-in-time snapshots of your system configuration, limit your audit settings to the following policies:
  - Object Access: Audit File System "Success"; Audit Handle Manipulation "Success"; Audit File Share "Success"
  - Policy Change: Audit Audit Policy Change "Success"
The following legacy policies can be configured instead of advanced:
- Audit object access policy must be set to "Success" and "Failure".
- Audit logon events policy must be set to "Success".
- Audit system events policy must be set to "Success".
- Audit policy change policy must be set to "Success".
The Security event log maximum size must be set to 4GB. The retention method of the Security event log must be set to "Overwrite events as needed".
The Remote Registry service must be started.
The following inbound Firewall rules must be enabled:
- Remote Event Log Management (NP-In)*
- Remote Event Log Management (RPC)*
- Remote Event Log Management (RPC-EPMAP)*
- Windows Management Instrumentation (ASync-In)
- Windows Management Instrumentation (DCOM-In)
- Windows Management Instrumentation (WMI-In)
- Network Discovery (NB-Name-In)
- File and Printer Sharing (NB-Name-In)
- File and Printer Sharing (Echo Request - ICMPv4-In)
- File and Printer Sharing (Echo Request - ICMPv6-In)
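The auditing entries required on the shared folders are the part of this configuration most often set incompletely (wrong "Apply onto" scope, or an entry for a group other than Everyone). The following PowerShell script is an added example, not code from Netwrix or the 1Secure documentation: it reads a folder's SACL with Get-Acl -Audit and reports which entries from the table above are missing for Everyone, matched by its well-known SID S-1-1-0 so that the check also works on localized systems. The folder path D:\Shares\Finance is a placeholder, and the -IncludeFailures switch and the Test-AuditEntry function are names chosen here.

```powershell
# Added example (not from the Netwrix documentation): reports which of the
# auditing entries listed above are missing from a folder's SACL for the
# Everyone principal. Everyone is matched by SID (S-1-1-0) so the check also
# works on localized systems. Run in an elevated PowerShell session on the
# file server; the default path is a placeholder to replace with a real share.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

param(
    [string]$Path = 'D:\Shares\Finance',   # placeholder path
    [switch]$IncludeFailures                # also require the "Fail" selections
)

# Entries from the table above. Scope 'All' = "This folder, subfolders and
# files", 'FilesOnly' = "Files only". "Success" is always required where the
# table lists it; "Fail" is only required when -IncludeFailures is given,
# matching the note that failure auditing is optional.
$entries = @(
    @{ Name = 'List Folder / Read Data (Files only)';                        Right = [FileSystemRights]::ReadData;                     Scope = 'FilesOnly'; Success = $true;  Failure = $true }
    @{ Name = 'List Folder / Read Data (This folder, subfolders and files)'; Right = [FileSystemRights]::ReadData;                     Scope = 'All';       Success = $false; Failure = $true }
    @{ Name = 'Create Files / Write Data*';                                  Right = [FileSystemRights]::WriteData;                    Scope = 'All';       Success = $true;  Failure = $true }
    @{ Name = 'Create Folders / Append Data*';                               Right = [FileSystemRights]::AppendData;                   Scope = 'All';       Success = $true;  Failure = $true }
    @{ Name = 'Write Extended Attributes*';                                  Right = [FileSystemRights]::WriteExtendedAttributes;      Scope = 'All';       Success = $true;  Failure = $true }
    @{ Name = 'Delete Subfolders and Files*';                                Right = [FileSystemRights]::DeleteSubdirectoriesAndFiles; Scope = 'All';       Success = $true;  Failure = $true }
    @{ Name = 'Delete*';                                                     Right = [FileSystemRights]::Delete;                       Scope = 'All';       Success = $true;  Failure = $true }
    @{ Name = 'Change Permissions*';                                         Right = [FileSystemRights]::ChangePermissions;            Scope = 'All';       Success = $true;  Failure = $true }
    @{ Name = 'Take Ownership*';                                             Right = [FileSystemRights]::TakeOwnership;                Scope = 'All';       Success = $true;  Failure = $true }
)

# True when some audit rule for the principal covers the right, the audit flag
# and the inheritance scope. Rights are compared as bit masks because one ACE
# usually carries several rights at once (e.g. Modify).
function Test-AuditEntry {
    param($Rules, [FileSystemRights]$Right, [string]$Scope, [AuditFlags]$Flag)
    foreach ($rule in $Rules) {
        $hasRight  = ([int]$rule.FileSystemRights -band [int]$Right) -eq [int]$Right
        $hasFlag   = ($rule.AuditFlags -band $Flag) -eq $Flag
        $inh       = $rule.InheritanceFlags
        $toFiles   = ($inh -band [InheritanceFlags]::ObjectInherit)    -ne 0
        $toFolders = ($inh -band [InheritanceFlags]::ContainerInherit) -ne 0
        $hasScope  = if ($Scope -eq 'FilesOnly') { $toFiles -and -not $toFolders }
                     else                        { $toFiles -and $toFolders }
        if ($hasRight -and $hasFlag -and $hasScope) { return $true }
    }
    return $false
}

# Read the SACL (-Audit is required, otherwise Get-Acl skips it) and keep only
# the entries that apply to Everyone.
$acl   = Get-Acl -Path $Path -Audit
$rules = $acl.GetAuditRules($true, $true, [SecurityIdentifier]) |
         Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' }

$missing = foreach ($e in $entries) {
    if ($e.Success -and -not (Test-AuditEntry $rules $e.Right $e.Scope Success)) {
        "$($e.Name): Success"
    }
    if ($e.Failure -and $IncludeFailures -and -not (Test-AuditEntry $rules $e.Right $e.Scope Failure)) {
        "$($e.Name): Fail"
    }
}

if (-not $missing) {
    Write-Output "All required auditing entries for Everyone are present on $Path"
} else {
    Write-Warning "Missing auditing entries on ${Path}:"
    $missing | ForEach-Object { Write-Warning "  $_" }
}
```

Reading a SACL needs the "Manage auditing and security log" privilege, so run the script as an administrator on the file server; rerun it with -IncludeFailures when failure events are to be tracked, and run it against each audited share, since auditing entries are per folder and are not implied by the audit policy alone.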
Data source: SharePoint Online
Provided connector: SharePoint Online Activity
Required configuration:
No special settings are required. Remember to do the following:
- Configure the Azure AD app as described in the App Registration and Configuration in Microsoft Entra ID section.