48 min read

Beneath the Dashboard: What Your SIEM Actually Sees in the Windows Security Log

Advanced Audit Policy, SACLs, Windows Event Forwarding, and log anti-forensics: the native foundation every Windows SIEM assumes but few configure well.

Permalink

1. The Dashboard Was Green

The dashboard was green. Three weeks after the domain was fully compromised -- a new domain administrator, a scheduled task planted on the crown-jewel file server, lateral movement across a dozen hosts -- the Sentinel console still showed nothing but healthy endpoints and a flat event graph. The SIEM was not broken, and it was not lying. It was faithfully displaying an empty log.

How does a fully deployed, well-funded SIEM see a three-week domain takeover as silence? The post-mortem found three answers, and none of them lived in the SIEM.

First, the event that would have caught the lateral movement was never written. The administrator had, years earlier, ticked the basic Object Access setting in a Group Policy Object, exactly as an older runbook instructed. On every modern Windows host that toggle does nothing, because the SCENoApplyLegacyAuditPolicy "force" setting is enabled by default and makes the fine-grained subcategory surface authoritatively win. Microsoft states the consequence plainly: "the Group Policy audit setting is ignored in favor of the custom policy setting" [1]. The log looked configured. It was auditing almost nothing.

Second, the one object that mattered had no SACL. Auditing a specific file, key, or directory requires an audit entry -- an ACE -- in that object's System Access Control List [6]. The file server that held the crown jewels carried none, so the access that mattered generated no record even where the subcategory was on.

Third, on the way out, the attacker silenced what little remained. They ran wevtutil cl security, which clears the Security log and emits Event ID 1102, "the audit log was cleared" [7] -- MITRE ATT&CK technique T1685.005 [2]. Then, on a couple of noisy hosts, they went quieter still and terminated the Event Log service worker threads with a Phant0m-style tool, so the service reported "Running" while recording nothing [4].

Every one of those three failures sits beneath the SIEM. Not one is a detection-rule problem, a correlation problem, or a dashboard problem. They are audit-policy and forwarding problems in the plumbing the SIEM silently assumes is correct.

Ctrl + scroll to zoom
The native pipeline in three layers: production decides what is written, collection decides what survives and ships, and the SIEM shows only what reaches its table. The attacker aims at the left two layers, never the dashboard.

Your SIEM is only as good as the audit policy and forwarding config beneath it, and attackers know exactly which events to silence.

That single sentence is the argument of this article, and everything below is its proof. The expensive detection stack at the top rests on a cheap, native, badly configured foundation, and the adversary attacks the foundation, not the dashboard.

The board was never lying. It faithfully showed an empty log -- and an empty log is exactly what the attacker worked to produce.

To understand why the log was empty -- and why an attacker can empty it on purpose -- we have to go back to a 1980s trust requirement that demanded selective auditing two decades before Windows could deliver it.

2. Auditing as a Trust Requirement

Why does Windows have a Security log at all? The answer is not a product decision. It is a 1985 United States Department of Defense standard.

The Trusted Computer System Evaluation Criteria -- DoD 5200.28-STD, universally known as the "Orange Book" -- codified fundamental security requirements for systems trusted to handle sensitive data.

Requirement 4 was Accountability, and its wording reads like a specification written for a subsystem that would not exist for twenty years: "Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party... The capability to select the audit events to be recorded is necessary to minimize the expense of auditing and to allow efficient analysis. Audit data must be protected from modification and unauthorized destruction" [8].

Read that clause slowly, because the rest of this article is Windows spending forty years trying to satisfy it. Four testable demands hide inside it: auditing must be selective (you choose which events are recorded), attributable (each record ties an action to a principal), protected (the trail resists modification and destruction), and analyzable (the volume stays low enough to actually review). A system earned the C2 "Controlled Access Protection" class only if it met all four. Accountability was not a feature. It was a rating requirement.

Windows NT was architected to meet C2, and in 1993 NT 3.1 shipped the machinery [9]. At its heart sat a kernel component that decides who may touch what.

Security Reference Monitor (SRM)

The kernel-mode component of Windows that mediates access to every securable object. When code attempts an operation, the SRM performs the access check against the object's security descriptor -- and, when auditing is configured, the SRM generates the audit record. It does not write to disk itself: the Local Security Authority Subsystem (LSASS) and the Event Log service carry the record the rest of the way to the Security event log.

Every securable object in NT carries a security descriptor holding two access control lists: a DACL that grants or denies access, and a SACL that generates audit records. The distinction is the whole game.

System Access Control List (SACL)

The audit half of a security descriptor. Microsoft's still-current definition: "A system access control list (SACL) allows administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log" [6]. A DACL controls access; a SACL controls auditing. They are independent lists.

This design earned its badge. Windows NT 3.5 with Service Pack 3 received a TCSEC C2 rating in mid-1995 -- and here the story plants its first irony. The rating applied to a standalone, non-networked configuration [10]. The evaluation that validated NT's audit and accountability design explicitly excluded the network, the very surface almost every later attack would use. As one contemporaneous critique put it, a system may offer C2 auditing, but that does not mean the audit logs are useful, or that anyone reads them [11].

The exact month of the NT 3.5 C2 rating is secondary-sourced. The contemporaneous reporting says July 1995 [10]; the authoritative NCSC Evaluated Products List entry is an archival record not readily fetchable today, so treat "mid-1995" as the safe form.

NT shipped the machinery for accountability: a reference monitor, a SACL on every object, and a protected log. But the way it exposed that machinery to administrators -- as a handful of coarse switches -- would betray the exact selectivity the Orange Book demanded. To see how, watch what happens when you try to audit one registry key.

3. The Scalpel Gated Behind the Blunt Valve

You want to catch writes to one registry key. Simple, right? Watch what actually happens on Windows through Server 2003.

Auditing in that era was governed by a short list of basic categories under Security Settings\Local Policies\Audit Policy, each a single Success/Failure switch covering a broad class of behavior [12].

The exact count is worth getting right, because it dates the pain precisely. Windows 2000 exposed nine basic categories [13], and exactly two of them were new in that release: Audit account logon events, which records authentication at the validating authority such as the Kerberos ticket exchange on a domain controller [14], and Audit directory service access, which records access to an Active Directory object that carries its own SACL [15]. Subtract those two Windows 2000 additions and the earlier Windows NT family -- 3.1, 3.5, and 4.0 -- is left with the remaining seven. That nine-category surface persisted essentially unchanged through Windows XP and Server 2003.

Basic categoryPresent sinceSplits later into subcategories such as
LogonNT 3.1Logon, Logoff, Account Lockout, Special Logon
Object AccessNT 3.1File System, Registry, SAM, Detailed File Share, Other Object Access
Account ManagementNT 3.1User Account, Security Group, Computer Account Management
Privilege UseNT 3.1Sensitive and Non-Sensitive Privilege Use
Process TrackingNT 3.1Process Creation, Process Termination, RPC Events, DPAPI Activity
Policy ChangeNT 3.1Audit Policy Change, Authentication Policy Change
SystemNT 3.1Security State Change, Security System Extension, System Integrity
Account LogonWindows 2000Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events
Directory Service AccessWindows 2000Directory Service Access, Directory Service Changes

Read the right-hand column and the coarseness jumps out: those subcategory names did not exist yet [16]. Each row was a single switch with no dial between "off" and "all of it." Microsoft's own comparison makes the scale concrete: "the basic audit policy provides a single setting for account sign-in, and the advanced audit policy provides four. Enabling the single basic setting would be the equivalent of setting all four advanced settings" [17]. One blunt switch stood in for what later became a panel of precise ones.

Now return to that one registry key. To audit it you enable the Object Access category -- the global master valve. Every audited object access on the machine floods in with it. On a busy server, ordinary registry and file churn buries your one relevant event among tens of thousands. The Security log is a fixed-size ring that overwrites the oldest events when full [18], so on a busy domain controller it can roll over quickly, destroying earlier evidence. Performance suffers. So the administrator does the rational thing and turns Object Access back off -- and now the key is completely unaudited.

The tragedy is that the object-level precision existed. It just could not be reached affordably.

Audit ACE

An access control entry inside a SACL, essentially the tuple {trustee SID, access mask, success or failure flags}. It is the object-level scalpel: it can say "record when this principal writes to this key" [6]. But an audit ACE fires only if the governing Object Access category is also enabled -- the scalpel is useless while the valve is shut.

So the SACL is a perfect scalpel gated behind a blunt, all-or-nothing valve. Turn the valve on and you drown; turn it off and the scalpel cuts nothing. Grade this against the Orange Book: it fails the selective clause operationally. C2 demanded selectivity precisely "to minimize the expense of auditing" [8], and the coarse-category model made selectivity so expensive that administrators opted out entirely. They turned auditing down -- the exact opposite of what the standard asked for.

The problem, then, was never the SACL. It was the coarse category gating it. What if each of those categories could be subdivided, so an administrator could enable exactly the behavior they cared about -- "the logon events I want" without "every logoff, every IPsec negotiation, every handle" -- and pay only for that? In Windows Vista, Microsoft did exactly that. And then it did something subtler, and more dangerous.

4. Subcategories, and a Trap Enabled by Default

In Windows Vista and Server 2008, Microsoft cut the coarse categories into pieces. The auditable set "expanded from nine to 53" fine-grained subcategories, grouped under about ten categories, so that for the first time an administrator could audit "Logon" without "Logoff," or "Process Creation" without the rest of Detailed Tracking [13]. The stated rationale is exactly the Orange Book's selective clause, arriving twenty years late: the subcategories let you "select only the behaviors that you want to monitor" and exclude those that "create an excessive number of log entries" [16].

There is a release nuance worth pinning down, because getting it wrong misdates the whole capability. The subcategories shipped in Vista and Server 2008, but at first they were not integrated with Group Policy and "could only be deployed by using logon scripts generated with the Auditpol.exe command-line tool." The centralized Security Settings\Advanced Audit Policy Configuration node in Group Policy arrived one release later: "Starting in Windows Server 2008 R2 and Windows 7, all auditing capabilities are integrated with Group Policy" [13].

Advanced Audit Policy subcategory

One of the fine-grained audit switches -- Microsoft describes "over 40," and the exact total ran to 53 at introduction and grew across releases -- that superseded the coarse basic categories [1, 13]. Each subcategory can be set to audit Success, Failure, both, or neither, so policy volume becomes tunable downward to only the behaviors that matter [16].

That was the breakthrough. The subtler move -- the one that produced the empty log in our post-mortem -- was how Microsoft made the two surfaces coexist. If a host has both a legacy basic policy and a modern subcategory policy, which wins? Microsoft answered with a precedence switch, and then turned it on for everyone.

SCENoApplyLegacyAuditPolicy (the force setting)

The registry value behind the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings." When enabled -- the effective default on client, member server, and domain controller -- the subcategory surface authoritatively wins and legacy category policy is not applied [1]. It "will override audit policy settings under Security Settings\Local Policies\Audit Policy" [13].

The intent was benign: stop the two surfaces from silently fighting by declaring a deterministic winner. The side effect is a footgun. On a default modern host, an administrator who sets a basic category -- from muscle memory, a stale runbook, or an inherited GPO -- watches it do absolutely nothing.

"...the Group Policy audit setting is ignored in favor of the custom policy setting." -- Microsoft, describing what happens to a legacy audit toggle once the force setting is in effect [1]

The intended audit never happens, no error is raised, and the host looks configured while auditing whatever the subcategories say -- which, if nobody set them, is nothing. This is a misconfiguration that is invisible by design.

Ctrl + scroll to zoom
Why a basic audit toggle silently no-ops on a modern host: with the force setting enabled by default, the subcategory surface is authoritative and the legacy toggle is ignored.

Here is the same logic as a tiny resolver you can run. It models the exact conditions of the breach: a basic toggle set, the force setting on, and nothing configured at the subcategory level.

JavaScript The force-setting no-op, in miniature
// How Windows resolves effective audit policy (simplified)
const forceSetting = "Enabled";              // SCENoApplyLegacyAuditPolicy, default on
const basicPolicy = { "Object Access": "Success" }; // what the admin ticked in GPO
const subcategoryPolicy = {};                // what was set at subcategory level: nothing

function effectiveAuditPolicy(force, basic, subcats) {
// When the force setting is on, the subcategory surface wins outright.
return force === "Enabled" ? subcats : basic;
}

const effective = effectiveAuditPolicy(forceSetting, basicPolicy, subcategoryPolicy);
const auditing = Object.keys(effective);

console.log("Admin configured :", Object.keys(basicPolicy).join(", "));
console.log("Host is auditing :", auditing.length ? auditing.join(", ") : "nothing");
// Host is auditing : nothing

Press Run to execute.

Because both surfaces can be present, mixing them without understanding the precedence is unsafe: Microsoft warns it "can cause unexpected results," so the supported guidance collapses to "pick advanced, and force it" [17, 13]. You configure subcategories with auditpol.exe, an exported GPO CSV (audit.csv), or secpol.msc, and -- this is the load-bearing habit -- you verify what is actually in effect with auditpol /get /category:*, not the GPO you believe you set [19].

The Vista release also rebuilt the event log on Event Tracing for Windows, moving the Security channel onto the Microsoft-Windows-Security-Auditing provider, GUID {54849625-5478-4994-A5BA-3E3B0328C30D}, and renumbering the event IDs wholesale [20]. That timeline is worth seeing whole.

Ctrl + scroll to zoom
The generational arc: a 1985 trust requirement, answered one failure at a time, from the Orange Book to cloud-native collection.

The log can finally be selective. But selective about what? To read it -- or to notice its silence -- you have to know which event ID rides which subcategory, and which ones an attacker prays you never enabled.

5. Eight Numbers That Read a Breach

Learn to read eight event IDs -- and to name the subcategory each one rides -- and you can read a Windows intrusion end to end. The Security channel, backed by the Microsoft-Windows-Security-Auditing provider [20], carries hundreds of event types, but a small set does most of the detective work. Here is the load-bearing set, each anchored to the subcategory that must be enabled for it to exist and to the adversary behavior it exposes.

Event IDWhat it recordsGating subcategoryWhat it reveals to a hunter
4624Successful logonLogon/Logoff, LogonSession start; the logon type separates interactive from network (type 3) and remote-interactive (type 10) [21]
4625Failed logonLogon/Logoff, LogonPassword spraying and brute force
4672Special privileges assigned at logonLogon/Logoff, Special LogonAn administrator-equivalent session (privileges such as SeDebugPrivilege)
4688New process created, with command lineDetailed Tracking, Process CreationExecution, living-off-the-land binaries, encoded command lines
4698Scheduled task createdObject Access, Other Object Access EventsPersistence and lateral movement
4720User account createdAccount Management, User Account ManagementA rogue account being stood up
4768Kerberos authentication ticket requestedAccount Logon, Kerberos Authentication ServiceInitial domain authentication, recorded on the domain controller
4769Kerberos service ticket requestedAccount Logon, Kerberos Service Ticket OperationsService access and Kerberoasting, recorded on the domain controller

The gating-subcategory column is the point. Community reference works such as Randy Franklin Smith's Windows Security Log Encyclopedia index every event by exactly this subcategory relationship [22], and Microsoft's own page for 4688 states its subcategory outright: Audit Process Creation [20]. The two Kerberos events live on the domain controller, under Account Logon -- the category that records authentication at the validating authority [14]. The mechanics of the AS-REQ and TGS-REQ exchange are covered in the companion Kerberos article; here they matter only as "the DC-side record that a ticket was requested."

Ctrl + scroll to zoom
The two-switch gate: an audit record exists only if the subcategory is enabled and, for object access, a matching SACL ACE is present. Miss either switch and the SRM generates nothing.

For object-access events like 4698, that diagram hides the single most common support case in Windows auditing: two independent switches must both be set. The subcategory is the policy-level gate; the SACL ACE is the object-level match. Set one without the other and you get silence.

JavaScript Why 'I set a SACL and saw nothing' happens
// An object-access record is emitted only when BOTH switches are set.
function emitted(aceMatches, subcategoryEnabled) {
return aceMatches && subcategoryEnabled;
}

const cases = [
[false, false], // nothing set
[true,  false], // SACL placed, subcategory off  -> the classic silent failure
[false, true],  // subcategory on, no SACL        -> nothing to match
[true,  true],  // both set                        -> the only case that logs
];

for (const [ace, sub] of cases) {
console.log("ACE match:", ace, "| subcategory on:", sub, "=> logged:", emitted(ace, sub));
}
// Only the final combination prints logged: true

Press Run to execute.

Placing the SACL, end to end

The two-switch rule is where most "I enabled auditing and saw nothing" tickets are born, so it is worth showing the object-level switch concretely, not just naming it. There are three ways to place an audit ACE, and one way to read it back off disk.

Per object, in PowerShell. Read the descriptor with Get-Acl -Audit, add a typed audit rule, and write it back with Set-Acl. For a file or folder the rule is a FileSystemAuditRule; for a registry key it is a RegistryAuditRule [24, 25, 26].

# Audit successful and failed writes/deletes on a crown-jewel folder
$path = 'C:\CrownJewels'
$acl  = Get-Acl -Path $path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
          'Everyone', 'Write,Delete',
          'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Read the SACL back as SDDL to confirm the audit ACE landed
(Get-Acl -Path $path -Audit | Format-List -Property PSPath, Sddl)

Host-global, with auditpol. To audit a whole type of object without touching each one, set a global resource SACL: auditpol /resourceSACL /set /type:File /user:Everyone /success /failure /access:FRFW. The /type is File or Key, and the access mask uses the file codes FR, FW, FA, FX (or the key codes KR, KW, KA, KX); placing one requires the Manage auditing and security log right, SeSecurityPrivilege [27].

In the GUI. Every securable object exposes the same list under Properties, Security, Advanced, Auditing. Active Directory objects are audited the same way -- you "set a SACL on an Active Directory object by using the Security tab in that object's Properties dialog box" [15].

On disk, it is just SDDL. Whichever tool you use, the SACL is serialized as the S: section of the object's Security Descriptor Definition Language string, where audit entries carry the ACE type AU [6]. Reading the SDDL back is the fastest way to confirm an audit ACE is actually present.

And then the second switch, which no amount of ACE placement can substitute for: a file SACL emits nothing unless Object Access, Audit File System is enabled, and a registry SACL needs Audit Registry [16]. Place the ACE and name the subcategory -- both, or silence.

SACL placement in one breath: per object, Get-Acl -Audit then a FileSystemAuditRule or RegistryAuditRule then Set-Acl [24, 25, 26]; host-global, auditpol /resourceSACL /set /type:File or /type:Key [27]; by hand, the Auditing tab; on disk, the SDDL S: section with AU ACEs [6].

One more piece of literacy: mixed-era estates and old detection rules still speak in the pre-Vista 5xx numbering. The Vista rebuild renumbered events by a rough +4096 heuristic, but the heuristic has documented exceptions, and one of them is the most important event in this article.

Legacy ID (pre-Vista)Current IDEventHow it maps
528 / 5404624Successful logon528 plus 4096, with network-logon 540 folded in [7, 22]
6284724Account password resetThe +4096 heuristic [7]
6104706New domain trustThe +4096 heuristic [7]
6124719System audit policy changedException to +4096 [7]
5171102The audit log was clearedException to +4096 [7]
The +4096 rule is only a heuristic. The log-cleared event became 1102, not 517 plus 4096. Microsoft publishes the authoritative legacy-to-current mapping as "Appendix L: Events to Monitor," which lists 4624 against its legacy 528 and 540 in the Low-criticality section [7]; the community encyclopedia corroborates the same mapping [22]. PowerShell script-block logging (Event 4104) and module logging (4103) land in different channels depending on the host: Windows PowerShell 5.1 versus PowerShell 7 log to distinct operational channels, so keep them straight when hunting [5].

Notice what every row assumes. These events exist only if policy wrote them, and they help an investigator only if they survived long enough to be read. An event correctly written to Security.evtx on a host the attacker owns is one wevtutil cl security away from gone. Which raises the question the industry keeps mis-answering: how does the log actually reach the SIEM, and can it get there before someone deletes it?

6. Do Not Protect the Log. Move It.

Here is the move that beats every on-host anti-forensic technique at once, and it sounds backwards: do not try to protect the log on the box. Get it off the box. The moment a copy of an event lives on a separate machine, clearing the local Security.evtx is no longer a way to destroy evidence -- it is only a way to announce that you tried.

Windows has shipped the machinery for this since Vista and Server 2008, agentlessly and for free.

Windows Event Forwarding (WEF)

The native mechanism by which a Windows host forwards selected events to a collector over WinRM, with no third-party agent installed. Hosts are pointed at a collector and push their chosen events, or a collector pulls from a named list of sources [28].

Windows Event Collector (Wecsvc)

The service, driven by the wecutil utility, that defines subscriptions and receives forwarded events. It "enables you to create and manage subscriptions to events that are forwarded from remote computers," which "must support the WS-Management protocol" [29].

Transport is WinRM (HTTP 5985 or HTTPS 5986), authenticated with Kerberos [30]. There are two subscription models, and the difference decides how the design scales.

Ctrl + scroll to zoom
The two WEF subscription models over WinRM and Kerberos: source-initiated push, where hosts find the collector via Group Policy, and collector-initiated pull, where the collector holds an explicit source list.

In source-initiated mode, the collector defines a subscription without naming any sources; hosts are told where to report by the SubscriptionManager Group Policy setting and push to it [28]. The collector holds no per-source list, so configuration scales to the whole fleet from one place. In collector-initiated mode, the collector holds an explicit list and pulls from each host, which must grant read access, typically via the Event Log Readers group.

Forwarded records land in the collector's ForwardedEvents channel, and delivery is tunable through wecutil: the Normal, Minimize-Latency, and Minimize-Bandwidth profiles set the delivery mode, batch size, heartbeat interval, and maximum latency behind the switches /dm, /dmi, /hi, and /dmlt [29].

Standing up source-initiated WEF is mostly plumbing: run winrm qc on the collector, push the SubscriptionManager GPO, and grant the Network Service account read access to the Security log so it can forward it. Deployments usually fail in that plumbing, not in the concept [28, 31]. WEF scales by how you store what the collector receives: Microsoft's guidance routes 0 to 5,000 events per second to a SQL or SEM (Security Event Manager, the era's term for what is now a SIEM) backend, 5,000 to 50,000 to a SEM, and 50,000 or more to Hadoop, HDInsight, or a data lake, with MapReduce ingress measured in hundreds of terabytes per day [32]. Note the trade buried in the delivery profiles: Minimize-Bandwidth deliberately defers forwarding to batch it, which widens the window between a local write and its off-box copy [29].

WEF is a deliberately passive system. Microsoft is explicit: it "can't change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events" [32]. It forwards only what audit policy already wrote, and only while the Event Log service is still recording. That constraint matters later: WEF cannot resurrect an event a never-enabled subcategory failed to produce.

In 2015, Jessica Payne of Microsoft reframed this obscure plumbing as a first-class security control for anyone, SIEM or not. Her argument is compact: WEF is free and built-in, configured through Group Policy, uses Windows Remote Management with Kerberos to resist man-in-the-middle interference, and -- the load-bearing point -- it gets the evidence off the host before anyone can tamper with it [31].

"'Push' log mode -- less attack surface than adding a monitoring agent or account to a widely privileged group." -- Jessica Payne, on why WEF is a security control, not just plumbing [31]

There is a second, quieter gift in the design. The collector keeps a per-source bookmark and last-heartbeat time; an idle source still sends periodic heartbeats to signal it is alive [32]. That heartbeat is what converts a silenced host from an absence of events -- which looks exactly like a quiet night -- into a detectable silence: the collector notices the beat stopped.

Off-box durability changes the adversary's problem from "delete the evidence" to "delete the evidence everywhere, before it ships, without going quiet." But most organizations never read ForwardedEvents directly. They pay a SIEM to read it for them. So what, precisely, does that SIEM ingest?

7. What the SIEM Actually Ingests

"What your SIEM actually sees" is not a promise. It is a configuration file, and there is one on every hop.

For Microsoft Sentinel, the modern path is the Azure Monitor Agent governed by Data Collection Rules. You deploy the agent to each host -- Azure-native, or Arc-connected for on-premises and hybrid -- and attach one or more rules that decide which Security events are collected and where they land, namely the SecurityEvent and WindowsEvent tables [34, 35]. SecurityEvent is the curated Windows-security table most detections query; WindowsEvent is the more generic landing table. A DCR can route to either, so knowing which one your rules read is part of knowing what the SIEM sees.

Data Collection Rule (DCR)

The cloud-authored rule that tells the Azure Monitor Agent what to collect, how to process it, and where to send it. Critically, a DCR can "apply a transformation to filter or modify incoming data before it's sent to a destination" [36] -- so the DCR is the ETL filter that decides which events survive ingestion.

That filtering power is also a hazard: a DCR tuned too tightly is a silent-drop point above a host that logged and even forwarded correctly. The predecessor agent is already gone -- the Log Analytics agent, also called MMA or OMS, was retired on 31 August 2024 [37, 38], with its cloud ingestion able to stop after 2 March 2026 [37]. AMA plus DCRs is the mandated replacement.

Splunk's path is parallel. The Universal Forwarder reads the Security channel through the [WinEventLog://Security] input in inputs.conf, filtering by EventCode whitelist or blacklist [39]. It can read a host directly, or it can be pointed at a WEF collector's ForwardedEvents channel -- which means WEF from the previous section composes beneath the forwarder rather than competing with it. One hardened collector, one forwarder reading it.

MethodTransport and authFilter locus (silent-drop risk)Cloud/hybrid fitOff-box value
WEF source-initiatedWinRM / KerberosSubscription XML queryOn-prem, per-estateHigh
WEF collector-initiatedWinRM / KerberosSubscription XML queryOn-prem, per-estateHigh
AMA + DCR to SentinelHTTPS to Azure (Arc for hybrid)DCR transformNative via ArcHigh, cloud copy
Splunk UF [WinEventLog://Security]Splunk to indexersEventCode whitelist/blacklistGoodHigh, indexer copy

Across all four methods, one constraint now dominates the design: money. Azure Monitor Logs bills for the volume you ingest per gigabyte, and Microsoft calls ingestion and retention "the most significant charges for most Azure Monitor implementations" [40]. Splunk's license economics push the same way. So teams filter hard at the DCR or the input stanza -- which quietly revives the coarse era's dilemma one layer up. Where the 1990s admin turned auditing down to save disk and performance, the 2020s engineer filters ingestion to save budget, and both can drop the one event that mattered.

The collection surface is itself a moving target: the Azure portal for Microsoft Sentinel is announced to consolidate into the unified Microsoft Defender portal by 2027 [34]. A working pipeline can break on a platform migration nobody scheduled around.

Stack the filters and the thesis becomes arithmetic. Audit policy decides what is written. The SACL decides whether object access is written. The WEF subscription decides what forwards. The DCR or EventCode list decides what ingests. Each layer is a valve, and every valve can silently shut on the event you needed. Not one of them lives in the SIEM.

There is one more source of confusion to clear before we turn to the attacker, because a lot of teams believe they have already solved this problem with a different tool. "We run Sysmon," they say, "so we do not need the Security log." Both halves of that sentence misread the stack.

8. One Producer Among Several

Take the claim apart. "We run Sysmon, so we do not need the Security log" assumes Sysmon is a replacement for native auditing. It is not. And the flip side -- "the Security log is separate from Sysmon and EDR, a different kind of thing" -- is also wrong, because at the plumbing level they are the same kind of thing. Both halves of the myth dissolve once you separate four axes: who produces the telemetry, which channel it lands in, what configuration surface controls it, and what detection intent it serves.

Event Tracing for Windows (ETW)

The high-speed, general-purpose tracing facility built into Windows since Windows 2000. The Windows Event Log, including the Security channel, is delivered over ETW's unified provider model [41]. So "the Security log" is not a peer of ETW -- it is one consumer riding on it.

AxisNative Security audit (this article)SysmonMDE / EDR
ProducerMicrosoft-Windows-Security-Auditing via LSASS and the SRMA separately installed driver and serviceKernel callbacks plus EtwTi
ChannelSecurity.evtx, the 46xx event IDsMicrosoft-Windows-Sysmon/OperationalCloud Device* tables
Config surfaceGPO, auditpol, CSV, and SACLsAn XML configuration fileCloud policy
Detection intentPolicy and accountability loggingHigh-fidelity endpoint telemetryBehavioral cloud detection
RelationshipThe layer the others quietly assumeParallel, not a successorA different substrate entirely

Read down the columns and the myth collapses in both directions. Sysmon is a different producer writing to a different channel with a different configuration surface -- so it cannot be a drop-in replacement for the accountability record that regulators, incident responders, and domain-controller forensics all expect in Security.evtx. But it is also not architecturally separate: Sysmon, EDR, and native audit all ride the ETW-based Windows plumbing [41]. The honest framing the whole article rests on is that native audit is a different producer, channel, configuration surface, and detection intent on the same substrate -- not a separate universe.

So the native Security log is one deliberately configured producer among several. That word -- configured -- is the whole vulnerability. Sysmon can be uninstalled and EDR can be tampered with, but native auditing is uniquely exposed because it is assembled from a dozen independent switches that ship, by default, mostly off. Anything you configure, an adversary can misconfigure for you, or silence outright. So flip sides: what does an attacker who now owns the box turn off, and in what order?

9. What Attackers Silence, and in What Order

You own the box. The SIEM is watching. You want the log to go dark without tripping an alert. The techniques form a ladder, and each rung exists to erase the tell the rung below it leaves. All three sit under MITRE ATT&CK's parent technique T1685, "Disable or Modify Tools," in the tactic TA0112, "Defense Impairment" -- the tactic for actions that "degrade, disable, or undermine the effectiveness and trustworthiness of security controls and monitoring mechanisms" [42, 43].

A1, clear the whole log. With administrator rights, wevtutil cl security, Remove-EventLog -LogName Security, or direct deletion of the .evtx files under C:\Windows\System32\winevt\logs wipes the local trail in one stroke. This is T1685.005, "Clear Windows Event Logs" -- the technique formerly tracked as T1070.001, whose page now meta-refreshes to the current ID [2, 44]. It is also the loudest option. Clearing the Security log itself emits Event ID 1102, "the audit log was cleared" [7], a single high-signal event every SIEM alerts on. And if WEF already forwarded those records, the off-box copy survives untouched. Destructive, noisy, and often too late.

A2, disable or suppress before the write. Quieter attackers turn the tap off upstream: auditpol /clear /y to wipe policy; Set-Service -Name EventLog -Status Stopped (or Stop-Service) to stop the running service immediately, while sc config eventlog start=disabled only sets its startup type to Disabled, which keeps it from restarting at the next boot but leaves the running service alive until a manual stop; or -- notably possible without administrator privileges -- setting the Autologger key HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security Start value to 0 so the Security trace session never starts at the next boot.

This is T1685.001, "Disable or Modify Windows Event Log" (formerly T1562.002) [3]. No 1102, because nothing is cleared. But it still leaves tells: a stopped or disabled service is directly observable, an auditpol change can emit Event ID 4719, and a reboot-persistent Autologger edit is catchable by configuration baselining.

A3, terminate the log threads and leave the service "Running." The current apex of stealth exploits an implementation detail: the Event Log service runs as threads inside a shared svchost.exe. Windows co-hosts many services inside shared svchost.exe processes to save resources, which is exactly why terminating one service's threads can leave the enclosing process, and its reported service state, looking perfectly healthy. A tool like Phant0m locates that service and terminates only its worker threads, leaving the service object intact [4].

"While the Event Log service appears to be running in the system... it does not actually run... and the system does not collect logs." -- the Phant0m project, describing thread-termination suppression [4]

The result defeats the naive health check outright: no 1102, no stopped-service state, no 4719. services.msc shows EventLog "Running." Here is that false comfort in code.

JavaScript The health check Phant0m defeats
// A naive monitor trusts the service state alone.
const eventLog = { serviceState: "Running", threadsAlive: false };

function naiveHealthy(s) {
return s.serviceState === "Running";                    // what most checks test
}
function trulyHealthy(s) {
return s.serviceState === "Running" && s.threadsAlive;  // what is actually required
}

console.log("Naive check says healthy:", naiveHealthy(eventLog)); // true  -> false comfort
console.log("Actually recording      :", trulyHealthy(eventLog)); // false -> silenced

Press Run to execute.

Ctrl + scroll to zoom
Where each rung of the adversary ladder hits the pipeline. Clearing erases the local copy after the write; disabling and thread-termination block the write. Only the off-box collector, and its heartbeat, survives all three.
TechniqueIDPre or post writePrimary tell it leavesBeaten by
Clear the logT1685.005Post-writeEvent ID 1102; the off-box copy survivesOff-box WEF
Disable or suppressT1685.001Pre-writeService state, possible 4719, config driftConfig baselining plus WEF heartbeat
Phant0m thread-terminationT1685.001Pre-writeOnly the silence itselfThe collector noticing the silence

This ladder, and the broader family of event-pipeline tampering, was systematized in Palantir's 2018 study, which MITRE cites on the parent technique [45, 42]. And it is precisely here that many teams reach for the wrong shield.

Protected Event Logging

A Windows 10 feature that lets participating applications encrypt sensitive data written to the event log, using the IETF Cryptographic Message Syntax and public-key cryptography, so that a captured script block does not hand an attacker plaintext credentials [5]. It is a confidentiality control for log contents.

Every rung erases the previous rung's tell -- except one signal it cannot reach. The off-box collector still notices that the host went quiet, because the heartbeat stopped. Which forces the honest question that governs the rest of this article: even configured perfectly and forwarded instantly, what can this subsystem never see?

10. Auditing Is Observation, Not Enforcement

Suppose you win. Every useful subcategory is enabled, the crown-jewel objects carry precise SACLs, the force setting is confirmed, and a hardened collector drains every host in near real time. There is still a floor beneath which this subsystem cannot see, and it is worth stating precisely, because it is the formal version of the thesis.

The SIEM's ground truth is not "what happened on the host." It is an intersection of three independently fallible sets.

SIEM ground truth  =  written(A)survived(C)shipped(B)\text{SIEM ground truth} \;=\; \mathrm{written}(A) \,\cap\, \mathrm{survived}(C) \,\cap\, \mathrm{shipped}(B)

Only what audit policy wrote (layer A), only what survived the attacker (layer C), and only what forwarding shipped (layer B). If policy never wrote an event -- no enabled subcategory, or a SACL with no gating subcategory -- then no collector can recover it. Microsoft says as much of WEF: it is passive and "only queries event channels for existing events" [32]. The ceiling on detection is set at layer A, beneath the SIEM's line of sight.

The SIEM does not see reality. It sees an intersection: what was written, what survived, and what shipped. Every term in that intersection is a configuration decision made below the dashboard -- so the detection ceiling is set by the audit policy and forwarding config, not by the analytics on top of them.

Three hard limits live inside that intersection.

Some actions are SACL-silent by construction. You cannot place an audit ACE on an access that never happens. Directory-replication attacks such as DCSync and DCShadow abuse the replication protocol rather than opening an audited object: DCSync reads secrets over it [46], while DCShadow injects attacker-controlled changes through it from a rogue domain controller [47]. Because neither touches an audited file, key, or object, no SACL placement closes the gap -- a different sensor, such as domain-controller directory-service auditing, is required to see them at all.

DCSync and DCShadow are the canonical SACL-silent operations: DCSync reads secrets and DCShadow injects changes, but both abuse replication rather than opening a file or key, so object auditing sees nothing. They are covered in the companion article on directory replication attacks; here they stand for a whole class of behavior that native object auditing structurally cannot observe.

There is a provable window between write and forward. WEF is asynchronous and batched. The wecutil delivery profiles tune that window -- Minimize-Latency shrinks it, Minimize-Bandwidth deliberately widens it, and /dmlt sets it explicitly [29] -- but they never drive it to zero. So a window in which an event is written locally but not yet shipped provably exists. Near-real-time streaming narrows it; nothing native eliminates it.

The local log has no native tamper-evidence. A .evtx file carries no cryptographic chaining and no signature, and a SYSTEM- or kernel-privileged adversary owns the host. Local integrity therefore cannot be guaranteed against such an adversary; forwarding does not make the local copy tamper-proof, it merely relocates the authoritative one. That is the honest statement of what off-box collection buys and what it does not.

The gap is not a mystery of computer science. Tamper-evident logging is a solved problem. In 1999, Bruce Schneier and John Kelsey published a construction for forward-secure, hash-chained audit logs, in which each entry authenticates its predecessor and the signing key evolves through a one-way function -- so that an attacker who compromises the host at time T cannot undetectably alter any entry written before T, even knowing the current key [48]. The mathematics has existed for a quarter century. Native Windows implements none of it on the live Security.evtx. Protected Event Logging supplies confidentiality, not this integrity [5].

There is thus a real, measurable distance between what is provably achievable -- forward-secure, tamper-evident logging -- and what Windows natively provides, which is none of it. That distance is exactly where the field's open problems live.

11. Where the Foundation Is Still Soft

These open problems are not academic curiosities. Each one is a concrete reason your next breach might be invisible on a fully deployed SIEM.

Native tamper-evidence at the source. The live Security.evtx still has no forward-secure integrity, so a host-privileged adversary can clear, suppress, or terminate its threads and the local record cannot prove it was altered. The cryptographic construction that would fix this has existed since 1999 [48], and as Section 10 established, Protected Event Logging deliberately does not attempt it. The best available answer remains operational: forward off-box to an append-only, immutable collector. Strong, but not source-cryptographic.

Closing the async gap. To defeat a perfect act-then-silence race, an audit record would have to be durably off-box before the audited operation's effect is durable. Minimize-Latency delivery and a small /dmlt shrink the window toward the transport round-trip [29], and near-real-time streaming narrows it further, but synchronous pre-effect commit at fleet scale trades directly against host performance and remains impractical. The window shrinks; it does not close.

Detecting suppression reliably. Because a thread-termination tool defeats the "is the service running?" check, the only durable signal is the absence of expected events -- the WEC per-source heartbeat and bookmark make that silence visible [32]. Turning "unexpected silence" into a timely, low-false-positive alert, across hosts with wildly different normal activity, is an unsolved engineering problem, not a solved product feature.

Log everything, or log what matters, under real budgets. The ingestion-cost dilemma from Section 7 is itself an open problem: because every SIEM bills by volume, cost, not disk, now drives filtering. The current best answer is a prioritized baseline rather than a maximal one.

Platform churn as a hazard in its own right. The collection surface keeps moving underneath working pipelines. The Log Analytics agent was retired on 31 August 2024, with ingestion able to stop after 2 March 2026 [37], and the Sentinel Azure portal is consolidating into the unified Defender portal [34]. Each migration is an opportunity for a correctly designed pipeline to silently stop delivering.

Each of these marks a place where the foundation is still soft -- where the honest answer is "we manage the risk operationally," not "we have solved it." Which brings us back to the only question that matters once the theory is on the table: on Monday morning, with the tools that actually ship, what do you do?

12. The Checklist That Turns the Board Red Before the Breach

Everything so far was diagnosis. Here is the treatment -- the sequence that would have caught our opening post-mortem while there was still a log to catch it in. Work top to bottom; each step assumes the one above it.

  1. Confirm the force setting, and verify effective policy. Assume SCENoApplyLegacyAuditPolicy is on. Then run auditpol /get /category:* on the host and read what is actually in effect -- not the GPO you believe you set [19, 1].
  2. Deploy a subcategory baseline, not a basic one. Start from Microsoft's System Audit Policy recommendations and the 2024 multinational logging guidance, then tune to your threat model [50, 49].
  3. Turn on Process Creation with the command line, and PowerShell script-block logging. A 4688 without arguments is nearly blind; script-block logging (Event 4104) captures what ran [20, 5].
  4. Place targeted SACLs on crown-jewel objects -- and remember the second switch. Use Get-Acl -Audit with a FileSystemAuditRule or RegistryAuditRule and Set-Acl, or auditpol /resourceSACL, or the Auditing tab -- then confirm the gating Object Access subcategory is enabled, because the ACE does nothing without it [24, 25, 27, 6].
  5. Forward off-box. Stand up a source-initiated WEF collector and forward ForwardedEvents to the SIEM, so clearing a local log is too late [28, 31].
  6. Alert on the tells, and on silence. Fire on Event ID 1102 (log cleared) and 4719 (audit policy changed), and monitor WEC heartbeats for hosts that go quiet -- the one signal that beats a thread-termination tool [32].
  7. Harden the collector. Make it append-only or immutable; an unprotected collector is a single point of failure that erases your off-box guarantee.
  8. Do not lean on Protected Event Logging for tamper resistance. It is confidentiality only [5].

Step 2 hides a decision most teams make by accident: which baseline. The frameworks genuinely disagree, and the disagreement lands squarely on Object Access. Microsoft's own Security Compliance baseline leaves Object Access with no recommendation at all -- it is "intended only to be a starting baseline guide," and each organization must decide for itself [50].

The DoD STIG for Windows Server 2022 (V2R8) goes the other way: it mandates Object Access subcategories at Success and Failure where Microsoft is silent, and it requires the force setting itself, rule WN22-SO-000050 [51]. CIS agrees with the stricter posture -- its Windows Server 2022 Benchmark v2.0.0 sets Audit Removable Storage to "Success and Failure" [52]. That single Object Access decision is the difference between a quiet log and a much larger, costlier one.

A defensible starting set for step 2 looks like this -- adjust volumes to your estate, and note the column where the frameworks part ways.

SubcategoryA defensible settingBaseline stance (SCM / CIS / STIG)What it catches
Process Creation (with command line)SuccessBroadly recommendedExecution and encoded commands (4688)
LogonSuccess and FailureBroadly agreedLateral movement and spraying (4624, 4625)
Special LogonSuccessBroadly agreedPrivileged sessions (4672)
User Account ManagementSuccess and FailureBroadly agreedRogue account creation (4720)
Audit Policy ChangeSuccess and FailureBroadly agreedPolicy tampering (4719)
Removable Storage (Object Access)Success and FailureSCM: none; CIS and STIG: Success and FailureDevice-based exfiltration and use
Other Object Access EventsSuccessSCM: none; STIG: Success and FailureScheduled-task persistence (4698)
Verify your effective audit policy right now

Open an elevated prompt and run auditpol /get /category:*. Every subcategory reports one of "No Auditing," "Success," "Failure," or "Success and Failure." If a category you configured through basic Group Policy shows "No Auditing," you have just watched the force setting override your legacy toggle in real time [19, 1]. Fix it at the subcategory level, re-run, and confirm the change before you trust it.

Return to the green dashboard. The subcategory that was never enabled, the SACL that was never set, the log that was cleared, and the Event Log threads that were quietly killed -- every one of those failures lived beneath the SIEM's line of sight, in the audit policy and forwarding config the dashboard silently assumed. That is the thesis, now with evidence: your SIEM is only as good as the audit policy and forwarding beneath it, and the attacker went straight for the foundation.

Every step above is work you do below the dashboard. That is not a coincidence. It is the entire lesson: the board turns red before the breach only if the plumbing beneath it was built to make it.

13. Misconceptions, Cleared Up

Frequently asked questions

If I turn on Object Access auditing, does it audit everything?

No. The Object Access subcategory is only the gate. To record access to a specific file, key, or directory you also need a SACL -- an audit ACE -- on that object. Place it with Get-Acl -Audit and Set-Acl, or with auditpol /resourceSACL, then enable the gating subcategory. Both switches must be set, or you get silence [6, 27].

Can I just configure both basic and advanced audit policy?

Not safely. On a modern host the default-on force setting makes the advanced subcategory surface win, so basic toggles are ignored, and Microsoft warns that mixing the two "can cause unexpected results." Pick advanced policy and force it [1, 17].

Does Protected Event Logging protect my logs from tampering?

No. It is a confidentiality control: it encrypts sensitive log contents with CMS and public-key cryptography so a captured script block does not leak credentials. It does not stop clearing, disabling, or thread-termination [5].

Isn't the log-clearing technique T1070.001?

That ID is deprecated. It now redirects to T1685.005, "Clear Windows Event Logs," under parent technique T1685 and the tactic TA0112, "Defense Impairment." Cite the current IDs; treat T1070.001 only as a legacy alias [2, 44].

Is the Security log separate from ETW?

No. The Windows Event Log, Security channel included, is delivered over Event Tracing for Windows. Native audit is not architecturally separate from ETW; it is a different producer, channel, and detection intent riding the same plumbing [41].

Does Sysmon replace the Security log?

No. Sysmon is a different producer writing a different channel with a different configuration surface and intent. It is a parallel telemetry source, not a successor to native accountability logging -- and it cannot supply the Security.evtx records forensics and compliance expect [41].

If an attacker clears the local log, is the evidence gone?

Not if Windows Event Forwarding already shipped it. Clearing emits Event ID 1102 and the off-box collector still holds the forwarded records, which is exactly why getting logs off the box is treated as a security control [31, 2].

The dashboard at the top of your SOC is the most visible thing you own and the least load-bearing. Everything it can ever show was decided by cheaper machinery underneath it: which subcategory was enabled, whether an object carried a SACL, whether the record left the box before someone deleted it. Attackers learned this before most defenders did, which is why they aim at the audit policy and the forwarding config, not the console.

The practical consequence is almost unfair in its simplicity: spend your next hardening hour beneath the dashboard, on the layer nobody demos, because that is the layer that decides whether the demo is telling the truth.

Study guide

Key terms

SACL
The audit half of a security descriptor: a list of audit ACEs that make the system generate records in the Security log.
Advanced Audit Policy subcategory
One of the fine-grained audit switches that superseded the coarse basic categories, tunable to Success, Failure, both, or neither.
Force setting (SCENoApplyLegacyAuditPolicy)
The default-on flag that makes subcategory policy override the legacy basic categories, so basic toggles silently no-op.
Windows Event Forwarding (WEF)
Native, agentless forwarding of selected events to an off-box collector over WinRM and Kerberos.
Data Collection Rule (DCR)
The cloud-authored ETL filter that decides which events the Azure Monitor Agent ingests into Microsoft Sentinel.
Event ID 1102
The record that the Security audit log was cleared; MITRE ATT&CK technique T1685.005.
Phant0m
A tool that terminates the Event Log service threads so the service shows Running while recording nothing; MITRE ATT&CK T1685.001.

Comprehension questions

  1. Why can a basic Object Access toggle audit nothing on a modern host?

    The default-on force setting makes the subcategory surface authoritative, so the legacy category toggle is ignored.

  2. What two switches must both be set for an object-access event to fire?

    The gating Object Access subcategory and a matching SACL audit ACE on the object.

  3. Why is off-box forwarding the one control that survives clearing, disabling, and thread-termination?

    It relocates the authoritative copy and converts a silenced host into a detectable missing heartbeat at the collector.

References

  1. Microsoft Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override - SCENoApplyLegacyAuditPolicy force setting, over 40 subcategories, effective default Enabled
  2. MITRE Clear Windows Event Logs (T1685.005). https://attack.mitre.org/techniques/T1685/005/ - Formerly T1070.001, which now redirects here; Event 1102
  3. MITRE Disable or Modify Windows Event Log (T1685.001). https://attack.mitre.org/techniques/T1685/001/ - Formerly T1562.002; auditpol, service stop, Autologger Start key
  4. hlldz Phant0m: Windows Event Log Killer. https://github.com/hlldz/Phant0m - Thread-termination suppression; service shows Running while recording nothing
  5. Microsoft about_Logging_Windows. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows - Protected Event Logging (CMS confidentiality); script-block logging 4104
  6. Microsoft Access Control Lists. https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists - SACL and audit-ACE object-audit model; SDDL S: section, AU ACE type
  7. Microsoft Appendix L: Events to Monitor. https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor - Legacy-to-current mapping including 1102 from 517; Event 4719
  8. US Department of Defense (1985). Trusted Computer System Evaluation Criteria (DoD 5200.28-STD, the Orange Book). https://irp.fas.org/nsa/rainbow/std001.htm - TCSEC C2 Accountability requirement: selective, attributable, protected auditing
  9. Helen Custer (1993). Inside Windows NT. https://openlibrary.org/works/OL3477485W - Microsoft Press primary on the NT 3.1 architecture shipped in 1993: the Security Reference Monitor and the C2 security subsystem
  10. (1998). NT critic gets audience with DOD chieftains. https://www.route-fifty.com/digital-government/1998/10/nt-critic-gets-audience-with-dod-chieftains/290631/ - NT 3.5 C2 rating (July 1995) covered a non-networked configuration
  11. Sean Boran IT Security Cookbook: OS Overview. http://boran.com/security/it15-os-overview.html - NT/C2 paper-rating vs operational-detection critique
  12. Microsoft Audit Policy. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-policy - The legacy basic audit categories under Local Policies Audit Policy
  13. Microsoft Security Audit Policy Reference. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772623(v=ws.10) - Nine-to-53 count; subcategories Vista/2008 auditpol-only; GPO node Win7/Server 2008 R2; unexpected results; force overrides Local Policies
  14. Microsoft Audit account logon events. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-account-logon-events - Account Logon = Kerberos authentication validation, a Windows 2000 capability
  15. Microsoft Audit directory service access. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-directory-service-access - Directory Service Access = AD objects with their own SACL; SACL via the Security tab; Windows 2000 capability
  16. Microsoft Advanced security audit policy settings. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-audit-policy-settings - Advanced Audit Policy subcategory rationale; Object Access Audit File System / Audit Registry
  17. Microsoft Advanced security auditing FAQ. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-auditing-faq - One basic setting equals four advanced settings; mixing yields unexpected results in audit reporting
  18. Microsoft Eventlog Key. https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key - Security log MaxSize (default 1MB) and Retention (0 = records are always overwritten): the fixed-size overwrite mechanism
  19. Microsoft auditpol. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol - auditpol set/get/clear, effective-policy verification
  20. Microsoft 4688(S) A new process has been created. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4688 - Event 4688, Audit Process Creation subcategory, Security-Auditing provider GUID, command-line field
  21. Microsoft 4624(S) An account was successfully logged on. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624 - Logon Type table: type 3 Network, type 10 RemoteInteractive
  22. Randy Franklin Smith Windows Security Log Encyclopedia. https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx - Community event-ID reference; corroborates the 528/540-to-4624 mapping
  23. Microsoft (2015). Microsoft Security Advisory 3004375: Update for Windows Command Line Auditing (KB3004375). https://learn.microsoft.com/en-us/security-updates/securityadvisories/2015/3004375 - Command-line auditing backport for Event 4688
  24. Microsoft Get-Acl. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl - Get-Acl -Audit reads the SACL; SDDL output for on-disk form
  25. Microsoft FileSystemAuditRule Class. https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemauditrule - Per-file or folder audit ACE placement
  26. Microsoft RegistryAuditRule Class. https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.registryauditrule - Per-key audit ACE placement
  27. Microsoft auditpol resourceSACL. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol-resourcesacl - Global resource SACLs; File or Key type; FRFW access; SeSecurityPrivilege requirement
  28. Microsoft Setting up a Source-Initiated Subscription. https://learn.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription - WEF source- vs collector-initiated, WinRM transport, SubscriptionManager GPO
  29. Microsoft wecutil. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wecutil - Windows Event Collector utility, delivery modes /dm /dmi /dmlt /hi
  30. Microsoft Installation and configuration for Windows Remote Management. https://learn.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management - WinRM default listener ports: HTTP 5985, HTTPS 5986; the transport WEF rides
  31. Jessica Payne (2015). Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.). https://learn.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem - WEF as a security control: get logs off-box before they can be cleared
  32. Microsoft Use Windows Event Forwarding to help with intrusion detection. https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection - WEF passive-collection limit, events-per-second scaling table, heartbeat/bookmark
  33. Jessica Payne WEFFLES. https://github.com/jepayneMSFT/WEFFLES - Threat-hunting console built on Windows Event Forwarding
  34. Microsoft Find your Microsoft Sentinel data connector. https://learn.microsoft.com/en-us/azure/sentinel/data-connectors-reference - Windows Security Events via AMA into SecurityEvent/WindowsEvent tables
  35. Microsoft Azure Monitor Agent overview. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview - AMA collects according to Data Collection Rules
  36. Microsoft Data collection rules (DCRs) in Azure Monitor. https://learn.microsoft.com/en-us/azure/azure-monitor/data-collection/data-collection-rule-overview - DCR as centralized ETL filter/transform
  37. Microsoft Azure Monitor Agent migration. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-migration - MMA/OMS retired 2024-08-31; AMA + DCR successor; Sentinel portal consolidation
  38. Microsoft (2024). Retiring the Log Analytics agent in Azure Monitor on 31 August 2024. https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/ - MMA retirement date 31 August 2024
  39. Splunk Monitor Windows event log data. https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata - Universal Forwarder [WinEventLog://Security] input; EventCode whitelist/blacklist
  40. Microsoft Azure Monitor Logs cost calculations and options. https://learn.microsoft.com/en-us/azure/azure-monitor/logs/cost-logs - Per-GB ingestion economics
  41. Insung Park & Ricky Buch (2007). Event Tracing: Improve Debugging And Performance Tuning With ETW. https://learn.microsoft.com/en-us/archive/msdn-magazine/2007/april/event-tracing-improve-debugging-and-performance-tuning-with-etw - ETW first introduced on Windows 2000; Vista unified provider model
  42. MITRE Disable or Modify Tools (T1685). https://attack.mitre.org/techniques/T1685/ - Parent technique; cites Palantir event-tracing tampering study
  43. MITRE Defense Impairment (TA0112). https://attack.mitre.org/tactics/TA0112/ - Tactic covering degrade/disable/undermine of security controls
  44. MITRE Indicator Removal on Host: Clear Windows Event Logs (T1070.001, deprecated). https://attack.mitre.org/techniques/T1070/001/ - Deprecated ID; page meta-refreshes to T1685.005
  45. Palantir (2018). Tampering with Windows Event Tracing: Background, Offense, and Defense. https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 - Canonical systematization of event-pipeline tampering; cited on MITRE T1685
  46. MITRE OS Credential Dumping: DCSync (T1003.006). https://attack.mitre.org/techniques/T1003/006/ - DCSync abuses the directory replication protocol to extract secrets rather than opening an audited object
  47. MITRE Rogue Domain Controller (T1207). https://attack.mitre.org/techniques/T1207/ - DCShadow registers a rogue domain controller to inject and replicate attacker-controlled changes through the replication protocol; may bypass SIEM logging
  48. Bruce Schneier & John Kelsey (1999). Secure Audit Logs to Support Computer Forensics. https://www.schneier.com/wp-content/uploads/2016/02/paper-secure-logs.pdf - Forward-secure, hash-chained tamper-evident logs
  49. ASD ACSC, CISA, FBI, & NSA (2024). Best Practices for Event Logging and Threat Detection. https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection - Multinational prioritized event-logging baseline
  50. Microsoft Audit Policy Recommendations. https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations - Microsoft SCM audit-baseline starting point; Object Access has no baseline recommendation
  51. DISA (2026). Microsoft Windows Server 2022 Security Technical Implementation Guide (V2R8). https://cyber.trackr.live/api/stig/Windows_Server_2022/2/8/V-254316 - STIG mandates Object Access at Success and Failure; force setting WN22-SO-000050
  52. Center for Internet Security CIS Microsoft Windows Server 2022 Benchmark v2.0.0. https://www.tenable.com/audits/items/CIS_Microsoft_Windows_Server_2022_Stand-alone_v2.0.0_L1_MS.audit:0a3d866e301926df6393fdc4e6920312 - CIS Audit Removable Storage = Success and Failure, section 17.6