https://www.verboon.info/tags/audit/Recent content in Audit on Anything About ITHugoen-usSun, 26 Sep 2021 20:15:06 +0000https://www.verboon.info/2021/09/detect-audit-policy-modifications-with-microsoft-365-defender/Sun, 26 Sep 2021 20:15:06 +0000https://www.verboon.info/2021/09/detect-audit-policy-modifications-with-microsoft-365-defender/<p>Hello there,</p> <p>In today&rsquo;s blog post I want to share with you an advanced hunting query to detect audit policy modifications using Microsoft Defender 365 advanced hunting. Following the MITRE ATT&amp;CK framework this would be <a href="https://attack.mitre.org/techniques/T1484/001/">T1484.001 Domain Policy Modification: Group Policy Modification</a>.</p> <p>Microsoft Defender for Endpoint can help us detect audit policy modifications by running the following query:</p> <p> <img src="092621_1955_DetectAudit1.png" alt=""> </p> <p>Detailed information about the audit policy changes is displayed in the AdditionalFields data. Now all we need to do is to translate these values into human readable data.</p>https://www.verboon.info/2020/04/how-to-create-your-defender-atp-admin-audit-log-dashboard/Sat, 11 Apr 2020 20:11:07 +0000https://www.verboon.info/2020/04/how-to-create-your-defender-atp-admin-audit-log-dashboard/<p>Hello everyone,</p> <p>In today&rsquo;s blogpost I will walk you through the process of creating an admin audit log dashboard for Defender Advanced Threat Protection. During my past customer engagements, I was often asked if there is a way to show device actions taken by Defender ATP admins. The answer is yes, this is possible. First the information is available through the Defender ATP API, second the information is also stored within the Windows event log of the device itself.</p>