Audit Policy Inspectors

Hello

I was wondering if one could leverage the audit policy inspectors to track user logon/logoff activity. I found this on the GitHub site.

Does anyone have an example of their use? Are they expensive from a client resource perspective?

These inspectors focus on retrieving the audit policy, not the audited events.

They can’t retrieve “the last time user X logged on”, rather they retrieve “whether logon events will appear in the Event Log”.

To retrieve the audited events themselves, one would have to use the Event Log inspectors - which are indeed very slow and error-prone as the expected events may roll off the event log and be overwritten/truncated, and event log searches are inherently slow.

A better approach is to use BigFix to ensure the correct audit policies are in place, and to use a SIEM tool such as Splunk to aggregate, search, and report on the log entries themselves.

If you MUST use BigFix… you might like these Analyses (use at your own risk):

Local Accounts - Last Logon:
(name of it & " ! " & (last logon of it as string | "No Login") & " ! " & (account disabled flag of it as string)) of users

Last Logged on - Windows:
(sid (it) as string | it) of (string values whose (set of ("S-1-5-20";"S-1-5-19";"S-1-5-18") does not contain it) of properties "sid" of items 0 of (it whose (preceding text of first "." of string value of property "LastUseTime" of item 0 of it as integer = item 1 of it) of (select objects "* from Win32_UserProfile" of wmi, it) of (maximum of (preceding text of first "." of string value of property "LastUseTime" of it as integer) of select objects "* from Win32_UserProfile" of wmi)))

Last Logon Time - Windows:
(sid (string value of property "sid" of it) as string | string value of property "sid" of it, time value of property "LastUseTime" of it) of (select objects "* from Win32_UserProfile" of wmi) whose (set of ("S-1-5-20";"S-1-5-19";"S-1-5-18") does not contain string value of property "sid" of it)
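The profile selection that the two Win32_UserProfile analyses above perform, reworked in Python as an added example (not code from the thread or from BigFix): it parses the CIM_DATETIME string WMI returns for LastUseTime, drops the three service SIDs, and picks the most recently used profile. The UserProfile class and SAMPLE_PROFILES values are constructed stand-ins for WMI output, and unlike the plain numeric comparison in the Relevance it honours the UTC offset field.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Well-known SIDs the analyses above exclude: LocalSystem, LocalService, NetworkService.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

@dataclass
class UserProfile:
    sid: str
    last_use_time: Optional[str]  # raw CIM_DATETIME from Win32_UserProfile, or None

def parse_cim_datetime(value: str) -> datetime:
    """Parse a CIM_DATETIME ('yyyymmddHHMMSS.ffffff+UUU') into an aware datetime.
    The trailing signed field is the UTC offset in minutes, which the plain
    numeric comparison in the Relevance above ignores. Wildcard fields are rejected."""
    if len(value) != 25 or value[14] != "." or value[21] not in "+-":
        raise ValueError(f"malformed CIM_DATETIME: {value!r}")
    stamp = datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(microsecond=int(value[15:21]))
    offset = timedelta(minutes=int(value[22:]))
    return stamp.replace(tzinfo=timezone(-offset if value[21] == "-" else offset))

def utc_iso(value: str) -> str:
    """CIM_DATETIME -> ISO 8601 in UTC, for comparing profiles across time zones."""
    return parse_cim_datetime(value).astimezone(timezone.utc).isoformat()

def last_logged_on(profiles: Iterable[UserProfile]) -> Optional[UserProfile]:
    """Same selection as 'Last Logged on - Windows': skip service SIDs and profiles
    that were never loaded (no LastUseTime), return the most recently used one."""
    best: Optional[UserProfile] = None
    best_time: Optional[datetime] = None
    for profile in profiles:
        if profile.sid in SERVICE_SIDS or not profile.last_use_time:
            continue
        used = parse_cim_datetime(profile.last_use_time)
        if best_time is None or used > best_time:
            best, best_time = profile, used
    return best

# Constructed sample, not real WMI output: SYSTEM is newest but excluded, and the
# second user's local timestamp looks older than the first's but is later in UTC.
SAMPLE_PROFILES = [
    UserProfile("S-1-5-18", "20240305120000.000000+000"),
    UserProfile("S-1-5-21-1111-2222-3333-1001", "20240305083000.000000+060"),
    UserProfile("S-1-5-21-1111-2222-3333-1002", "20240305070000.000000-060"),
    UserProfile("S-1-5-21-1111-2222-3333-1003", None),
]
```

LastUseTime records when a profile was last loaded, so this is a proxy for logon rather than the logon event itself, which is the Event Log point made above.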

Thank you very much. I did push back using the Splunk idea waiting to hear back.