Help me write Relevance to get an audit policy

Help me write a BigFix analysis to get the BigFix policy as in the picture below

Audit policy results are stored in the registry, right?

If you have Compliance, I believe there are some built-in analyses in the CIS Checklist for Windows 10 that may accomplish what you are after. Alternatively, you may be able to use the Audit Policy inspectors.

Reading some Google results, it may not be as straightforward to parse from the registry, e.g. HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv

Here is some of my code for finding an audit policy setting of “Account Management”, which I think is incorrect because my code reads an audit policy subcategory, “User Account Management”, not the main audit policy category of “Account Management”.

(concatenation " : " of ("Subcategory"; name of it ; guid of it; concatenation "_" of ("AUDIT"; (if audit success of it then "SUCCESS" else nothing); (if audit failure of it then "FAILURE" else nothing); (if not audit success of it and not audit failure of it then "NONE" else nothing)) of system policies of it)) of subcategories whose (name of it is "User Account Management") of account management categories of (if exists audit policy then audit policy else error "no audit policy")

Any help with the relevance for reading an audit policy of Account Management?

You can also try below:
(name of it, guid of it, (if (audit success of it and audit failure of it) then ("Success and Failure") else (if (audit failure of it) then ("Failure") else (if (audit success of it) then ("Success") else ("Nothing")))) of system policy of it) of subcategories of account management category of audit policy

OR

Q: (concatenation " : " of ("Subcategory"; name of it ; guid of it; concatenation "_" of ("AUDIT"; (if audit success of it then "SUCCESS" else nothing); (if audit failure of it then "FAILURE" else nothing); (if not audit success of it and not audit failure of it then "NONE" else nothing)) of system policies of it)) of subcategories of account management categories of (if exists audit policy then audit policy else error "no audit policy")
A: Subcategory : User Account Management : {0CCE9235-69AE-11D9-BED3-505054503030} : AUDIT_SUCCESS_FAILURE
A: Subcategory : Computer Account Management : {0CCE9236-69AE-11D9-BED3-505054503030} : AUDIT_SUCCESS_FAILURE
A: Subcategory : Security Group Management : {0CCE9237-69AE-11D9-BED3-505054503030} : AUDIT_SUCCESS_FAILURE
A: Subcategory : Distribution Group Management : {0CCE9238-69AE-11D9-BED3-505054503030} : AUDIT_NONE
A: Subcategory : Application Group Management : {0CCE9239-69AE-11D9-BED3-505054503030} : AUDIT_SUCCESS_FAILURE
A: Subcategory : Other Account Management Events : {0CCE923A-69AE-11D9-BED3-505054503030} : AUDIT_SUCCESS_FAILURE
T: 1.385 ms
I: plural string
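An added example (not from any poster in the thread): Python that parses the debugger answer lines shown above and derives a category-level view of "Account Management" from its subcategories. The roll-up rule (a single value only when every subcategory agrees, otherwise `MIXED`) and the Success-and-Failure baseline in `REQUIRED` are assumptions made for illustration.

```python
import re

# Answer lines copied from the Fixlet Debugger output in the thread.
QNA_OUTPUT = """\
A: Subcategory : User Account Management : {0CCE9235-69AE-11D9-BED3-505054503030} : AUDIT_SUCCESS_FAILURE
A: Subcategory : Computer Account Management : {0CCE9236-69AE-11D9-BED3-505054503030} : AUDIT_SUCCESS_FAILURE
A: Subcategory : Security Group Management : {0CCE9237-69AE-11D9-BED3-505054503030} : AUDIT_SUCCESS_FAILURE
A: Subcategory : Distribution Group Management : {0CCE9238-69AE-11D9-BED3-505054503030} : AUDIT_NONE
A: Subcategory : Application Group Management : {0CCE9239-69AE-11D9-BED3-505054503030} : AUDIT_SUCCESS_FAILURE
A: Subcategory : Other Account Management Events : {0CCE923A-69AE-11D9-BED3-505054503030} : AUDIT_SUCCESS_FAILURE
T: 1.385 ms
"""

# Assumed baseline for this example: every subcategory audits both outcomes.
REQUIRED = frozenset({"SUCCESS", "FAILURE"})

LINE_RE = re.compile(
    r"^A: Subcategory : (?P<name>.+?) : "
    r"(?P<guid>\{[0-9A-Fa-f-]{36}\}) : AUDIT_(?P<flags>[A-Z_]+)$"
)

def parse(text):
    """Map subcategory name -> frozenset of 'SUCCESS'/'FAILURE' flags."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips Q:, T:, I: and blank lines
        flags = frozenset(m["flags"].split("_")) - {"NONE"}
        if not flags <= REQUIRED:
            raise ValueError(f"unexpected audit flags in: {line!r}")
        result[m["name"]] = flags
    return result

def category_rollup(subcats):
    """One category-level value if all subcategories agree, else 'MIXED'."""
    settings = set(subcats.values())
    if len(settings) != 1:
        return "MIXED"
    return "_".join(sorted(settings.pop(), reverse=True)) or "NONE"

def missing_coverage(subcats, required=REQUIRED):
    """Subcategories lacking a required flag, with the flags they lack."""
    return {name: sorted(required - flags)
            for name, flags in subcats.items() if not required <= flags}

if __name__ == "__main__":
    subs = parse(QNA_OUTPUT)
    print(category_rollup(subs), missing_coverage(subs))
```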