Windows logging without sysmon

Hello,
I’m working at a medium-large company with limited IT funding and want to expand our logging to feed our SIEM solution extra data. I’ve been going through Microsoft’s article here and would love some input on it.

I’m currently trying to figure out how to do object access auditing for security event 4698 and process tracking for 4688-4689. Any extra info would be appreciated.
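As an added example (my own, not code from the original post or from the Microsoft article it references), the following PowerShell turns on the audit subcategories behind those three event IDs with auditpol.exe and then pulls recent matching events from the Security log. 4688/4689 live under Detailed Tracking (Process Creation / Process Termination); 4698 (a scheduled task was created) is written under Object Access > Other Object Access Events. It assumes an elevated prompt, English-locale subcategory names, and a host that is not already receiving an Advanced Audit Policy from a domain GPO.

```powershell
# Added example, not from the original thread: enable the audit subcategories that
# produce Security events 4688/4689 (process creation/termination) and 4698
# (scheduled task created), then list recent matching events.
# Assumes an elevated PowerShell session and English subcategory names.
#Requires -RunAsAdministrator

# Subcategory names exactly as auditpol.exe expects them.
$subcategories = @(
    'Process Creation',          # 4688
    'Process Termination',       # 4689 (very noisy; many SIEM feeds drop or sample it)
    'Other Object Access Events' # 4698 (also 4699-4702 task delete/enable/disable/update)
)

foreach ($sub in $subcategories) {
    # Success auditing is what generates these events; failure is left untouched.
    auditpol.exe /set /subcategory:"$sub" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
}

# Without this policy 4688 records the process name only; with it the full
# command line is included (Windows 8.1 / Server 2012 R2 and later).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Show the effective setting for each subcategory so the change can be confirmed.
foreach ($sub in $subcategories) {
    auditpol.exe /get /subcategory:"$sub"
}

# Pull the most recent matching events. The interesting fields are in EventData,
# so parse the event XML rather than relying on the rendered Message text.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688, 4689, 4698 } `
                       -MaxEvents 25 -ErrorAction SilentlyContinue

foreach ($evt in $events) {
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Field names differ per event ID: 4688 NewProcessName/CommandLine,
    # 4689 ProcessName, 4698 TaskName.
    $detail = switch ($evt.Id) {
        4688 { "$($data['NewProcessName']) $($data['CommandLine'])" }
        4689 { $data['ProcessName'] }
        4698 { $data['TaskName'] }
    }

    [pscustomobject]@{
        Time    = $evt.TimeCreated
        Id      = $evt.Id
        Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Detail  = $detail
    }
}
```

If the domain already pushes Advanced Audit Policy Configuration through Group Policy, local auditpol changes are overwritten at the next policy refresh, so put the same three subcategories (and the command-line policy) into that GPO instead of running this per host. Expect the Security log to grow quickly once Process Creation is on; raise its maximum size or forward events promptly so nothing is lost before the SIEM collector reads it.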

This doesn’t specifically answer your question, but…

We keep the SIEM fed with specifically security appliance/application data; basically anything that comes out of the endpoint threat detection agents, firewalls, proxies, and the IDS/IPS devices. For everything else I’d suggest looking into Change Auditor. That’ll cover off everything from general server logs, authentication events, log on/off times for endpoints (with the agent deployed), AD changes, Exchange events, etc.
