What basic auditing policy logs attempts to authenticate a user through a domain controller or a local Security Accounts Manager?

Solution

"Audit Logon Events" is meant for monitoring logon/logoff events and is disabled by default; these policies have to be enabled manually. The basic auditing policies available also vary from system to system. On Windows, auditing is organised into categories (for example Account Logon, Account Management, Detailed Tracking, DS Access, etc.), each of which is further divided into subcategories.

Events to Monitor

A perfect event ID to generate a security alert should have the following attributes:
- High likelihood that an occurrence indicates unauthorized activity
- Low number of false positives
- An occurrence should result in an investigative/forensics response

Two types of events should be monitored and alerted on:
- Those events in which even a single occurrence indicates unauthorized activity
- An accumulation of events above an expected and accepted baseline

An example of the first type: if Domain Admins (DAs) are forbidden from logging on to computers that are not domain controllers, a single occurrence of a DA member logging on to an end-user workstation should generate an alert and be investigated. This type of alert is easy to generate by using the Audit Special Logon event 4964 (Special groups have been assigned to a new logon). Other examples of single-instance alerts include:
- If Server A should never connect to Server B, alert when they connect to each other.
- Alert if a normal end-user account is unexpectedly added to a sensitive security group.
- If employees in factory location A never work at night, alert when a user logs on at midnight.
- Alert if an unauthorized service is installed on a domain controller.
- Investigate if a regular end user attempts to log on directly to a SQL Server for which they have no clear reason to do so.
- If you have no members in your DA group and someone adds themselves to it, check it immediately.

An example of the second type: an aberrant number of failed logons could indicate a password-guessing attack. For an enterprise to alert on an unusually high number of failed logons, it must first understand the normal level of failed logons within its environment prior to a malicious security event.
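The two alert types described above, worked through as detection logic over constructed sample events (an added example, not code from the original answer). The simplified event records, the host inventory, the per-account failed-logon history and the mean-plus-three-standard-deviations baseline are all assumptions made for the example; event 4964 is the special-logon event named above and 4625 is the Windows "An account failed to log on" event.

```python
"""Single-occurrence and accumulation alerts over constructed Security-log records."""
from collections import Counter
from statistics import mean, pstdev

# Constructed, simplified records (not real event XML):
# 4964 = special groups assigned to a new logon, 4625 = an account failed to log on.
EVENTS = [
    {"id": 4964, "computer": "DC01", "user": "CORP\\admin.alice", "groups": ["Domain Admins"]},
    {"id": 4964, "computer": "WS-042", "user": "CORP\\admin.alice", "groups": ["Domain Admins"]},
    {"id": 4964, "computer": "WS-017", "user": "CORP\\svc.backup", "groups": ["Backup Operators"]},
] + [{"id": 4625, "computer": "WS-042", "user": "CORP\\bob"} for _ in range(40)] \
  + [{"id": 4625, "computer": "WS-009", "user": "CORP\\carol"} for _ in range(3)]

DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # assumed host inventory

# Constructed history: failed logons per account on each of the last seven normal days.
HISTORY = {"CORP\\bob": [2, 4, 3, 5, 2, 3, 4], "CORP\\carol": [1, 2, 0, 3, 2, 1, 2]}


def special_logon_alerts(events, domain_controllers, watched_group="Domain Admins"):
    """Single-occurrence rule: one 4964 for a watched group on a non-DC host is an alert."""
    return [e for e in events
            if e["id"] == 4964 and watched_group in e["groups"]
            and e["computer"] not in domain_controllers]


def failed_logon_baseline(history, sigmas=3.0):
    """Per-account threshold learned from normal days: mean + sigmas * population std dev."""
    return {user: mean(days) + sigmas * pstdev(days) for user, days in history.items()}


def failed_logon_alerts(events, baseline, default_threshold=10):
    """Accumulation rule: alert when today's 4625 count for an account exceeds its baseline.
    Accounts with no history fall back to a fixed default threshold."""
    counts = Counter(e["user"] for e in events if e["id"] == 4625)
    return {user: n for user, n in counts.items()
            if n > baseline.get(user, default_threshold)}


if __name__ == "__main__":
    for e in special_logon_alerts(EVENTS, DOMAIN_CONTROLLERS):
        print(f"ALERT single occurrence: {e['user']} (Domain Admins) logged on to {e['computer']}")
    for user, n in failed_logon_alerts(EVENTS, failed_logon_baseline(HISTORY)).items():
        print(f"ALERT above baseline: {n} failed logons for {user} today")
```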