G'day viewers, my name is Orin Thomas. I'm a principal hybrid cloud advocate at Microsoft. In this video, you'll learn about the Detailed Tracking category of advanced security auditing for Windows Server. This advice is based on the documentation published on learn.microsoft.com at the link in this video's description. This video is part of a series of videos on advanced auditing and related events that will be published in the coming weeks. Some of these topics are a bit dry, but we attempted to make them so you'd be able to review information about advanced auditing in a more digestible format.

As a Windows Server administrator, you should have a comprehensive understanding of advanced security auditing in Windows Server and Active Directory environments. Detailed Tracking security policy settings and audit events can be used for the following purposes: to monitor the activities of individual applications and users on a computer, and to understand how a computer is being used.

This category includes the following policy items:

Audit DPAPI Activity
Audit PNP Activity
Audit Process Creation
Audit Process Termination
Audit RPC Events
Audit Token Right Adjusted

The Audit DPAPI Activity policy determines whether the operating system generates audit events when encryption or decryption calls are made into the Data Protection Application Programming Interface (DPAPI). Events in this subcategory typically have an informational purpose, and it is difficult to detect malicious activity using them; the subcategory is mainly used for DPAPI troubleshooting. The "auditable protected data" events (4694 and 4695) are only generated for data that an application protected with the CRYPTPROTECT_AUDIT flag, so most DPAPI calls on a server never produce one. Events in the Security log related to this auditing item include:

4692: Backup of data protection master key was attempted.
4693: Recovery of data protection master key was attempted.
4694: Protection of auditable protected data was attempted.
4695: Unprotection of auditable protected data was attempted.
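As an added example (it is not from the video or from the learn.microsoft.com documentation), the following PowerShell turns on the six Detailed Tracking subcategories listed above with auditpol, confirms the effective setting, and then pulls any DPAPI events 4692 through 4695 from the local Security log. The subcategory names are the ones auditpol itself prints (check them with auditpol /list /subcategory:* on your build if a line fails), and the session must be elevated. On a domain-joined server, a Group Policy audit setting overrides whatever auditpol sets locally, which is why the script reads the policy back after writing it.

```powershell
# Added example, not code from the video or the Microsoft documentation.
# Run in an elevated PowerShell session on the server being audited.

# Subcategory names as shown by: auditpol /list /subcategory:*  (assumed; verify on your build)
$subcategories = @(
    'DPAPI Activity',
    'Plug and Play Events',
    'Process Creation',
    'Process Termination',
    'RPC Events',
    'Token Right Adjusted Events'
)

foreach ($sub in $subcategories) {
    # Success auditing is the usual starting point for this category; failure auditing
    # adds little here except for Process Termination (non-zero exit status).
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:disable | Out-Null
}

# Read back what is actually in effect. If a GPO manages audit policy, the values it
# delivers win over the local auditpol call above on the next policy refresh.
auditpol.exe /get /category:"Detailed Tracking"

# DPAPI events. 4692/4693 (master key backup and recovery) are normally quiet on a server,
# so any occurrence is worth a second look; 4694/4695 need CRYPTPROTECT_AUDIT-flagged data.
$dpapi = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4692, 4693, 4694, 4695 } `
                      -MaxEvents 200 -ErrorAction SilentlyContinue

$dpapi | ForEach-Object {
    # Flatten the EventData block so fields can be read by name.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        # First line of the rendered message gives the event title without the field dump.
        Summary = ($_.Message -split "`r?`n")[0]
    }
} | Format-Table -AutoSize
```

If the query returns nothing after the subcategory has been enabled, that is the expected state on a server that is not doing master key backups or recoveries; it does not mean auditing is broken.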
The Audit PNP Activity policy determines whether the operating system generates audit events when Plug and Play detects an external device. A PNP audit event can be used to track changes in system hardware and is logged on the machine where the change took place. For example, when a keyboard is plugged into a computer, a PNP event is triggered. This subcategory helps identify when, and which, Plug and Play device was attached, enabled, disabled or restricted by device installation policy. You can track, for example, whether a USB flash drive was attached to a domain controller, which is typically not allowed. If you were good with your scheduled tasks, you could even enable a computer's microphone when this event is written to the log to hear whether or not they whisper in their best hacker voice. Not that you'd have a microphone attached to your domain controller, but I'm trying to liven this content up. Events in the Security log related to this auditing item include:

6416: A new external device was recognized by the system.
6419: A request was made to disable a device.
6420: A device was disabled.
6421: A request was made to enable a device.
6422: A device was enabled.
6423: The installation of this device is forbidden by system policy.
6424: The installation of this device was allowed, after having previously been forbidden by policy.

The Audit Process Creation policy determines whether the operating system generates audit events when a process is created or starts. These audit events can help you track user activity and understand how a computer is being used. Information includes the name of the program and the user that created the process. This policy is typically enabled on sensitive systems so you can collect success auditing information for this subcategory for forensic investigations, to find out when, and with which options or parameters, a specific process was executed. Note that event 4688 only records the full command line when the separate "Include command line in process creation events" policy (Administrative Templates, System, Audit Process Creation) is also enabled; because command lines can contain secrets such as passwords passed as arguments, restrict who can read the Security log on machines where you turn that on.
Additionally, you can analyze process creation events for the use of elevated credentials, for potentially malicious process names, and for other indicators. The event volume is typically medium to high, depending on the process activity on the computer. In the distant past you might enable this type of policy to determine how often your colleague was playing Solitaire or Minesweeper whilst they were supposed to be triaging the job queue. Events in the Security log related to this auditing item include:

4688: A new process has been created.
4696: A primary token was assigned to process.

The Audit Process Termination policy determines whether the operating system generates audit events when a process has exited. Success audits record successful attempts and failure audits record unsuccessful attempts. This policy setting can help you track user activity and understand how the computer is used. This subcategory is typically not as important as the Audit Process Creation subcategory. Using this subcategory you can, for example, get information about how long a process ran, by pairing its 4689 event with the 4688 event that started it. If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of those critical processes. For example, if a process seems to be dying and you are trying to figure out why, you can use this audit policy to get better data on the process runtime. I once used this policy to track a process that seemed to be randomly failing, only to work out that the process would consistently end between 90 and 95 hours after it was started. This consistent failure helped me to figure out that the process was crashing for a very specific reason and to implement a process restart prior to the process failing for other reasons. Only one event ID is related to this audit policy:

4689: A process has exited.

The Audit RPC Events policy determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made.
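Before moving on to RPC, here is one worked example that covers the three subcategories just discussed: PNP activity, process creation and process termination. It is added here and is not code from the video or from the Microsoft documentation. It reads the local Security log, so it assumes those three subcategories are already enabled and, for the command-line column, that "Include command line in process creation events" is on. The field names (DeviceDescription, NewProcessName, TokenElevationType, CommandLine, ParentProcessName, ProcessId, Status) are the EventData names used by events 6416, 4688 and 4689; the list of "interesting" process names is a constructed starting point, not a detection rule from the documentation.

```powershell
# Added example, not code from the video or the Microsoft documentation.
# Assumes PNP Activity, Process Creation and Process Termination auditing are enabled
# on this machine, and that command-line logging is on for 4688 (otherwise CommandLine is blank).

function ConvertFrom-SecurityEvent {
    # Flatten a Security event's EventData block into an object with one property per field.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml    = [xml]$Event.ToXml()
    $fields = [ordered]@{ Id = $Event.Id; Time = $Event.TimeCreated; RecordId = $Event.RecordId }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return [pscustomobject]$fields
}

function Get-Events([int[]]$Id, [int]$Max) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id } -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SecurityEvent $_ }
}

# 1) PNP: which external devices turned up, e.g. a USB stick attached to a domain controller.
Get-Events -Id 6416 -Max 50 |
    Select-Object Time, DeviceDescription, ClassName, VendorIds, DeviceId |
    Format-Table -AutoSize

# 2) Process creation: flag UAC-elevated tokens and names that deserve a look.
#    TokenElevationType %%1936 = full token with no UAC split (services, built-in Administrator),
#    %%1937 = elevated through a UAC prompt, %%1938 = limited standard-user token.
#    Constructed watch list for illustration; tune it to your environment.
$watchList = '(?i)\\(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe$'

$created = Get-Events -Id 4688 -Max 2000

$created |
    Where-Object { $_.TokenElevationType -eq '%%1937' -or $_.NewProcessName -match $watchList } |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.Time
            User     = "$($_.SubjectDomainName)\$($_.SubjectUserName)"
            Elevated = ($_.TokenElevationType -eq '%%1937')
            Process  = $_.NewProcessName
            Parent   = $_.ParentProcessName   # populated on Windows 10 / Server 2016 and later
            Command  = $_.CommandLine         # empty unless command-line logging is enabled
        }
    } | Format-Table -AutoSize

# 3) Process termination: join 4688 to 4689 to get run time and exit status.
#    PIDs are reused, so pair each creation with the first exit of the same PID and image
#    path that occurs after it. Both IDs are hex strings such as 0x1f4c in the event data.
$exited = Get-Events -Id 4689 -Max 2000 | Sort-Object Time

$runtimes = foreach ($c in $created) {
    $e = $exited | Where-Object {
        $_.ProcessId -eq $c.NewProcessId -and $_.ProcessName -eq $c.NewProcessName -and $_.Time -ge $c.Time
    } | Select-Object -First 1
    if ($e) {
        [pscustomobject]@{
            Process    = $c.NewProcessName
            ProcessId  = [Convert]::ToInt32($c.NewProcessId, 16)
            Started    = $c.Time
            Exited     = $e.Time
            Runtime    = $e.Time - $c.Time
            ExitStatus = $e.Status            # 0x0 is a clean exit; anything else is worth correlating
        }
    }
}

# Longest-running processes first; a cluster of similar Runtime values with a non-zero
# ExitStatus is the pattern that points at a recurring crash rather than random failure.
$runtimes | Sort-Object Runtime -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

The join in step 3 is deliberately conservative: it requires the same PID and the same image path, and only looks forward in time from the creation event, so a recycled PID belonging to a different program is not mistaken for the exit of the one you started with. A 4688 with no matching 4689 simply means the process is still running, or that it outlived the window of events you pulled with -MaxEvents.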
RPC calls themselves are anything but rare, but this audit event is: the subcategory's event volume is very low and in practice the event is seldom if ever seen, so you'll know if you need to audit it or not. Only one event ID is related to this audit policy:

5712: A Remote Procedure Call (RPC) was attempted.

The Audit Token Right Adjusted policy allows you to audit events generated by adjusting the privileges of a token. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events, with the WMI activity listed as coming from svchost.exe. If one of your applications or services is generating a large number of 4703 events, you might find that your event management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with success auditing for this subcategory. Only one event ID is related to this audit policy:

4703: A user right was adjusted.

This video provided an introduction to the Windows Server advanced security auditing Detailed Tracking audit policies. The advice in this video is based on the documentation published on learn.microsoft.com at the link in this video's description. Increasing the security controls applied to Active Directory will improve your overall AD DS security posture but will not make your systems invulnerable. Security is always a matter of balancing what can be pragmatically accomplished by administrators in day-to-day operations with an assumed breach philosophy. I hope you found this video useful and informative. My name is Orin Thomas, you can find me at aka.ms/orin, and if you've got any questions or feedback, drop a comment below.