Hi There,
Today I tested installing Auditbeat on Windows with the default configuration. It seems like it works, with a few questions and notes.
1. The delivered dashboards are not so usable. I found that user-related audits are completely missing: logon attempts etc. I tried to find it in the documentation but I failed. Information is missing.
2. File integrity is also a very useful module, but there are some things that I am missing. One thing is who the owner of the changed file is, and much more important information is who performed the update / delete. This information is missing. Please add it. It will make sense to use it.
3. Perfect information you can find with process monitoring.
4. An amazing feature would be to get a list of installed roles, subroles and features. For a system audit, very useful information.
It was my first touch with Auditbeat on Windows. I am already using Winlogbeat and Metricbeat.
Except for point 4, I am able to get all the information from winlog. Point 1 is by default in the Security log, point 2 after enabling auditing in NTFS, point 3 you can use Sysmon and then read the info in the log.
Point 4 not at all. So for points 1-3, why use Auditbeat? I can imagine only if you are not a Windows admin and you don't understand GPO, the event log, Sysmon, it can be much easier.
What am I missing?
Thanks
Jan
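The post's point 2 says that "who performed the update / delete" is available from NTFS auditing rather than from Auditbeat's file_integrity module. The script below is an added example (not from the original post, nor from the Auditbeat or Windows documentation) showing what that looks like in practice: it enables the File System object-access subcategory, puts an audit SACL on a folder, and then reads Security event 4663 back with the subject user, object path, access mask and process. The folder path `C:\Watched` is a placeholder; run it in an elevated PowerShell session.

```powershell
# Added example, not code from the original post.
# Assumptions: elevated session; $Folder is a placeholder directory you control.

$Folder = 'C:\Watched'   # placeholder path, adjust to the directory you want audited

# 1. Enable the "File System" object-access audit subcategory (success and failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Put an audit rule (SACL) on the folder so writes and deletes by anyone are
#    logged. Without a SACL the subcategory alone produces no 4663 events.
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Write, Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Read back event 4663 ("An attempt was made to access an object") and show
#    who (SubjectUserName), what (ObjectName), how (AccessMask) and from which
#    process. The owner of the object is looked up separately when it still exists,
#    because a deleted file has no ACL left to read.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $owner = if (Test-Path -LiteralPath $d.ObjectName) {
                 (Get-Acl -LiteralPath $d.ObjectName).Owner
             } else { '(object no longer exists)' }
    [pscustomobject]@{
      Time       = $_.TimeCreated
      User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
      Object     = $d.ObjectName
      Owner      = $owner
      AccessMask = $d.AccessMask
      Process    = $d.ProcessName
    }
  } |
  Where-Object { $_.Object -like "$Folder*" } |
  Format-Table -AutoSize
```

The same 4663 events can be shipped by Winlogbeat, which is why the post notes that point 2 is already covered there; Auditbeat's file_integrity module reports the hash and metadata change but, as the post says, not the acting user.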