Audit Your Microsoft Active Directory Services Like a Pro with Microsoft Sentinel

This blog post explains how to enable and configure advanced auditing for Active Directory Certificate Services (ADCS), and how to collect and send the resulting logs to Microsoft Sentinel. By default, logging for ADCS is not enabled, which means you may miss important insights about your environment.

Please remember that you need to carry out the same activities on all your ADCS servers.


What do you need?

In order to complete the steps described in this post, you will need:

  • An Azure Log Analytics workspace
  • Microsoft Sentinel enabled on that workspace
  • The ADCS servers connected as Azure Arc-enabled servers
  • The Azure Monitor Agent (AMA) installed on those Azure Arc-enabled servers


You may be wondering why Azure Arc is needed for ADCS auditing. This post assumes that you are not already forwarding every security event through Defender for Cloud or the Microsoft Sentinel Security Events connector. Both of those offer four collection tiers:

  • None
  • Minimal
  • Common
  • All Events


The Common tier only includes around 150 event IDs from the Security log and none of the ADCS-specific ones. You could switch the Security Events connector or Defender for Cloud to All Events, but on a busy domain that is rarely desirable. With Azure Arc and the Azure Monitor Agent you define your own Data Collection Rules (DCRs) and collect only the event IDs you actually need.

ADCS auditing

The first step is ensuring auditing is enabled on your ADCS servers.

Using the Auditpol utility

Run auditpol and check that the "Certification Services" and "Registry" subcategories (both under Object Access) are set to Success and Failure:

    auditpol /get /category:*


You can configure the advanced audit settings locally with auditpol /set. Keep in mind that if a GPO also defines Advanced Audit Policy for the server, the GPO values win at the next policy refresh, so use the local command for testing and Group Policy for the permanent setting.

Auditpol command to enable auditing

    auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
    auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Using Group Policy

  1. Open Group Policy Management
  2. Create or edit a Group Policy Object (GPO)
  3. Edit the GPO
    • Right-click the GPO you have created or chosen and select "Edit"
  4. Navigate to Advanced Audit Policy Configuration
    • In the Group Policy Management Editor, open Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies
  5. Configure "Certification Services" auditing
    • Navigate to Object Access
    • Find and double-click "Certification Services"
    • Check "Configure the following audit events" and then check both "Success" and "Failure"
    • Click OK
  6. Configure "Registry" auditing
    • Still under Object Access, find and double-click "Registry"
    • Check "Configure the following audit events" and then check both "Success" and "Failure"
    • Click OK
  7. Close the Group Policy Management Editor
  8. Link the GPO to the OU that contains the PKI servers

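To check the result on each CA without reading the full auditpol output by eye, here is an added PowerShell example (not from the original post) that reads the two subcategories in CSV form and enables whichever one is not already set to Success and Failure. It assumes an elevated session on the CA server; the subcategory names are the ones used above.

```powershell
# Added example (not from the original post). Checks the two advanced audit
# subcategories ADCS auditing depends on and enables them if needed.
# Assumes an elevated PowerShell session on the CA server.
$Required = @('Certification Services', 'Registry')

function Get-AuditSubcategorySetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # "/r" prints CSV with the columns Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting. Blank lines are dropped
    # before parsing so they cannot be mistaken for the header row.
    $row = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -match ',' } |
        ConvertFrom-Csv |
        Select-Object -First 1
    if (-not $row) { throw "auditpol returned nothing for '$Subcategory'" }
    # One of: "Success and Failure", "Success", "Failure", "No Auditing"
    return $row.'Inclusion Setting'
}

foreach ($sub in $Required) {
    $setting = Get-AuditSubcategorySetting -Subcategory $sub
    if ($setting -eq 'Success and Failure') {
        Write-Host "[OK]  $sub : $setting"
        continue
    }
    Write-Warning "$sub is '$setting'; enabling Success and Failure"
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$sub' (exit code $LASTEXITCODE)" }
    Write-Host "[NOW] $sub : $(Get-AuditSubcategorySetting -Subcategory $sub)"
}
```

If the server receives Advanced Audit Policy from a GPO, the "[NOW]" value will revert at the next policy refresh, which is a quick way to spot that the GPO, not the local setting, is missing the subcategory.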

ADCS Auditing Settings

The next step is to choose which CA operations are audited, in the Certification Authority snap-in (certsrv.msc). On each ADCS server:

  • Open Server Manager
  • Select Tools -> Certification Authority
  • Right-click your CA name and choose Properties
  • Select the Auditing tab
  • Enable the auditing settings you need (for a complete trail, enable all seven)
    • Back up and restore the CA database
    • Change CA configuration
    • Change CA security settings
    • Issue and manage certificate requests
    • Revoke certificates and publish CRLs
    • Store and retrieve archived keys
    • Start and stop Active Directory Certificate Services

These checkboxes are stored in the CA\AuditFilter registry value of the CA; the change takes effect after the Certificate Services service is restarted.

Certificate Template Changes

The next step is to audit certificate template loads, so that the CA writes a Security event (ID 4898) each time it loads a template. This is enabled with certutil:

    certutil -setreg policy\EditFlags +EDITF_AUDITCERTTEMPLATELOAD

Like every -setreg change, this only takes effect after the Certificate Services service is restarted.
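The Auditing tab and the certutil command above can be applied together from PowerShell, which is convenient when you have several CAs. The following is an added example, not from the original post: it sets the CA\AuditFilter value that backs the seven checkboxes (bit values as documented for certutil -setreg CA\AuditFilter: 1 start/stop, 2 backup/restore, 4 issue/manage, 8 CA configuration, 16 CA security, 32 archived keys, 64 revoke/CRL), adds the template-load flag, restarts the service and reports the result. It assumes an elevated session on the CA server and reads the CA name from the Configuration key's Active value.

```powershell
# Added example (not from the original post). Sets the CA audit filter to all
# seven categories, enables template-load auditing, restarts the CA service and
# verifies. Assumes an elevated PowerShell session on the CA server.

# CA\AuditFilter is a bitmask, one bit per checkbox on the CA's Auditing tab
# (values as documented for certutil -setreg CA\AuditFilter).
$AuditBits = [ordered]@{
    'Start and stop Active Directory Certificate Services' = 0x01
    'Back up and restore the CA database'                  = 0x02
    'Issue and manage certificate requests'                = 0x04
    'Change CA configuration'                              = 0x08
    'Change CA security settings'                          = 0x10
    'Store and retrieve archived keys'                     = 0x20
    'Revoke certificates and publish CRLs'                 = 0x40
}
$AllAudit = 0
foreach ($bit in $AuditBits.Values) { $AllAudit = $AllAudit -bor $bit }   # 0x7F = 127

# Per-CA settings live under Configuration\<CAName>; the "Active" value holds that name.
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CAName    = (Get-ItemProperty -Path $ConfigKey -Name Active).Active

function Get-CAAuditFilter {
    $value = Get-ItemProperty -Path (Join-Path $ConfigKey $CAName) -Name AuditFilter -ErrorAction SilentlyContinue
    if ($value) { return [int]$value.AuditFilter } else { return 0 }
}

function Test-TemplateLoadAuditEnabled {
    # certutil expands EditFlags into its symbolic EDITF_* names, so the flag
    # can be checked by name rather than by bit value.
    $lines = certutil -getreg policy\EditFlags
    return [bool]($lines -match 'EDITF_AUDITCERTTEMPLATELOAD')
}

certutil -setreg CA\AuditFilter $AllAudit | Out-Null
certutil -setreg policy\EditFlags +EDITF_AUDITCERTTEMPLATELOAD | Out-Null

# Both values are read at service start; a service restart is enough, no reboot needed.
Restart-Service -Name CertSvc

$filter = Get-CAAuditFilter
foreach ($entry in $AuditBits.GetEnumerator()) {
    $state = if ($filter -band $entry.Value) { 'ON ' } else { 'OFF' }
    Write-Host "[$state] $($entry.Key)"
}
$state = if (Test-TemplateLoadAuditEnabled) { 'ON ' } else { 'OFF' }
Write-Host "[$state] Certificate template load auditing (EDITF_AUDITCERTTEMPLATELOAD)"
```

Restarting CertSvc briefly stops enrollment and CRL publishing, so schedule it like any other CA maintenance; the verification loop after the restart is what you would paste into a change ticket.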


Extra Registry Auditing

Because some CA settings can be changed directly in the registry, bypassing the CA's own auditing, we also add an audit entry (SACL) to the CA configuration key:

  • Open Regedit on your ADCS server
  • Browse to the following key
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
  • Right-click Configuration and choose Permissions
  • Click Advanced
  • Choose the Auditing tab and click Add
  • Set the principal to Authenticated Users, set Type to All (Success and Failure) and tick the following permissions
    • Set Value
    • Create Subkey
    • Delete
    • Write DAC
    • Write Owner
    • Read Control
Restart the server, or at least the Active Directory Certificate Services service (certsvc), and verify the changes. After the restart, the ADCS event IDs (4868 through 4900) should start appearing in the Security log.
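The same audit entry can be added with PowerShell, which avoids clicking through regedit on every CA. This is an added example, not from the original post; it assumes an elevated session and uses the .NET RegistryAuditRule type. Write DAC, Write Owner and Read Control are the regedit labels for the ChangePermissions, TakeOwnership and ReadPermissions rights.

```powershell
# Added example (not from the original post). Adds the Authenticated Users
# audit entry from the procedure above to the CertSvc Configuration key.
# Assumes an elevated PowerShell session on the CA server.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$Principal = [System.Security.Principal.NTAccount]'NT AUTHORITY\Authenticated Users'

# The six rights from the procedure, as RegistryRights names
# (Write DAC = ChangePermissions, Write Owner = TakeOwnership, Read Control = ReadPermissions).
$Rights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
          [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
          [System.Security.AccessControl.RegistryRights]::Delete -bor
          [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
          [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
          [System.Security.AccessControl.RegistryRights]::ReadPermissions

# Audit both successful and failed use of those rights, on this key and its subkeys
# (the per-CA settings live in a subkey named after the CA).
$Rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $Principal,
    $Rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    ([System.Security.AccessControl.AuditFlags]::Success -bor [System.Security.AccessControl.AuditFlags]::Failure)
)

# Reading the SACL needs -Audit (SeSecurityPrivilege, held by elevated admins);
# Set-Acl writes the modified descriptor back.
$acl = Get-Acl -Path $KeyPath -Audit
$acl.AddAuditRule($Rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Verify what is now on the key for that principal.
(Get-Acl -Path $KeyPath -Audit).Audit |
    Where-Object { $_.IdentityReference.Value -eq $Principal.Value } |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags -AutoSize
```

The entries written here are the ones that generate event 4657 (registry value modified) and 4663 (object access) for the CA configuration once the Registry subcategory from the auditpol step is enabled; without that subcategory the SACL is silently ignored.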

Now that we have the ADCS auditing up and running, we can continue with the Azure Arc and Microsoft Sentinel.

Azure Arc configuration

For Azure Arc configuration, follow this guide – Connect hybrid machine with Azure Arc enabled servers – Azure Arc | Microsoft Docs

Microsoft Sentinel

Now that Azure Arc is up and running, we can create the Data Collection Rule. Microsoft Sentinel has a connector called Windows Security Events via AMA, which lets you define custom collection for Azure Arc-enabled servers. In the Data Collection Rule, choose Custom and specify the XPath queries you want, for example the two events below (4882, the CA's security permissions changed, and 4899, a certificate template was updated):

    Security!*[System[(EventID=4882 or EventID=4899)]]

You can test the XPath part (everything after "Security!") locally with the Get-WinEvent PowerShell cmdlet and its -FilterXPath parameter before deploying the rule.
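Before the Data Collection Rule goes live, it is worth running the same XPath against the CA's own Security log. The following added PowerShell example (not from the original post) tests the two-ID query above and a second, constructed query that covers the whole Certification Services event block, 4868 through 4900, and summarises the hits by event ID. It assumes you run it on the CA with rights to read the Security log; the event-ID range is my choice, not the post's.

```powershell
# Added example (not from the original post). Runs candidate DCR XPath queries
# against the local Security log and counts matches per event ID.
# Assumes an elevated session on the CA (reading the Security log needs it).
$Queries = [ordered]@{
    'post (4882, 4899)'   = '*[System[(EventID=4882 or EventID=4899)]]'
    'all ADCS (4868-4900)' = '*[System[(EventID>=4868 and EventID<=4900)]]'   # constructed, broader filter
}

function Test-XPathQuery {
    param(
        [Parameter(Mandatory)][string]$XPath,
        [int]$MaxEvents = 1000
    )
    # An empty result is reported by Get-WinEvent as an error ("No events were
    # found ...") but is not a syntax problem; a malformed XPath is, so it is rethrown.
    try {
        $events = @(Get-WinEvent -LogName Security -FilterXPath $XPath -MaxEvents $MaxEvents -ErrorAction Stop)
    } catch {
        if ($_.Exception.Message -like '*No events were found*') { $events = @() }
        else { throw }
    }
    $events | Group-Object Id | Sort-Object { [int]$_.Name } |
        Select-Object @{ n = 'EventID'; e = { [int]$_.Name } }, Count
}

foreach ($q in $Queries.GetEnumerator()) {
    # The DCR form of the same query is the log name, "!", then this XPath.
    Write-Host "`n== $($q.Key): Security!$($q.Value)"
    $summary = Test-XPathQuery -XPath $q.Value
    if ($summary) { $summary | Format-Table -AutoSize } else { Write-Host '(no matching events yet)' }
}
```

A query that returns "(no matching events yet)" on a freshly configured CA is normal until something happens on it; restarting CertSvc (events 4880 and 4881) is a harmless way to produce a first hit and confirm the pipeline end to end.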
