How can we improve Azure Log Analytics?

Fix Windows2016 baseline detection

I stumbled on some errors in the detection. For example:

OSName,RuleSetting,ExpectedResult,ActualResult
Windows Server 2016 Datacenter,"Privilege Rights : SeTrustedCredManAccessPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeTcbPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeCreateTokenPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeCreatePermanentPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeLockMemoryPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeRelabelPrivilege",0,"No One"

These user rights should, according to the baseline, have no user or group assigned, but the detection expects 0 instead of "No One".

Or do I need to make a support call for this?

6 votes

Bart Danse shared this idea

1 comment

  • Bart Danse commented

    Found some more.

    The Retention check searches for a string instead of an int (dword). NullSessionShares is not found at all.

    OSName,RuleSetting,ExpectedResult,ActualResult,BaselineRuleId
    Windows Server 2016 Datacenter,"LocalMachine\System\CurrentControlSet\Services\LanManServer\Parameters : NullSessionShares",0,"NOT_EXISTS","383ddfeb-b22d-4206-b8b3-67d4e0c6dfe7"
    Windows Server 2016 Datacenter,"LocalMachine\Software\Policies\Microsoft\Windows\EventLog\Security : Retention",0,"NOT_EXISTS","185f52cc-add3-4591-91a6-624efa791351"
    Windows Server 2016 Datacenter,"LocalMachine\Software\Policies\Microsoft\Windows\EventLog\Setup : Retention",0,"NOT_EXISTS","12990b19-424e-404b-b9b5-80f201ac9192"
    Windows Server 2016 Datacenter,"LocalMachine\Software\Policies\Microsoft\Windows\EventLog\System : Retention",0,"NOT_EXISTS","f5e7b762-f33c-43f9-8e66-a9f672806fb4"
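An added example (not code from the post or from the Azure baseline feature itself) that re-checks exported rows with the comparison the two posts argue for: a Privilege Rights rule whose expected value is 0 is satisfied when the right is assigned to "No One", and registry rules are compared as DWORD integers, with NOT_EXISTS flagged for manual verification rather than counted as a failure. The column names are taken from the exports above; classifying a rule by the "Privilege Rights" prefix in RuleSetting is an assumption.

```python
import csv
import io

# Constructed sample built from the rows quoted in the post and the comment.
SAMPLE_CSV = r"""OSName,RuleSetting,ExpectedResult,ActualResult
Windows Server 2016 Datacenter,"Privilege Rights : SeTcbPrivilege",0,"No One"
Windows Server 2016 Datacenter,"Privilege Rights : SeCreateTokenPrivilege",0,"No One"
Windows Server 2016 Datacenter,"LocalMachine\System\CurrentControlSet\Services\LanManServer\Parameters : NullSessionShares",0,"NOT_EXISTS"
Windows Server 2016 Datacenter,"LocalMachine\Software\Policies\Microsoft\Windows\EventLog\Security : Retention",0,"NOT_EXISTS"
"""


def naive_status(row):
    """Literal string comparison: this is what produces the false 'Fail' rows."""
    return "Pass" if row["ExpectedResult"].strip() == row["ActualResult"].strip() else "Fail"


def corrected_status(row):
    """Type-aware comparison for the two rule families seen in the export."""
    setting = row["RuleSetting"]
    expected = row["ExpectedResult"].strip()
    actual = row["ActualResult"].strip()
    if setting.startswith("Privilege Rights"):  # assumption: prefix marks a user-right rule
        # Expected 0 means nobody may hold the right; the export writes that as "No One".
        if expected == "0":
            return "Pass" if actual in ("No One", "", "0") else "Fail"
        return "Pass" if expected == actual else "Fail"
    # Registry rules: the baseline value is a DWORD, so compare numerically.
    if actual == "NOT_EXISTS":
        # Either the value is really absent or it was read back as the wrong type,
        # which the export cannot distinguish; send it for a manual check.
        return "Verify"
    try:
        return "Pass" if int(actual, 0) == int(expected, 0) else "Fail"
    except ValueError:
        return "Fail"


def triage(csv_text):
    """Return (setting name, naive verdict, corrected verdict) per row."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["RuleSetting"].split(" : ")[-1], naive_status(r), corrected_status(r)) for r in rows]


if __name__ == "__main__":
    for name, naive, fixed in triage(SAMPLE_CSV):
        print(f"{name:<24} naive={naive:<5} corrected={fixed}")
```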
