
Manage your Certificate Authority audit filter settings so that Identity Security Sensor can detect and log certificate request events (Windows security events 4886 and 4887) on the endpoint.

When you enable Active Directory monitoring for Identity Security Sensor on an endpoint, the TrendAI Vision One™ Endpoint Security agent automatically configures the Windows Audit Policy for the Certification Services subcategory. However, the Certificate Authority (CA) audit filter must be configured manually by the server administrator: the CA audit filter is 0 by default, so even with the audit policy subcategory enabled, Windows does not generate security events 4886 (Certificate Services received a certificate request) and 4887 (Certificate Services approved a certificate request and issued a certificate). If you do not see these events after enabling Identity Security Sensor and Active Directory monitoring on an endpoint, use these steps to configure the endpoint.

Procedure

  1. Verify the endpoint configuration.
    The endpoint must meet the following requirements:
    • OS is Windows Server
    • Endpoint is running Active Directory Certificate Services with an Enterprise Root Certificate Authority
    Note
    Identity Security Sensor does not require installing Active Directory Certificate Services on a domain controller. The CA role can run on a dedicated member server.
  2. Verify the CA status.
    1. On the CA server, run PowerShell as an Administrator.
    2. To verify that CA is functional, execute the command certutil -ping.
    3. If the command returns a non-zero exit code, verify that Certificate Services (certsvc) is running.
      Execute the command sc query certsvc.
    4. If the service is stopped, execute the command net start certsvc to start the service.
      If the service fails to start, or if certutil -ping continues to fail, the CA might need to be repaired. Contact your Active Directory or PKI administrator for assistance.
  3. Once you have verified that CA is running, check the current audit filter value.
    To check the value, execute the command certutil -getreg CA\AuditFilter. Make note of the current value.
  4. Set the audit filter registry value to enable certificate request auditing.
    • If the current value is 0 (default, no auditing), set the value to 4.
      certutil -setreg CA\AuditFilter 4
    • If the current value is non-zero, combine the current value with 4 using bitwise OR so that any audit categories already enabled are preserved.
      certutil -setreg CA\AuditFilter <new_value>
      For example, if the current value is 3, set the audit filter registry value to 7.
      certutil -setreg CA\AuditFilter 7
      If the current value already includes 4 (for example, 4, 5, 6, or 7), certificate request auditing is already enabled and no change is needed.
    For more information about CA audit filter values, refer to the Microsoft guide Securing PKI: Appendix B: Certification Authority Audit Filter.
  5. Restart Certificate Services.
    Important
    The audit filter does not apply changes until Certificate Services is restarted. Restarting certsvc temporarily interrupts certificate enrollment and issuance. TrendAI™ recommends scheduling this step during a maintenance window.
    1. To stop the service, execute the command net stop certsvc.
    2. To start the service, execute the command net start certsvc.
  6. To verify the new configuration, execute the command certutil -getreg CA\AuditFilter.
    If successful, the command returns the following:
    AuditFilter REG_DWORD = <new_value>
    CertUtil: -getreg command completed successfully.
    Where <new_value> is the non-zero value you specified when setting the audit filter registry value. For values of 10 or higher, certutil displays the value in hexadecimal followed by the decimal value in parentheses (for example, 7f (127)). If the value displays 0, the audit filter has not been configured.
  7. If you need to restore the audit filter to the original value, use the following commands to revert to the original registry value and restart the Certificate Services.
    certutil -setreg CA\AuditFilter <old_value>
    net stop certsvc
    net start certsvc
    Where <old_value> is the original value returned.
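The steps above as a single idempotent script, added here as an example (it is not part of the original page and not TrendAI's own tooling). It assumes an elevated PowerShell session on the CA server, reads the audit filter directly from the active CA's registry key rather than parsing certutil output, applies the bitwise OR from step 4, restarts certsvc, verifies the result, and prints the exact revert command for step 7. The function names are this example's own, and the final two commands are extra checks that the Windows audit policy subcategory is enabled and that 4886/4887 events are arriving.

```powershell
# Added example (not from the original page): enable CA certificate request auditing.
# Assumes an elevated PowerShell session on the CA server (Enterprise Root CA, certsvc installed).
#Requires -RunAsAdministrator

# Bit 4 of CA\AuditFilter = "Issue and manage certificate requests" (events 4886/4887).
$script:AuditIssueAndManage = 4

function Get-CAAuditFilter {
    # Read the active CA's AuditFilter from the registry. The "Active" value under
    # Configuration names the CA whose subkey holds the settings. This avoids parsing
    # certutil output, which prints values of 10 or more as hex with decimal in parentheses.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $props  = Get-ItemProperty -Path (Join-Path $cfg $caName)
    if ($null -eq $props.AuditFilter) { return 0 }   # value absent = default 0 (no auditing)
    return [int]$props.AuditFilter
}

function Test-CAHealthy {
    # Step 2: start certsvc if it is stopped, then confirm the CA answers certutil -ping.
    if ((Get-Service certsvc).Status -ne 'Running') {
        Start-Service certsvc
    }
    & certutil -ping | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Enable-CARequestAuditing {
    if (-not (Test-CAHealthy)) {
        throw 'certutil -ping failed; the CA may need repair. Contact your AD or PKI administrator.'
    }

    # Steps 3 and 4: OR bit 4 into the existing value so categories already enabled are kept.
    $old = Get-CAAuditFilter
    $new = $old -bor $script:AuditIssueAndManage
    if ($new -eq $old) {
        Write-Host "AuditFilter is already $old (bit 4 set); no change needed."
        return $old
    }

    & certutil -setreg CA\AuditFilter $new | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg CA\AuditFilter $new failed." }

    # Step 5: the new filter takes effect only after certsvc restarts. This briefly
    # interrupts enrollment and issuance, so run it in a maintenance window.
    Restart-Service certsvc

    # Step 6: verify against the registry, then print the revert command for step 7.
    $verify = Get-CAAuditFilter
    if ($verify -ne $new) { throw "Verification failed: AuditFilter is $verify, expected $new." }
    Write-Host "AuditFilter changed from $old to $new."
    Write-Host "To revert: certutil -setreg CA\AuditFilter $old; Restart-Service certsvc"
    return $new
}

Enable-CARequestAuditing

# The CA audit filter only produces events if the Windows audit policy subcategory is also
# enabled (the Endpoint Security agent is expected to set this); show it so both can be confirmed.
auditpol /get /subcategory:"Certification Services"

# Once the CA processes its first request after the restart, 4886/4887 should appear in the
# Security log. No output here simply means no request has been handled yet.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4886, 4887 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize
```

Running the script a second time is safe: it detects that bit 4 is already set and makes no change, so certsvc is not restarted again.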