
Quality Over Quantity: Comparison of Windows Security Audit Recommendations in Detecting Malware

Quality Over Quantity: Comparison of Windows Security Audit Recommendations in Detecting Malware (PDF, 0.78MB)
Published: 16 Dec, 2021
Created by:
Nicole JeNaye

More than seventy percent of businesses operate with at least one version of Microsoft Windows in their environment (Keizer, 2020). For security teams focused on detecting threats in these environments, the generation and collection of Windows security event logs is typically a significant component of the detection strategy. While the refrain "just log everything and sort it out later" is often heard, doing so is typically neither feasible nor prudent given resource limitations. Triaging which events to collect therefore becomes essential, leaving the security architect to determine what to collect and what to ignore. Microsoft provides Windows Security Audit Recommendations, which outline the Default, Baseline, and Stronger audit policy recommendations (Foulds, 2017), without specifying what these templates are best suited for or how they were developed. This research paper aims to provide security professionals with quantitative analysis to help determine which of the recommended audit policies detect malicious activity and what customizations may be helpful.