We can create expression-based audit policies, which let us attach a custom condition to an auditing entry so that it only applies when that condition is true. The conditions are quite powerful because they are built from claim types and resource properties, allowing us to control exactly which access attempts, by which users, against which data, get audited.
This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.
Create Expression-Based Audit Policies
We can create expression-based conditions as part of a System Access Control List (SACL). This can be done by manually modifying the security settings of a specific file or folder, or through group policy. For the manual method, right click a file or folder, select Properties, and go to the Security tab. From here select Advanced, and in the window that opens select the Auditing tab. Clicking Add opens the auditing entry editor described next.
Toward the bottom of the entry we can create our expression-based condition. In this instance we want to audit successful read events by the administrator on this folder, subfolders and files. The expression-based part then comes into play, where we add a condition to further limit the scope of the auditing entry: here we specify that the city a user is in must be equal to London. "City" is not a built-in attribute; it is a user claim type that was created (together with the matching resource properties) as part of a Dynamic Access Control (DAC) solution. Two caveats follow from that: the condition can only match if the accessing user's token actually carries the claim, which requires claims support to be enabled for the KDC and the Kerberos client through group policy, and the SACL on its own produces no events unless the Object Access > Audit File System subcategory is enabled on the computer.
A condition is built from a subject (user or device claim), an operator, and a value. We can also add multiple expressions and choose whether 'and' or 'or' logic joins them, so an entry can be scoped to, for example, users in London who are also members of a particular group.
Rather than applying these expression-based audit policies manually on a per file or folder basis as part of the SACL, we can use group policy to control these settings automatically on a system. Simply browse to Computer Configuration > Policies > Windows Settings > Advanced Audit Policy Configuration > Audit Policies > Global Object Access Auditing. Within here we can either set policy for the file system or registry.
We can view the properties of either of these policies and then simply select the checkbox to enable them.
We can then click the Configure button to define our SACL. This is mostly the same as before: the expression-based conditions are defined toward the bottom. The difference is that this SACL is delivered through group policy and is applied globally to every file on the file system (or every registry key) of each computer where the policy applies, in addition to any SACL set on the individual objects. As with the manual method, events are only generated when the corresponding Audit File System or Audit Registry subcategory is enabled.
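The two procedures above, the per-folder auditing entry and the computer-wide SACL pushed by Global Object Access Auditing, can be applied and checked from PowerShell as well. The following is an added example and not code from the original post; it assumes a hypothetical folder path, a DAC user claim type whose ID is "City" (the display name in the GUI may differ from the ID used in the expression), and that claims support is already enabled for the KDC and clients. It writes the conditional audit ACE in SDDL form, because the FileSystemAuditRule class cannot express a condition, then enables the audit subcategory, reads back the global SACL that the GPO delivered, and queries the resulting events.

```powershell
# Added example (not part of the original post): expression-based audit entry via SDDL,
# subcategory enablement, and verification of the GPO-delivered global SACL.
# Run in an elevated session: writing a SACL requires SeSecurityPrivilege.

$Path = 'C:\Shares\Finance'   # hypothetical folder to audit

function Add-ConditionalAuditAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Conditional audit ACE in SDDL form. Field by field:
        #   XU      callback (conditional) audit ACE
        #   OICISA  inherit to files (OI) and subfolders (CI); audit successful access (SA)
        #   FR      generic read on a file object
        #   BA      BUILTIN\Administrators; put a SID string here to target a single account
        #   (...)   the expression; "City" is the assumed DAC claim type ID
        [string] $Ace = '(XU;OICISA;FR;;;BA;(@User.City == "London"))'
    )
    $acl = Get-Acl -Path $Path -Audit
    # Keep any auditing entries already present instead of replacing the whole SACL.
    $sacl = $acl.GetSecurityDescriptorSddlForm('Audit')
    $sddl = if ($sacl -match '^S:') { $sacl + $Ace } else { 'S:' + $Ace }
    $acl.SetSecurityDescriptorSddlForm($sddl, 'Audit')
    Set-Acl -Path $Path -AclObject $acl
    # Return the stored SACL so the caller can confirm the condition survived the write.
    (Get-Acl -Path $Path -Audit).GetSecurityDescriptorSddlForm('Audit')
}

Add-ConditionalAuditAce -Path $Path

# A SACL on its own logs nothing; the Object Access subcategory must be enabled too.
auditpol /set /subcategory:"File System" /success:enable
auditpol /get /subcategory:"File System"

# Global Object Access Auditing from the GPO lands in the computer's resource SACL.
# After a policy refresh, this shows what was actually applied on this machine.
gpupdate /target:computer /force
auditpol /resourceSACL /view /type:File

# Event 4663 ("An attempt was made to access an object") is what a matching entry produces.
# When the user has no City claim, or it is not "London", the conditional ACE simply
# does not fire, so absence of events is the expected result for those users.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -match [regex]::Escape($Path) } |
    Select-Object TimeCreated, Id, Message
```

To test the condition, access the folder once as an administrator whose AD attribute backing the City claim is London and once as one whose attribute is anything else; only the first should produce 4663 events for the path. If neither does, confirm the claim is present in the token with `whoami /claims` before suspecting the ACE.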
We can create expression-based audit policies either manually, on a per file, folder, or Active Directory object basis, or centrally through group policy. The conditions let us state precisely who and what should be audited, at a far more granular level than a plain auditing entry allows.