This article describes the steps to enable audit events for Windows Authentication, this allows our EDR Forensic snapshots to contain more information in regards to logon events. The following sections are covered:
Applies to the following Sophos products and versions Central Endpoint Advanced 11.5.11Central Server Core Agent 2.2.1
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /get /category:*
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.