Introduction
This article lists the audit policy settings that Field Effect MDR requires for maximum effect. Enable these policies within Windows Advanced Audit Policy.
If you would like to learn more about what data is collected by Field Effect MDR (once the policies are set), see What Events are Collected by Field Effect.
Audit Policy Requirements for Field Effect MDR
The table below lists the minimum required audit policy settings that will generate all Field Effect AROs (accurate as of June 2025). If these policies are not already set in Windows Advanced Audit Policy, please set them in your environment.
Note: the audit policy listed here is accurate for Windows Server versions 2016, 2019, 2022, and 2025. Other Windows versions may have slight variations in the order of policies and may have some unique policy settings.
| Category | Sub-Category | Setting |
|---|---|---|
| Logon/Logoff | Logon | Success and Failure |
| Logon/Logoff | Logoff | Success and Failure |
| Logon/Logoff | Account Lockout | Success and Failure |
| Account Management | Computer Account Management | Success and Failure |
| Account Management | Security Group Management | Success and Failure |
| Account Management | User Account Management | Success and Failure |
| Account Logon | Kerberos Service Ticket Operations | Success and Failure |
| Account Logon | Kerberos Authentication Service | Success and Failure |
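
One way to check a host against the table above, as an added example (not Field Effect's own tooling). It assumes an elevated PowerShell prompt and an English-language OS, since `auditpol` subcategory names are localized; the `-Fix` switch is a hypothetical parameter of this script.

```powershell
# Added example: compare effective audit policy with the required subcategories.
# Assumptions: elevated prompt, English subcategory names, script-defined -Fix switch.
param([switch]$Fix)

# Subcategories from the table; every one must be "Success and Failure".
$required = @(
    'Logon', 'Logoff', 'Account Lockout',
    'Computer Account Management', 'Security Group Management',
    'User Account Management',
    'Kerberos Service Ticket Operations', 'Kerberos Authentication Service'
)

# /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting.
$current = auditpol /get /category:* /r |
    Where-Object { $_ } |      # drop blank lines in the report
    ConvertFrom-Csv

$results = foreach ($name in $required) {
    # Exact match so "Logon" does not also match "Special Logon".
    $row = $current | Where-Object { $_.Subcategory -eq $name }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    [pscustomobject]@{
        Subcategory = $name
        Current     = $setting
        Compliant   = ($setting -eq 'Success and Failure')
    }
}
$results | Format-Table -AutoSize

$gaps = @($results | Where-Object { -not $_.Compliant })
if ($Fix) {
    foreach ($g in $gaps) {
        # Enable both success and failure auditing for the subcategory.
        auditpol /set /subcategory:"$($g.Subcategory)" /success:enable /failure:enable
    }
} elseif ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) subcategories do not meet the requirement."
}
```

Settings applied locally with `auditpol /set` are overwritten when a Group Policy object defines the same subcategories, so on domain-joined machines make the change in the GPO's Advanced Audit Policy Configuration and use the script only to verify the result.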