
AD Attribute Changes

Does anyone know if Nitro can report/alarm on an Attribute change in AD? i.e. changing an attribute from True to False.



1 Reply

Re: AD Attribute Changes

Should be able to. This is where you want to start.

Step 1: Ensure you have proper auditing set up so attribute change events are captured in the domain controller's security event logs. See: Active Directory Domain Services (AD DS) Auditing Step-by-Step Guide

Step 2: Assuming the DC data source is already set up and receiving security logs. This step requires a little analysis effort. Take a look at the parsed event in ESM and see what field captures the attribute change; typically the custom type tab will give you something to work with. If not, you may need to write a custom parser.

Step 3: Create a correlation rule based on Sig ID and parsed custom field.

Step 4: Create an Internal Event match alarm that matches the SigID of the correlation rule created in Step 3.

Hope this helps..
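
The matching logic behind Steps 2 and 3, as an added example that is not part of the reply above and is not ESM rule or parser syntax: with Directory Service Changes auditing enabled, a domain controller logs event 5136 once for the value deleted and once for the value added, so a True-to-False change has to be rebuilt by pairing the two records on their shared `OpCorrelationID`. The attribute `msNPAllowDialin`, the account names and the sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ADDED, DELETED = "%%14674", "%%14675"  # OperationType: Value Added / Value Deleted

def parse_5136(xml_text):
    """Return the EventData fields of one event 5136 as a dict, or None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None
    return {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}

def attribute_changes(events_xml):
    """Pair the delete/add halves of each modification into (who, dn, attr, old, new)."""
    ops = defaultdict(dict)
    for xml_text in events_xml:
        f = parse_5136(xml_text)
        if f is None:
            continue
        key = (f["OpCorrelationID"], f["ObjectDN"], f["AttributeLDAPDisplayName"])
        ops[key]["who"] = f["SubjectUserName"]
        ops[key]["old" if f["OperationType"] == DELETED else "new"] = f["AttributeValue"]
    return [(v["who"], k[1], k[2], v.get("old"), v.get("new")) for k, v in ops.items()]

def true_to_false(events_xml, attribute):
    """Changes of `attribute` from TRUE to FALSE: the condition the alarm should match."""
    return [c for c in attribute_changes(events_xml)
            if c[2].lower() == attribute.lower() and c[3] == "TRUE" and c[4] == "FALSE"]

def _event(op_id, op_type, attr, value, event_id="5136"):
    # Constructed sample event, trimmed to the fields used here.
    data = {"OpCorrelationID": op_id, "SubjectUserName": "admin.jdoe",
            "ObjectDN": "CN=Test User,OU=Staff,DC=example,DC=test",
            "AttributeLDAPDisplayName": attr, "AttributeValue": value, "OperationType": op_type}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{body}</EventData></Event>')

SAMPLE = [
    _event("{op-1}", DELETED, "msNPAllowDialin", "TRUE"),
    _event("{op-1}", ADDED, "msNPAllowDialin", "FALSE"),
    _event("{op-2}", ADDED, "description", "contractor"),
    _event("{op-3}", ADDED, "msNPAllowDialin", "FALSE", event_id="4662"),
]

if __name__ == "__main__":
    for who, dn, attr, old, new in true_to_false(SAMPLE, "msNPAllowDialin"):
        print(f"{who} changed {attr} on {dn}: {old} -> {new}")
```

If the SIEM parser exposes only the new value, the rule can match on the attribute name plus a "Value Added" record carrying `FALSE`, at the cost of also firing when the attribute is set to False for the first time.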