2 Replies Latest reply on May 13, 2015 2:28 AM by asiff

    Changes Made to Active Directory server

    asiff

Hi All,

I'm looking for assistance to write a correlation to detect any changes made on the Active Directory server (such as creation of groups, policy changes, etc.) from domain users.

Let me know what conditions are to be considered in the normalization rule, or do I need to look for any particular signatures which are related to AD changes?

1. Re: Changes Made to Active Directory server
andy777

Hi -

If I understand your request correctly, I think I would create a watchlist for Signature IDs that includes the following Windows IDs and then alert based upon that watchlist.

43-263047830    A basic application group was created.
43-263047840    A basic application group was changed.
43-263047850    A member was added to a basic application group.
43-263047860    A member was removed from a basic application group.
43-263047870    A non-member was added to a basic application group.
43-263047880    A non-member was removed from a basic application group.
43-263047890    A basic application group was deleted.
43-263047900    An LDAP query group was created.
43-263047420    A computer account was changed.
43-263047430    A computer account was deleted.
43-263047440    A security-disabled local group was created.
43-263047450    A security-disabled local group was changed.
43-263047460    A member was added to a security-disabled local group.
43-263047470    A member was removed from a security-disabled local group.
43-263047480    A security-disabled local group was deleted.
43-263047490    A security-disabled global group was created.
43-263047500    A security-disabled global group was changed.
43-263047510    A member was added to a security-disabled global group.
43-263047520    A member was removed from a security-disabled global group.
43-263047530    A security-disabled global group was deleted.
43-263047590    A security-disabled universal group was created.
43-263047600    A security-disabled universal group was changed.
43-263047610    A member was added to a security-disabled universal group.
43-263047620    A member was removed from a security-disabled universal group.
43-263047270    A security-enabled global group was created.
43-263047280    A member was added to a security-enabled global group.
43-263047290    A member was removed from a security-enabled global group.
43-263047300    A security-enabled global group was deleted.
43-263047310    A security-enabled local group was created.
43-263047320    A member was added to a security-enabled local group.
43-263047330    A member was removed from a security-enabled local group.
43-263047340    A security-enabled local group was deleted.
43-263047350    A security-enabled local group was changed.
43-263047370    A security-enabled global group was changed.
43-263047540    A security-enabled universal group was created.
43-263047550    A security-enabled universal group was changed.
43-263047560    A member was added to a security-enabled universal group.
43-263047570    A member was removed from a security-enabled universal group.
43-263047580    A security-enabled universal group was deleted.
43-263047640    A group's type was changed.
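As an added illustration of the watchlist approach (example code, not from the thread or the SIEM vendor): a small correlation that matches normalized events against a subset of the Signature IDs above and alerts only when the change was made by an account outside an expected-admin allowlist, which is the "from domain users" condition in the question. The pipe-delimited event format, the admin allowlist and the sample events are constructed; the observation that the last five digits of these signature IDs are the Windows event ID times ten (e.g. 43-263047270 is event 4727) is drawn from the list itself and should be verified against your own ESM.

```python
# Watchlist correlation over constructed, normalized Windows events.
# Subset of the Signature IDs from the reply above; in practice the full
# list is loaded from the SIEM watchlist rather than hard-coded.
AD_CHANGE_WATCHLIST = {
    "43-263047270": "A security-enabled global group was created.",
    "43-263047280": "A member was added to a security-enabled global group.",
    "43-263047300": "A security-enabled global group was deleted.",
    "43-263047420": "A computer account was changed.",
    "43-263047640": "A group's type was changed.",
    "43-263047830": "A basic application group was created.",
}
# Accounts expected to make these changes (constructed allowlist); anyone
# else is the "domain users" case the question asks about.
EXPECTED_ADMINS = {"CORP\\svc-adjoin", "CORP\\admin.jane"}


def windows_event_id(sig_id: str) -> int:
    """Signature IDs above end in the Windows event ID times ten, so
    43-263047270 is event 4727 (assumption drawn from the list; verify)."""
    return int(sig_id.split("-")[1][-5:]) // 10


def parse_event(line: str) -> dict:
    """Constructed pipe-delimited export: time|sig_id|src_user|target."""
    time, sig_id, user, target = (f.strip() for f in line.split("|"))
    return {"time": time, "sig_id": sig_id, "user": user, "target": target}


def correlate(lines, watchlist=AD_CHANGE_WATCHLIST, admins=EXPECTED_ADMINS):
    """Return one alert per watchlisted AD change made by a non-admin."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        desc = watchlist.get(ev["sig_id"])
        if desc is None or ev["user"] in admins:
            continue  # not a tracked AD change, or an expected operator
        ev.update(description=desc, event_id=windows_event_id(ev["sig_id"]))
        alerts.append(ev)
    return alerts

# Constructed sample; the first sig_id is deliberately not on the watchlist.
SAMPLE_EVENTS = """\
2015-05-12T09:01:10|43-263046240|CORP\\bob|DC01
2015-05-12T09:02:33|43-263047280|CORP\\bob|CN=Domain Admins,CN=Users,DC=corp,DC=local
2015-05-12T09:03:01|43-263047270|CORP\\admin.jane|CN=App-Readers,OU=Groups,DC=corp,DC=local
2015-05-12T09:04:12|43-263047420|CORP\\svc-adjoin|CN=WS0042,OU=Workstations,DC=corp,DC=local
2015-05-12T09:05:45|43-263047640|CORP\\bob|CN=Finance,OU=Groups,DC=corp,DC=local
""".splitlines()

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["time"], a["user"], a["description"], "on", a["target"])
```

Only the two changes made by CORP\bob produce alerts; the same changes made by the allowlisted admin and service accounts are suppressed.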

2. Re: Changes Made to Active Directory server
asiff

Thanks Andy. I created an alarm using the above signature IDs and it is working as expected.