There are various tasks that can be performed in Computer Account Management
- Computer account is created, changed, or deleted
The volume of this event being generated is low. And by default this events are not configured to be logged by Microsoft. However, if this policy setting is configured, it determines what tasks are performed in Computer Account Management and is useful for tracking account related changes to computers that are members of a domain.
Following are the lists of event that gets generated
eventId description
4741 A computer account was created.
4742 A computer account was changed.
4743 A computer account was deleted.
How should these events be looked in SIEM tool?
Alert rules. Rules can be specific to above mentioned eventId or generic to Application Group Management like
LogSource=Windows eventId IN [4741, 4742, 4743]
What fields to monitor?
timestamp, who performed, account name, operationType
No comments:
Post a Comment