Monday, September 30, 2019

Distribution Group Management in Windows System

Distribution Group Management covers the following tasks:
  • A distribution group is created, changed, or deleted.
  • A member is added to or removed from a distribution group.

The volume of these events is low, and they are logged only on domain controllers. By default, Microsoft does not configure these events to be logged. If this audit policy setting is configured, it determines which Distribution Group Management tasks generate events.


Following is the list of events that are generated (the event log refers to a distribution group as a "security-disabled" group):

Event ID  Description
4744      A security-disabled local group was created.
4745      A security-disabled local group was changed.
4746      A member was added to a security-disabled local group.
4747      A member was removed from a security-disabled local group.
4748      A security-disabled local group was deleted.
4749      A security-disabled global group was created.
4750      A security-disabled global group was changed.
4751      A member was added to a security-disabled global group.
4752      A member was removed from a security-disabled global group.
4753      A security-disabled global group was deleted.
4759      A security-disabled universal group was created.
4760      A security-disabled universal group was changed.
4761      A member was added to a security-disabled universal group.
4762      A member was removed from a security-disabled universal group.

How should these events be looked at in a SIEM tool?
Alert rules. Rules can be specific to one of the above event IDs, or generic to all of Distribution Group Management, like:
LogSource=Windows eventId IN [4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762]

What fields to monitor?
timestamp, who performed the action, the distribution group, operationType
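As an added example (not part of the original post), the following Python normalises the events above into the monitored fields and applies the generic alert rule. The sample events are constructed test data in a JSON-lines shape; the field names (SubjectUserName, TargetUserName, MemberName) follow the Windows security event XML and are an assumption about how the collector forwards them.

```python
# Added example, not part of the original post: normalise Distribution Group
# Management events into the fields the post says to monitor and apply its
# alert rule. All sample events below are constructed test data.
import json

# Event IDs from the post, mapped to (group scope, operationType).
DGM_EVENTS = {
    4744: ("local", "created"), 4745: ("local", "changed"),
    4746: ("local", "member_added"), 4747: ("local", "member_removed"),
    4748: ("local", "deleted"),
    4749: ("global", "created"), 4750: ("global", "changed"),
    4751: ("global", "member_added"), 4752: ("global", "member_removed"),
    4753: ("global", "deleted"),
    4759: ("universal", "created"), 4760: ("universal", "changed"),
    4761: ("universal", "member_added"), 4762: ("universal", "member_removed"),
}

# Constructed JSON-lines sample as a log collector might forward it. The field
# names (SubjectUserName = who performed, TargetUserName = the group,
# MemberName = the member DN) follow the Windows security event XML.
SAMPLE_LOG = """\
{"EventID": 4751, "TimeCreated": "2019-09-30T08:15:02Z", "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "All-Staff", "MemberName": "CN=New Hire,OU=Users,DC=corp,DC=example"}
{"EventID": 4624, "TimeCreated": "2019-09-30T08:15:10Z", "Computer": "DC01", "SubjectUserName": "svc-backup", "TargetUserName": "svc-backup"}
{"EventID": 4749, "TimeCreated": "2019-09-30T08:16:40Z", "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "Vendors-External"}
{"EventID": 4762, "TimeCreated": "2019-09-30T09:01:00Z", "Computer": "DC02", "SubjectUserName": "admin", "TargetUserName": "All-Staff", "MemberName": "CN=Leaver,OU=Users,DC=corp,DC=example"}
"""


def parse_events(text):
    """Parse JSON-lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalise(event):
    """Return the monitored fields for a DGM event, or None for any other event."""
    scope_op = DGM_EVENTS.get(event.get("EventID"))
    if scope_op is None:
        return None
    scope, op = scope_op
    return {
        "timestamp": event.get("TimeCreated"),
        "who_performed": event.get("SubjectUserName"),
        "group": event.get("TargetUserName"),
        "scope": scope,
        "operationType": op,
        "member": event.get("MemberName"),  # only present on member add/remove
    }


def alert(events):
    """The post's SIEM rule: LogSource=Windows and EventID in the DGM list."""
    return [n for n in map(normalise, events) if n is not None]
```

Running alert(parse_events(SAMPLE_LOG)) yields three alerts; the 4624 logon event is dropped because it is outside the rule's event ID list.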
