Several events are logged when the following security group management tasks are performed:
- A security group is created, changed, or deleted.
- A member is added to or removed from a security group.
- A group's type is changed.
The volume of these events is low. By default, Microsoft configures success events for this subcategory to be logged. When the policy setting is configured, the following events are generated:
| eventId | Description |
|---------|-------------|
| 4727 | A security-enabled global group was created. |
| 4728 | A member was added to a security-enabled global group. |
| 4729 | A member was removed from a security-enabled global group. |
| 4730 | A security-enabled global group was deleted. |
| 4731 | A security-enabled local group was created. |
| 4732 | A member was added to a security-enabled local group. |
| 4733 | A member was removed from a security-enabled local group. |
| 4734 | A security-enabled local group was deleted. |
| 4735 | A security-enabled local group was changed. |
| 4737 | A security-enabled global group was changed. |
| 4754 | A security-enabled universal group was created. |
| 4755 | A security-enabled universal group was changed. |
| 4756 | A member was added to a security-enabled universal group. |
| 4757 | A member was removed from a security-enabled universal group. |
| 4758 | A security-enabled universal group was deleted. |
| 4764 | A group's type was changed. |
How should these events be looked at in a SIEM tool?
Alert rules. Rules can be specific to one of the event IDs listed above, or generic to Application Group Management, for example:
LogSource=Windows eventId IN [4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764]
What fields should be monitored?
Timestamp, who performed the action, group name, operation type, and other important information depending on the event generated.
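The generic rule above and the fields to monitor, as an added example that is not part of the original post: it runs the event ID match over a batch of constructed Windows Security records and normalises each hit into timestamp, who, group and operationType. Field names (TimeCreated, SubjectUserName, TargetUserName, MemberName) follow the EventData of these events; the sample records are constructed.

```python
# Added example (not from the original post): normalise Windows Security Group
# Management events into the fields the post says to monitor. Samples are constructed.
from typing import Dict, List, Optional, Tuple

# eventId -> (group scope, operation type); these are the IDs listed in the post
GROUP_MGMT_EVENTS: Dict[int, Tuple[str, str]] = {
    4727: ("global", "created"), 4728: ("global", "member_added"),
    4729: ("global", "member_removed"), 4730: ("global", "deleted"), 4737: ("global", "changed"),
    4731: ("local", "created"), 4732: ("local", "member_added"),
    4733: ("local", "member_removed"), 4734: ("local", "deleted"), 4735: ("local", "changed"),
    4754: ("universal", "created"), 4756: ("universal", "member_added"),
    4757: ("universal", "member_removed"), 4758: ("universal", "deleted"), 4755: ("universal", "changed"),
    4764: ("any", "type_changed"),
}

def matches_rule(event_id: int) -> bool:
    """The generic rule from the post: eventId IN [4727, 4728, ...]."""
    return event_id in GROUP_MGMT_EVENTS

def normalise(record: dict) -> Optional[dict]:
    """Map one raw event to timestamp / who / group / operationType, or None if unrelated."""
    event_id = int(record["EventID"])  # EventID may arrive as a string from some collectors
    if not matches_rule(event_id):
        return None
    scope, operation = GROUP_MGMT_EVENTS[event_id]
    alert = {
        "timestamp": record["TimeCreated"],
        "who": record.get("SubjectDomainName", "") + "\\" + record["SubjectUserName"],
        "group": record["TargetUserName"],  # for these events the target account is the group
        "scope": scope, "operationType": operation, "eventId": event_id,
    }
    if operation in ("member_added", "member_removed"):  # membership events also name the account
        alert["member"] = record.get("MemberName", "")
    return alert

def triage(records: List[dict]) -> List[dict]:
    """Run the rule over a batch and keep only the normalised group-management alerts."""
    return [a for a in (normalise(r) for r in records) if a is not None]

# constructed sample batch: one unrelated logon (noise), one member add, one type change
SAMPLE = [
    {"TimeCreated": "2024-01-10T09:12:03Z", "EventID": 4624, "SubjectDomainName": "CORP",
     "SubjectUserName": "alice", "TargetUserName": "alice"},
    {"TimeCreated": "2024-01-10T09:15:44Z", "EventID": 4728, "SubjectDomainName": "CORP",
     "SubjectUserName": "admin01", "TargetUserName": "Domain Admins",
     "MemberName": "CN=bob,OU=Users,DC=corp,DC=local"},
    {"TimeCreated": "2024-01-10T09:16:10Z", "EventID": "4764", "SubjectDomainName": "CORP",
     "SubjectUserName": "admin01", "TargetUserName": "AppOps"},
]
```

Calling `triage(SAMPLE)` drops the 4624 logon and returns two alerts, one member_added on Domain Admins and one type_changed on AppOps, each carrying the who/group/timestamp fields a SIEM rule should surface.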