Sunday, September 22, 2019

User Account Management in Windows System

Various events are logged when the following User Account Management tasks are performed:
  • A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked.
  • A user account password is set or changed.
  • Security identifier (SID) history is added to a user account.
  • The Directory Services Restore Mode password is set.
  • Permissions on accounts that are members of administrators groups are changed.
  • Credential Manager credentials are backed up or restored.
The volume of these events is low, and this policy setting is essential for tracking events that involve provisioning and managing user accounts. The following events are generated:

Event ID  Description
4720      A user account was created.
4722      A user account was enabled.
4723      An attempt was made to change an account's password.
4724      An attempt was made to reset an account's password.
4725      A user account was disabled.
4726      A user account was deleted.
4738      A user account was changed.
4740      A user account was locked out.
4765      SID History was added to an account.
4766      An attempt to add SID History to an account failed.
4767      A user account was unlocked.
4780      The ACL was set on accounts which are members of administrators groups.
4781      The name of an account was changed.
4794      An attempt was made to set the Directory Services Restore Mode.
5376      Credential Manager credentials were backed up.
5377      Credential Manager credentials were restored from a backup.

How should these events be handled in a SIEM tool?
Alert rules. A rule can be specific to one of the event IDs above, or generic to the whole User Account Management category, for example:
LogSource=Windows eventId IN [4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4781, 4794, 5376, 5377]

What fields should be monitored?
Timestamp, who performed the action, group name, operationType, and other important information depending on the event generated.
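The following is an added example, not code from the original post, showing what the alert rule and the field extraction above look like when implemented against raw Windows event XML (the layout produced by wevtutil or Get-WinEvent's ToXml()). The sample events, the domain EXAMPLE, the host DC01.example.local and the user names are constructed for the example; the short-lived-account correlation at the end is an assumption of this example and goes one step beyond the single-event rule on the page.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# The User Account Management event IDs from the post's alert rule.
USER_ACCOUNT_MGMT_IDS = {4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740,
                         4765, 4766, 4767, 4780, 4781, 4794, 5376, 5377}

# Namespace used by Windows event XML (wevtutil / Get-WinEvent ToXml()).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_event(event_id, when, subject, target, computer="DC01.example.local"):
    """Build a constructed Security-channel event; real events carry more <Data> fields."""
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{when}"/>
    <Channel>Security</Channel>
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetUserName">{target}</Data>
  </EventData>
</Event>"""


# Constructed sample log: a logon event (4624) the rule must ignore, and a
# service account that is created, changed and deleted within 20 minutes.
SAMPLE_EVENTS = [
    make_event(4720, "2019-09-22T10:15:03Z", "jdoe", "svc_tmp"),
    make_event(4624, "2019-09-22T10:16:10Z", "jdoe", "jdoe"),
    make_event(4738, "2019-09-22T10:17:45Z", "jdoe", "svc_tmp"),
    make_event(4726, "2019-09-22T10:34:30Z", "jdoe", "svc_tmp"),
]


def parse_event(xml_text):
    """Pull the System header and the named EventData fields out of one event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "timestamp": system.find("e:TimeCreated", NS).get("SystemTime"),
        "channel": system.find("e:Channel", NS).text,
        "computer": system.find("e:Computer", NS).text,
        "data": {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)},
    }


def matches_rule(event):
    """The post's rule: Windows Security log AND eventId IN the account-management list."""
    return event["channel"] == "Security" and event["event_id"] in USER_ACCOUNT_MGMT_IDS


def to_alert(event):
    """Keep the fields the post says to monitor: when, who performed it, on which account."""
    d = event["data"]
    return {
        "timestamp": event["timestamp"],
        "event_id": event["event_id"],
        "performed_by": f"{d.get('SubjectDomainName', '')}\\{d.get('SubjectUserName', '')}",
        "target_account": f"{d.get('TargetDomainName', '')}\\{d.get('TargetUserName', '')}",
        "computer": event["computer"],
    }


def run_rule(xml_events):
    """Apply the alert rule to a batch of raw events and return the alert records."""
    return [to_alert(ev) for ev in map(parse_event, xml_events) if matches_rule(ev)]


def short_lived_accounts(alerts, window=timedelta(hours=1)):
    """Correlation added by this example (not from the post): an account that was
    created (4720) and deleted (4726) within `window`, a common sign of cleanup."""
    created_at, hits = {}, []
    for a in alerts:
        ts = datetime.fromisoformat(a["timestamp"].replace("Z", "+00:00"))
        if a["event_id"] == 4720:
            created_at[a["target_account"]] = ts
        elif a["event_id"] == 4726 and a["target_account"] in created_at:
            if ts - created_at[a["target_account"]] <= window:
                hits.append(a["target_account"])
    return hits


if __name__ == "__main__":
    alerts = run_rule(SAMPLE_EVENTS)
    for a in alerts:
        print(f"{a['timestamp']} {a['event_id']} {a['performed_by']} -> {a['target_account']} on {a['computer']}")
    print("short-lived accounts:", short_lived_accounts(alerts))
```

Run as-is, the rule passes the 4720, 4738 and 4726 events and drops the 4624 logon; the correlation then flags EXAMPLE\svc_tmp because it was deleted 19 minutes after creation. In a real SIEM the same two steps map to a per-event rule on the ID list plus a time-windowed correlation keyed on the target account name.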

