There are various tasks that can be performed in Application Group Management
- An application group can be created, changed or deleted
- A member can be added to/removed from application group
The volume of this event being generated is low. And by default this events are not configured to be logged by Microsoft. However, if this policy setting is configured, it determines what tasks are performed in application group management.
Following are the lists of event that gets generated
eventId description
4783 A basic application group was created.
4784 A basic application group was changed.
4785 A member was added to a basic application group.
4786 A member was removed from a basic application group.
4787 A non-member was added to a basic application group.
4788 A non-member was removed from a basic application group.
4789 A basic application group was deleted.
4790 An LDAP query group was created.
How should these events be looked in SIEM tool?
Alert rules. Rules can be specific to above mentioned eventId or generic to Application Group Management like
LogSource=Windows eventId IN [4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790]
What fields to monitor?
timestamp, user name, operationType
No comments:
Post a Comment