puhua.net

View My GitHub Profile

Pages (Latest 10 updated) :
Posts (Latest 50 updated) : Read all
26 October 2020

保护Active Directory的最佳实践

Audit Policy Recommendations

Events to Monitor

The computer attempted to validate the credentials for an account

How to Audit Organizational Units (OUs) Changes in Active Directory

Centralized logging using Graylog

Audit Logon

An account was successfully logged on.

A user logged on to this computer.

winlogbeat_event_id:4624 AND winlogbeat_event_data_LogonType:2

A user or computer logged on to this computer from the network.

winlogbeat_event_id:4624 AND winlogbeat_event_data_LogonType:3

A user logged on to this computer remotely using Terminal Services or Remote Desktop.

winlogbeat_event_id:4624 AND winlogbeat_event_data_LogonType:10

A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

winlogbeat_event_id:4624 AND winlogbeat_event_data_LogonType:11

An account failed to log on.

winlogbeat_event_id:4625 AND winlogbeat_event_data_LogonType:2 winlogbeat_event_id:4625 AND winlogbeat_event_data_LogonType:3 winlogbeat_event_id:4625 AND winlogbeat_event_data_LogonType:10 winlogbeat_event_id:4625 AND winlogbeat_event_data_LogonType:11

A logon was attempted using explicit credentials.

winlogbeat_event_id:4648

SIDs were filtered.

winlogbeat_event_id:4675

The computer attempted to validate the credentials for an account

winlogbeat_event_id:4776 AND NOT winlogbeat_event_data_Status:0x0

Audit Logoff

An account was logged off.

winlogbeat_event_id:4634 AND winlogbeat_event_data_LogonType:2 winlogbeat_event_id:4634 AND winlogbeat_event_data_LogonType:3 winlogbeat_event_id:4634 AND winlogbeat_event_data_LogonType:10 winlogbeat_event_id:4634 AND winlogbeat_event_data_LogonType:11

User initiated logoff.

winlogbeat_event_id:4647

Audit account management

A user account was created.

winlogbeat_event_id:4720

A user account was enabled.

winlogbeat_event_id:4722

An attempt was made to change/reset an account’s password.

winlogbeat_event_id:(4723 OR 4724)

A user account was disabled.

winlogbeat_event_id:4725

A user account was deleted.

winlogbeat_event_id:4726

A user account was changed.

winlogbeat_event_id:4738

A user account was locked out.

winlogbeat_event_id:4740

A user account was unlocked.

winlogbeat_event_id:4767

The ACL was set on accounts which are members of administrators groups.

winlogbeat_event_id:4780

The name of an account was changed:

winlogbeat_event_id:4781

An attempt was made to set the Directory Services Restore Mode.

winlogbeat_event_id:4794

Credential Manager credentials were backed up.

winlogbeat_event_id:5376

Credential Manager credentials were restored from a backup.

winlogbeat_event_id:5377

Audit Computer Account Management

A computer account was created.

winlogbeat_event_id:4741

A computer account was changed.

winlogbeat_event_id:4742

A computer account was deleted.

winlogbeat_event_id:4743

Audit Security Group Management

A security-enabled group was created.

winlogbeat_event_id:(4727 AND 4731 AND 4754)

A member was added to a security-enabled group.

winlogbeat_event_id:(4728 AND 4732 AND 4756)

A member was removed from a security-enabled group.

winlogbeat_event_id:(4729 AND 4733 AND 4757)

A security-enabled global group was deleted.

winlogbeat_event_id:(4730 AND 4734 AND 4758)

Audit Directory Service

A directory service object was created.

winlogbeat_event_id:5137

A directory service object was modified.

winlogbeat_event_id:5136

A directory service object was moved.

winlogbeat_event_id:5139

A directory service object was deleted.

winlogbeat_event_id:5141

Winlogbeat Conf file

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["${user.host}:${user.port}"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - winadaudit
winlogbeat:
  event_logs:
  - name: Security
    processors:
        - drop_event.when.not.or:
            - equals.event_id: 4624
            - equals.event_id: 4625
            - equals.event_id: 4776
            - equals.event_id: 5136
            - equals.event_id: 5137
            - equals.event_id: 5138
            - equals.event_id: 5139
            - equals.event_id: 5141
            - equals.event_id: 4720
            - equals.event_id: 4723
            - equals.event_id: 4724
            - equals.event_id: 4725
            - equals.event_id: 4726
            - equals.event_id: 4767
            - equals.event_id: 4780
            - equals.event_id: 4781
            - equals.event_id: 4741
            - equals.event_id: 4742
            - equals.event_id: 4743
            - equals.event_id: 4727
            - equals.event_id: 4728
            - equals.event_id: 4729
            - equals.event_id: 4730
            - equals.event_id: 4730
            - equals.event_id: 4731
            - equals.event_id: 4732
            - equals.event_id: 4733
            - equals.event_id: 4754
            - equals.event_id: 4756
            - equals.event_id: 4757
            - equals.event_id: 4758
    ignore_older: 48h