-
-
Save gentilkiwi/dcc132457408cf11ad2061340dcb53c2 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sourcetype=XmlWinEventLog:Security AND EventCode=4662 AND NOT (SubjectUserSid="AUTORITE NT\\*" OR SubjectDomainName="Window Manager") | |
| ( | |
| (ObjectType="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR ObjectType="domainDNS") | |
| AND | |
| (Properties="*Replicating Directory Changes All*" OR Properties="*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*" OR Properties = "*{9923a32a-3607-11d2-b9be-0000f87a36b2}*" OR Properties = "*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*") | |
| ) | |
| | rename _time AS DSTime, SubjectUserSid AS DSUserSid, SubjectDomainName AS DSDomainName, SubjectUserName AS DSUserName, SubjectLogonId AS DSLogonId, ObjectType AS DSObjectType, ObjectName AS DSObjectName, Properties AS DSProperties status AS DSStatus | |
| | join type=left Computer, DSLogonId | |
| [ | |
| search sourcetype=XmlWinEventLog:Security AND EventCode=4624 NOT (TargetUserSid="AUTORITE NT\\*" OR TargetDomainName="Window Manager") | |
| | rename _time AS LogonTime, TargetLogonId AS DSLogonId | |
| ] | |
| | convert timeformat="%d/%m/%Y %H:%M:%S" ctime(DSTime), ctime(LogonTime) | |
| | table DSTime, Computer, DSUserSid, DSDomainName, DSUserName, DSObjectType, DSObjectName, DSProperties, DSStatus, DSLogonId, LogonTime, AuthenticationPackageName, IpAddress, IpPort | |
| sourcetype="XmlWinEventLog:Security" AND EventCode=4742 AND NOT (SubjectUserSid="AUTORITE NT\\*" OR SubjectDomainName="Window Manager") | |
| AND (ServicePrincipalNames="*GC/*" OR ServicePrincipalNames="*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*") | |
| AND NOT (SubjectUserSid = "AUTORITE NT\\*") | |
| | rename _time AS CAMTime, SubjectUserSid AS CAMSubjectUserSid, SubjectDomainName AS CAMSubjectDomainName, SubjectUserName AS CAMSubjectUserName, SubjectLogonId AS CAMSubjectLogonId, TargetSid AS CAMTargetSid, TargetDomainName AS CAMTargetDomainName, TargetUserName AS CAMTargetUserName, ServicePrincipalNames AS CAMServicePrincipalNames | |
| | join type=left Computer, CAMSubjectLogonId | |
| [ | |
| search sourcetype=XmlWinEventLog:Security AND EventCode=4624 NOT (TargetUserSid="AUTORITE NT\\*" OR TargetDomainName="Window Manager") | |
| | rename _time AS LogonTime, TargetLogonId AS CAMSubjectLogonId | |
| ] | |
| | convert timeformat="%d/%m/%Y %H:%M:%S" ctime(CAMTime), ctime(LogonTime) | |
| | table CAMTime, CAMSubjectUserSid, CAMSubjectDomainName, CAMSubjectUserName, CAMTargetSid, CAMTargetDomainName, CAMTargetUserName, CAMServicePrincipalNames, CAMSubjectLogonId, LogonTime, AuthenticationPackageName, IpAddress, IpPort |
The use of 4662 events has two prerequisites:
- The logging hosts (All DCs, in this case) must have the following set in its auditing config: DS Access -> Audit Directory Service Access: Success and Failure
- The AD objects to be monitored (Which, I'm sorry, but I'm unclear exactly which objects must have this ACL applied) must have an Audit ACL applied. Further Question: Do these ACLs need to log all read or write access by anyone at all, or do we just care about write access, or possibly just from a restricted set of users?
Please (Pretty Please? :-))add a description of the exact configuration required to enable the necessary logging.
Thanks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Be aware that you might have to change AUTORITE NT and filter out DC$ accounts and others particularities
"join" is limited by the product and does not work as expected in SQL 😞