Last active
July 16, 2020 11:15
AD queries in Graylog (NXLog)
================================
What to map:
User - creation, deletion, modification, lockout and unlock.
Computer - creation, deletion, modification, lockout and unlock.
Groups - creation, deletion, modification, membership changes.
Logon - failed logon attempts, successful logons.
Filtered categories:

Directory Service Changes
EventID:
5136 - A directory service object was modified.
5137 - A directory service object was created.
5138 - A directory service object was undeleted.
5139 - A directory service object was moved.

Directory Service Access
EventID:
4662 - An operation was performed on an object.

User Account Management
EventID:
4720 - A user account was created.
4722 - A user account was enabled.
4723 - An attempt was made to change an account's password.
4724 - An attempt was made to reset an account's password.
4725 - A user account was disabled.
4726 - A user account was deleted.
4738 - A user account was changed.
4740 - A user account was locked out.
4765 - SID History was added to an account.
4766 - An attempt to add SID History to an account failed.
4767 - A user account was unlocked.
4780 - The ACL was set on accounts which are members of administrators groups.
4781 - The name of an account was changed.
4794 - An attempt was made to set the Directory Services Restore Mode.
5376 - Credential Manager credentials were backed up.
5377 - Credential Manager credentials were restored from a backup.

Computer Account Management
EventID:
4741 - A computer account was created.
4742 - A computer account was changed.
4743 - A computer account was deleted.

Logon / Logoff
EventID:
4624 - An account was successfully logged on.
4625 - An account failed to log on.
4634 - An account was logged off.
4647 - User initiated logoff. (The Windows logoff itself)
4648 - A logon was attempted using explicit credentials.
4672 - Special privileges assigned to new logon.
4778 - A session was reconnected to a Window Station.
4768 - A Kerberos authentication ticket (TGT) was requested.
4769 - A Kerberos service ticket was requested.
4770 - A Kerberos service ticket was renewed.
4771 - Kerberos pre-authentication failed.
4774 - An account was mapped for logon. (IIS)
4776 - The domain controller attempted to validate the credentials for an account.

Security Group Management
EventID:
4727 - A security-enabled global group was created.
4731 - A security-enabled local group was created.
4754 - A security-enabled universal group was created.
4730 - A security-enabled global group was deleted.
4734 - A security-enabled local group was deleted.
4758 - A security-enabled universal group was deleted.
4764 - A group's type was changed.
4735 - A security-enabled local group was changed.
4737 - A security-enabled global group was changed.
4755 - A security-enabled universal group was changed.
4728 - A member was added to a security-enabled global group.
4729 - A member was removed from a security-enabled global group.
4732 - A member was added to a security-enabled local group.
4733 - A member was removed from a security-enabled local group.
4756 - A member was added to a security-enabled universal group.
4757 - A member was removed from a security-enabled universal group.
Queries (Graylog search syntax; EventType values come from NXLog and are AUDIT_SUCCESS / AUDIT_FAILURE):

[Successful Account Password Change]
EventID:4723 AND SubjectAccountType:User AND EventType:AUDIT_SUCCESS

[Failed Account Password Change]
EventID:4723 AND EventType:AUDIT_FAILURE

[Account Lockouts]
EventID:4740

[Account Unlocks]
EventID:4767

[Group Creation]
EventID:4727 OR EventID:4731 OR EventID:4754

[Account Deletion]
EventID:4726

[AD Group Deletion]
EventID:4730 OR EventID:4734 OR EventID:4758

[Group Modifications] (the NOT clause drops records whose SamAccountName is just "-")
((EventID:4764 OR EventID:4735 OR EventID:4737 OR EventID:4755) AND NOT SamAccountName:\-)

[Group Membership Changes]
EventID:4728 OR EventID:4729 OR EventID:4732 OR EventID:4733 OR EventID:4756 OR EventID:4757
NXLog configuration example:
================================
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
    ShortMessageLength -1
</Extension>

<Input AuditoriaAD>
    Module im_msvistalog
    # One <Select> per EventID from the table above; the trailing backslash
    # continues the Query directive onto the next line.
    Query <QueryList> \
        <Query Id="0"> \
            <Select Path="Security">*[System[(EventID='5136')]]</Select> \
            <Select Path="Security">*[System[(EventID='5137')]]</Select> \
            <Select Path="Security">*[System[(EventID='5138')]]</Select> \
            <Select Path="Security">*[System[(EventID='5139')]]</Select> \
            <Select Path="Security">*[System[(EventID='4662')]]</Select> \
            <Select Path="Security">*[System[(EventID='4720')]]</Select> \
            <Select Path="Security">*[System[(EventID='4722')]]</Select> \
            <Select Path="Security">*[System[(EventID='4723')]]</Select> \
            <Select Path="Security">*[System[(EventID='4724')]]</Select> \
            <Select Path="Security">*[System[(EventID='4725')]]</Select> \
            <Select Path="Security">*[System[(EventID='4726')]]</Select> \
            <Select Path="Security">*[System[(EventID='4738')]]</Select> \
            <Select Path="Security">*[System[(EventID='4740')]]</Select> \
            <Select Path="Security">*[System[(EventID='4765')]]</Select> \
            <Select Path="Security">*[System[(EventID='4766')]]</Select> \
            <Select Path="Security">*[System[(EventID='4767')]]</Select> \
            <Select Path="Security">*[System[(EventID='4780')]]</Select> \
            <Select Path="Security">*[System[(EventID='4781')]]</Select> \
            <Select Path="Security">*[System[(EventID='4794')]]</Select> \
            <Select Path="Security">*[System[(EventID='5376')]]</Select> \
            <Select Path="Security">*[System[(EventID='5377')]]</Select> \
            <Select Path="Security">*[System[(EventID='4741')]]</Select> \
            <Select Path="Security">*[System[(EventID='4742')]]</Select> \
            <Select Path="Security">*[System[(EventID='4743')]]</Select> \
            <Select Path="Security">*[System[(EventID='4624')]]</Select> \
            <Select Path="Security">*[System[(EventID='4625')]]</Select> \
            <Select Path="Security">*[System[(EventID='4634')]]</Select> \
            <Select Path="Security">*[System[(EventID='4647')]]</Select> \
            <Select Path="Security">*[System[(EventID='4648')]]</Select> \
            <Select Path="Security">*[System[(EventID='4672')]]</Select> \
            <Select Path="Security">*[System[(EventID='4778')]]</Select> \
            <Select Path="Security">*[System[(EventID='4768')]]</Select> \
            <Select Path="Security">*[System[(EventID='4769')]]</Select> \
            <Select Path="Security">*[System[(EventID='4770')]]</Select> \
            <Select Path="Security">*[System[(EventID='4771')]]</Select> \
            <Select Path="Security">*[System[(EventID='4774')]]</Select> \
            <Select Path="Security">*[System[(EventID='4776')]]</Select> \
            <Select Path="Security">*[System[(EventID='4727')]]</Select> \
            <Select Path="Security">*[System[(EventID='4731')]]</Select> \
            <Select Path="Security">*[System[(EventID='4754')]]</Select> \
            <Select Path="Security">*[System[(EventID='4730')]]</Select> \
            <Select Path="Security">*[System[(EventID='4734')]]</Select> \
            <Select Path="Security">*[System[(EventID='4758')]]</Select> \
            <Select Path="Security">*[System[(EventID='4764')]]</Select> \
            <Select Path="Security">*[System[(EventID='4735')]]</Select> \
            <Select Path="Security">*[System[(EventID='4737')]]</Select> \
            <Select Path="Security">*[System[(EventID='4755')]]</Select> \
            <Select Path="Security">*[System[(EventID='4728')]]</Select> \
            <Select Path="Security">*[System[(EventID='4729')]]</Select> \
            <Select Path="Security">*[System[(EventID='4732')]]</Select> \
            <Select Path="Security">*[System[(EventID='4733')]]</Select> \
            <Select Path="Security">*[System[(EventID='4756')]]</Select> \
            <Select Path="Security">*[System[(EventID='4757')]]</Select> \
        </Query> \
    </QueryList>
</Input>

<Output Graylog>
    Module om_tcp
    Host graylog_server_address   # Graylog server address
    Port 12205                    # Graylog GELF TCP input port
    OutputType GELF_TCP
</Output>

<Route 1>
    Path AuditoriaAD => Graylog
</Route>
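The Query directive above is 53 hand-written Select lines; the example below regenerates it from the category table earlier in the note, offers a compact variant that ORs several EventIDs inside one XPath predicate, and parses the result as XML so a typo in an edited line is caught before NXLog rejects the input. This is an added example, not the gist's or NXLog's own code; the category-to-EventID mapping is copied from the note, while the grouped variant and the chunk size it uses are this example's additions.

```python
"""Generate and check the im_msvistalog <QueryList> from the event-ID table.

Added example, not part of the gist or of NXLog. The category-to-EventID
mapping is copied from the note; the grouped-Select variant is an addition.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Categories and Security-log EventIDs exactly as listed in the note.
AD_AUDIT_EVENTS: Dict[str, List[int]] = {
    "Directory Service Changes": [5136, 5137, 5138, 5139],
    "Directory Service Access": [4662],
    "User Account Management": [4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740,
                                4765, 4766, 4767, 4780, 4781, 4794, 5376, 5377],
    "Computer Account Management": [4741, 4742, 4743],
    "Logon / Logoff": [4624, 4625, 4634, 4647, 4648, 4672, 4778, 4768, 4769,
                       4770, 4771, 4774, 4776],
    "Security Group Management": [4727, 4731, 4754, 4730, 4734, 4758, 4764,
                                  4735, 4737, 4755, 4728, 4729, 4732, 4733,
                                  4756, 4757],
}


def all_event_ids(events: Dict[str, List[int]] = AD_AUDIT_EVENTS) -> List[int]:
    """Flatten the table in the note's order, dropping any duplicate ID."""
    out: List[int] = []
    for ids in events.values():
        out.extend(i for i in ids if i not in out)
    return out


def select_per_id(event_ids: List[int]) -> List[str]:
    """One <Select> per EventID, the layout the gist's config uses."""
    return [
        f"<Select Path=\"Security\">*[System[(EventID='{i}')]]</Select>"
        for i in event_ids
    ]


def select_grouped(event_ids: List[int], per_select: int = 20) -> List[str]:
    """OR several EventIDs inside one XPath predicate (fewer Select lines).

    The Windows event log API rejects a query with more than 22 expressions,
    so the IDs are chunked; 20 per Select is this example's safety margin.
    """
    lines: List[str] = []
    for start in range(0, len(event_ids), per_select):
        chunk = event_ids[start:start + per_select]
        predicate = " or ".join(f"EventID={i}" for i in chunk)
        lines.append(f"<Select Path=\"Security\">*[System[({predicate})]]</Select>")
    return lines


def render_query_directive(selects: List[str], indent: str = "    ") -> str:
    """Emit the multi-line Query directive in NXLog's continuation syntax.

    NXLog joins a directive value across lines when every line except the
    last ends in a backslash, which is why the gist's config looks as it does.
    """
    lines = ["<QueryList>", '<Query Id="0">', *selects, "</Query>", "</QueryList>"]
    out = ["Query " + lines[0] + " \\"]
    out.extend(f"{indent}{line} \\" for line in lines[1:-1])
    out.append(f"{indent}{lines[-1]}")
    return "\n".join(out)


def count_selects(directive: str) -> int:
    """Strip the continuation markers and parse the value as XML.

    Returns the number of <Select> elements; a malformed hand edit raises
    ParseError here instead of surfacing as a rejected NXLog input at start-up.
    """
    xml_text = directive.split(None, 1)[1]          # drop the "Query" keyword
    xml_text = re.sub(r"[ \t]*\\\n", "\n", xml_text)  # remove " \" line joins
    root = ET.fromstring(xml_text)
    return len(root.findall("./Query/Select"))


if __name__ == "__main__":
    ids = all_event_ids()
    directive = render_query_directive(select_grouped(ids))
    print(directive)
    print(f"# {len(ids)} EventIDs in {count_selects(directive)} Select element(s)")
```

Both variants subscribe to the same 53 EventIDs; the grouped form is easier to review in a diff, and `count_selects` is the check to run after any edit, since the per-ID form makes it easy to drop a quote or a bracket in one of fifty near-identical lines.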