Important Event Logs In AD
To audit Active Directory group memberships changes, you must first ensure those changes are recorded somewhere. By default, many important events are not recorded in the event log. To tell Windows to store important Active Directory group membership changes, you must define an audit policy.
Important event logs in AD
An audit policy creates a set of rules that tells Windows and other services to record certain events to the Windows event log it; by default, it would not. Once created, you must then assign the audit policy via Group Policy to target machines (domain controllers in this case).
When modifying an Active Directory group, you will see one of three different events logged in the Security event log depending on the type of group modified; 4728 for a global group, 4732 for a domain-local group, and 4756 for a universal group.
2. Run the Get-WinEvent cmdlet to query the Security event log looking for all events with the ID of 4756, as shown below. This command will return all group membership change events for universal groups.
Active Directory plays a major role in todays networks. It is very important that is properly configured and secured and that provides high availability in case of failure of one or more servers. If bad guys compromised our Active Directory, our network and all services that are integrated with Active Directory might be comprised, too. That is the last thing we want to experience. There are different security mechanisms that can help us to harden our Active Directory servers and mitigate security risk, but also to monitor what is happening inside and outside of the Active Directory environment.
Many security compromises could be discovered early in the event logs. The 2012 Verizon Data Breach Report found that even though 85 percent of breaches took several weeks to be noticed, 84 percent of victims had evidence of the breach in their event logs. This article is about monitoring event logs which can lead us to potential security problems. Here is the story I want to share with you: if trusted domain information was modified or system audit policy was changed > Active Directory will generate event ID 620 and 612 > store it to the corresponding log file > the monitoring software will capture it and inform the IT Team to act immediately. These two IDs are just an example, Active Directory can generate way more events which will be covered in the next part of the article. There are dozens of monitoring solutions that can be used to monitor event logs, but the one I recommend is PRTG Network Monitor. Besides the monitoring of event logs, PRTG can also monitor the complete infrastructure by using different protocols.
In the table below you can find a list of some events that might be generated by your Active Directory server(s). The Current Windows Event ID column lists the events ID in the supported version of Windows Servers, and the Legacy Windows Event ID is related to legacy Windows Servers, such as Windows Server 2003. I hope the legacy list will not be related to your case, but if yes, please update your Windows Servers to the latest version available.
There are three potential criticalities including high, medium and low. According to Microsoft, a potential criticality of High means that one occurrence of the event should be investigated. Potential criticality of Medium or Low means that these events should only be investigated if they occur unexpectedly or in numbers that significantly exceed the expected baseline in a measured period of time.
Note: All organizations should test these recommendations in their environments before creating alerts that require mandatory investigative responses. Every environment is different, and some of the events ranked with a potential criticality of High may occur due to other harmless events.
Two PRTG sensors that can be used to monitor event logs are the WMI Event Log sensor and the Windows API Event Log sensor. The WMI Event Log sensor monitors a specific Windows logfile via Windows Management Instrumentation (WMI). The Event Log (Windows API) sensor monitors Event Log entries using the Windows application programming interface (API).
In the second step, you will need to choose one of the event log sensors and add it to your device. The initial configuration of the sensor is straightforward, choose Logfile Security and then enable Filter by ID and add the event ID in field Match Values (Event ID), as shown in the screenshot below. In this case, PRTG will scan ID 4719 which is related to any system audit policy change. PRTG will check target ID every 60 seconds (default interval, can be adjusted).
Your sensor is added. In order to get the notification in case of new event entries, you will need to create a notification trigger. Navigate to the sensor, click on Notification Triggers and add Change Trigger. In my case, if sensors get new entries, PRTG will send a notification to the Active Directory team by using notification template Inform Active Directory Team via ticketing system, email, SMS, push notification, or others.
Repeat the procedure for other event IDs. Please note that by using Event Log (Windows API) you can enter a comma-separated list of event IDs to add more than one ID to the filter. You can configure notifications for several event sensors by using Multi-Edit or Libraries.
The event clearly showed that the audit policy was changed and who did it, but I needed to be satisfied that we could not get the needed information some other way before logging a case with Microsoft. This is important, as it allows me to demonstrate the powerful Event Viewer features like custom views and sorting/saving filters for Windows Server 2008 R2. Verbose auditing dumps an incredible number of events to the security log with object auditing enabled. With the old Event Viewer, it would be very difficult to sort through these events to get what you want.
Note that while various combinations of auditing can produce some events, there is still no event logged, specifying that the audit policy changed for directory objects. Non-directory objects (files, folders, etc.) log Event ID 4907.
Attempting to sort in the full security log took an incredibly long time; the Custom View filter took only a second or two. Of course the danger is that if you fail to include a necessary event in the filter, it will not show up in the filtered view. In my case I started with a filter for the last hour to limit the events, then found the events that related to my audit and added them to the Event ID field in the filter. As you can see in Figure 5, I have defined a number of custom views for various purposes and they are always available for use.
Another feature I used was the Copy Details to Text feature. To get the details for Event ID 4738 (shown in text above), I would have had to take several screen shots as the information scrolled in the event. In the Windows Server 2008 Event Viewer, just right-click on the event in the list, select Copy > Copy Details as Text and paste it into something like Notepad. This will display all the information for documentation purposes.
Now suppose you wanted to examine all the events for a time period -- say from 8 a.m. to 5 p.m. -- and needed to send those events to a support engineer or just wanted to work on a smaller file. You could simply select the desired events in the Event Viewer, right-click and select Save Selected Events and specify where you wanted it saved (Figure 6). This will make a small event log of just those events, making troubleshooting much simpler and easily transportable.
The new features in the Windows Server 2008 Event Viewer provides great flexibility and powerful filtering not available in previous versions. This allows for excellent data reports to aid in the troubleshooting process. It also helps administrators quickly identify crucial events without wading through a sea of logs to find the ones that are related to the problem.
When you are configuring your event log monitor settings, you need to decide which event log events you need to worry about. Event logs are generated for a wide array of processes, applications, and events. Logs will record both successes and failures. As such, you need to decide what data is most vital and needs your immediate attention.
The types of events you should be worried about are warnings, errors, or failures. These all indicate something is wrong. In some cases, they could even mean a potential hack and data breach. You need to develop an event log monitoring and audit plan to decide which events you want to configure, which ones are important, when to be alerted, and how alerts are delivered.
Keep in mind, there can be other types of events you will want to monitor, such as changes to user permissions, new account creation, account deletion, erasing of event logs, policy changes in AD, etc. These types of events could indicate you have a hacker or malware on your network.
The easiest way to configure your servers, monitor events, and customize what types of events you want to record, track, and be alerted to is to use PA Server Monitor. This monitoring software makes it easy to quickly set up monitoring.
Event Viewer is the native solution for reviewing security logs. It is free and included in the administrative tools package of every Microsoft Windows system. After you enable Active Directory auditing, Windows Server writes events to the Security log on the domain controller. The security event log registers the following information:
Moreover, the native auditing solutions do not provide the complete visibility you need. The data is hard to read due to lack of formatting and the cryptic descriptions. On top of that, the event log search is slow: Even with default log size, you will have to spend significant time waiting for the search to finish, which will delay your threat response.