# AD DS Monitoring and Attack Detection

Zabbix template export (export format 5.0, exported 2021-11-21T21:39:15Z), template group "My Templates".

## Overview
**Template based on MS document "Best Practices for Securing Active Directory"**

## Items & Triggers
- A monitored security event pattern has occurred.
- A replay attack was detected. May be a harmless false positive due to misconfiguration error.
- System audit policy was changed.
- SID History was added to an account.
- An attempt to add SID History to an account failed.
- An attempt was made to set the Directory Services Restore Mode.
- Role separation enabled.
- Special groups have been assigned to a new logon.
- A security setting was updated on the OCSP Responder Service.
- Possible denial-of-service (DoS) attack.
- The audit log was cleared.
- Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.
- SIDs were filtered.
- Backup of data protection master key was attempted.
- Recovery of data protection master key was attempted.
- A new trust was created to a domain.
- Kerberos policy was changed.
- Encrypted data recovery policy was changed.
- The audit policy (SACL) on an object was changed.
- Trusted domain information was modified.
- An attempt was made to reset an account's password.
All 19 items share the same configuration: type Zabbix agent (active) (`ZABBIX_ACTIVE`), update interval `5m`, history `1w`, trends `0`, value type `LOG`, application "Security events". Each item key reads the Windows Security log and filters on the event ID with an anchored regular expression (`eventlog[Security,,,,^<id>$]`). Each item has one trigger with the expression `{logseverity(0)}>1 and {nodata(600)}=0`, i.e. it fires when the most recently received event has a Zabbix log severity above 1 (Information) and the item has received data within the last 600 seconds.

| Item | Key | Trigger name | Severity | Trigger description |
|---|---|---|---|---|
| Windows Security (ID1102) | `eventlog[Security,,,,^1102$]` | The audit log was cleared. | HIGH | The audit log was cleared. |
| Windows Security (ID4618) | `eventlog[Security,,,,^4618$]` | A monitored security event pattern has occurred. | HIGH | A monitored security event pattern has occurred. |
| Windows Security (ID4621) | `eventlog[Security,,,,^4621$]` | Administrator recovered system from CrashOnAuditFail. | AVERAGE | Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. |
| Windows Security (ID4649) | `eventlog[Security,,,,^4649$]` | A replay attack was detected. May be a harmless false positive due to misconfiguration error. | HIGH | A replay attack was detected. May be a harmless false positive due to misconfiguration error. |
| Windows Security (ID4675) | `eventlog[Security,,,,^4675$]` | SIDs were filtered. | AVERAGE | SIDs were filtered. |
| Windows Security (ID4692) | `eventlog[Security,,,,^4692$]` | Backup of data protection master key was attempted. | AVERAGE | Backup of data protection master key was attempted. |
| Windows Security (ID4693) | `eventlog[Security,,,,^4693$]` | Recovery of data protection master key was attempted. | AVERAGE | Recovery of data protection master key was attempted. |
| Windows Security (ID4706) | `eventlog[Security,,,,^4706$]` | A new trust was created to a domain. | AVERAGE | A new trust was created to a domain. |
| Windows Security (ID4713) | `eventlog[Security,,,,^4713$]` | Kerberos policy was changed. | AVERAGE | Kerberos policy was changed. |
| Windows Security (ID4714) | `eventlog[Security,,,,^4714$]` | Encrypted data recovery policy was changed. | AVERAGE | Encrypted data recovery policy was changed. |
| Windows Security (ID4715) | `eventlog[Security,,,,^4715$]` | The audit policy (SACL) on an object was changed. | AVERAGE | The audit policy (SACL) on an object was changed. |
| Windows Security (ID4716) | `eventlog[Security,,,,^4716$]` | Trusted domain information was modified. | AVERAGE | Trusted domain information was modified. |
| Windows Security (ID4719) | `eventlog[Security,,,,^4719$]` | System audit policy was changed. | HIGH | System audit policy was changed. |
| Windows Security (ID4765) | `eventlog[Security,,,,^4765$]` | SID History was added to an account. | HIGH | SID History was added to an account. |
| Windows Security (ID4766) | `eventlog[Security,,,,^4766$]` | An attempt to add SID History to an account failed. | HIGH | An attempt to add SID History to an account failed. |
| Windows Security (ID4794) | `eventlog[Security,,,,^4794$]` | An attempt was made to set the Directory Services Restore Mode. | HIGH | An attempt was made to set the Directory Services Restore Mode. |
| Windows Security (ID4897) | `eventlog[Security,,,,^4897$]` | Role separation enabled. | HIGH | Role separation enabled. |
| Windows Security (ID4964) | `eventlog[Security,,,,^4964$]` | Special groups have been assigned to a new logon. | HIGH | Special groups have been assigned to a new logon. |
| Windows Security (ID5124) | `eventlog[Security,,,,^5124$]` | A security setting was updated on the OCSP Responder Service. | HIGH | A security setting was updated on the OCSP Responder Service. |

The trigger description of ID4693 in the exported template read "Backup of data protection master key was attempted."; it is corrected above to match the item's own description and trigger name.
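The following is an added example, not part of the template or of Zabbix itself. It simulates, offline, what the items and triggers above do: each watched event ID is turned into the template's `eventlog[Security,,,,^<id>$]` key, the key's fifth parameter (the event-ID regexp) is applied to a set of constructed Security log entries, and the trigger expression `{logseverity(0)}>1 and {nodata(600)}=0` is evaluated per item. It goes slightly beyond the template by showing the two ways a trigger stays silent: a matching event that is older than the 600-second `nodata` window, and an event whose level maps to Zabbix log severity 1 (Information). The numeric level codes in `LOGSEVERITY` are taken from the Zabbix eventlog item documentation as I recall it and should be verified against your agent version; the sample log entries are constructed, not real.

```python
"""Simulate the template's eventlog items and triggers over constructed
Windows Security log entries (added example, not part of the template)."""
import re
from dataclasses import dataclass

# Event ID -> (trigger name, trigger priority), copied from the template's items.
WATCHED_EVENTS = {
    1102: ("The audit log was cleared.", "HIGH"),
    4618: ("A monitored security event pattern has occurred.", "HIGH"),
    4621: ("Administrator recovered system from CrashOnAuditFail.", "AVERAGE"),
    4649: ("A replay attack was detected.", "HIGH"),
    4675: ("SIDs were filtered.", "AVERAGE"),
    4692: ("Backup of data protection master key was attempted.", "AVERAGE"),
    4693: ("Recovery of data protection master key was attempted.", "AVERAGE"),
    4706: ("A new trust was created to a domain.", "AVERAGE"),
    4713: ("Kerberos policy was changed.", "AVERAGE"),
    4714: ("Encrypted data recovery policy was changed.", "AVERAGE"),
    4715: ("The audit policy (SACL) on an object was changed.", "AVERAGE"),
    4716: ("Trusted domain information was modified.", "AVERAGE"),
    4719: ("System audit policy was changed.", "HIGH"),
    4765: ("SID History was added to an account.", "HIGH"),
    4766: ("An attempt to add SID History to an account failed.", "HIGH"),
    4794: ("An attempt was made to set the Directory Services Restore Mode.", "HIGH"),
    4897: ("Role separation enabled.", "HIGH"),
    4964: ("Special groups have been assigned to a new logon.", "HIGH"),
    5124: ("A security setting was updated on the OCSP Responder Service.", "HIGH"),
}

# Numeric codes Zabbix assigns to Windows event log levels for logseverity().
# Assumption: taken from the Zabbix eventlog item docs; verify for your version.
LOGSEVERITY = {"Information": 1, "Warning": 2, "Error": 4, "Failure Audit": 7,
               "Success Audit": 8, "Critical": 9, "Verbose": 10}

NODATA_SECONDS = 600  # the {nodata(600)} window used by every trigger


@dataclass
class LogEntry:
    timestamp: int    # epoch seconds when the agent received the entry
    event_id: int
    level: str        # Windows level name, e.g. "Success Audit"
    message: str


def item_key(event_id: int) -> str:
    """Build the template's item key: eventlog[Security,,,,^<id>$]."""
    return f"eventlog[Security,,,,^{event_id}$]"


def key_matches(key: str, entry: LogEntry) -> bool:
    """Apply the key's <eventid> regexp (5th parameter) to one log entry."""
    params = key[len("eventlog["):-1].split(",")
    return re.search(params[4], str(entry.event_id)) is not None


def trigger_fires(matched: list, now: int) -> bool:
    """Mimic {logseverity(0)}>1 and {nodata(600)}=0 on one item's values."""
    if not matched:
        return False  # no values at all: nodata(600)=1, trigger stays OK
    last = max(matched, key=lambda e: e.timestamp)  # logseverity(0): newest value
    fresh = (now - last.timestamp) <= NODATA_SECONDS   # nodata(600)=0
    return LOGSEVERITY.get(last.level, 0) > 1 and fresh


def evaluate(log: list, now: int) -> list:
    """Return (event_id, priority, name) for every trigger in PROBLEM state."""
    problems = []
    for event_id, (name, priority) in WATCHED_EVENTS.items():
        matched = [e for e in log if key_matches(item_key(event_id), e)]
        if trigger_fires(matched, now):
            problems.append((event_id, priority, name))
    return problems


# Constructed sample entries (not real log data).
NOW = 1_700_000_000
SAMPLE_LOG = [
    LogEntry(NOW - 3600, 4719, "Success Audit", "System audit policy was changed."),   # stale
    LogEntry(NOW - 120, 4624, "Success Audit", "An account was successfully logged on."),  # not watched
    LogEntry(NOW - 90, 1102, "Success Audit", "The audit log was cleared."),
    LogEntry(NOW - 30, 4765, "Success Audit", "SID History was added to an account."),
    LogEntry(NOW - 10, 4649, "Information", "A replay attack was detected."),   # severity 1, not > 1
]

if __name__ == "__main__":
    for event_id, priority, name in evaluate(SAMPLE_LOG, NOW):
        print(f"[{priority}] {event_id}: {name}")
```

Run as-is it reports only ID1102 and ID4765: the ID4719 entry is outside the `nodata` window, ID4624 matches no item key, and the ID4649 entry's level maps to severity 1. Note that real Security log entries are always Success Audit or Failure Audit (severity 8 or 7 in the table above), so in practice the `logseverity` half of the expression is always true and the `nodata` half is what turns the trigger off again once no fresh event has arrived for ten minutes.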