zabbix_export: version: '6.0' date: '2021-11-21T21:39:16Z' groups: - uuid: b9390195ecad4986968746a2a9b56354 name: 'My Templates' templates: - uuid: 89ce3597149b4bd986a3ae02fc862070 template: 'AD DS Monitoring and Attack Detection' name: 'AD DS Monitoring and Attack Detection' description: | ## Overview **Template based on MS document "Best Practices for Securing Active Directory"** Items & Triggers A monitored security event pattern has occurred. A replay attack was detected. May be a harmless false positive due to misconfiguration error. System audit policy was changed. SID History was added to an account. An attempt to add SID History to an account failed. An attempt was made to set the Directory Services Restore Mode. Role separation enabled: Special groups have been assigned to a new logon. A security setting was updated on the OCSP Responder Service Possible denial-of-service (DoS) attack The audit log was cleared Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. SIDs were filtered. Backup of data protection master key was attempted. Recovery of data protection master key was attempted. A new trust was created to a domain. Kerberos policy was changed. Encrypted data recovery policy was changed. The audit policy (SACL) on an object was changed. Trusted domain information was modified. An attempt was made to reset an account’s password. groups: - name: 'My Templates' items: - uuid: 33573c0f8f204c769e4f76df36c5a193 name: 'Windows Security (ID1102)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^1102$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'The audit log was cleared.' tags: - tag: Application value: 'Security events' triggers: - uuid: 185aea205c1d44a59319d0c1782b0830 expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^1102$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^1102$],600s)=0' name: 'The audit log was cleared.' priority: HIGH description: 'The audit log was cleared.' - uuid: d16269d4fd1643a3a757cbdce60dd465 name: 'Windows Security (ID4618)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4618$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'A monitored security event pattern has occurred.' tags: - tag: Application value: 'Security events' triggers: - uuid: f408b5f6ec734930922184e8e0c99cd8 expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4618$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4618$],600s)=0' name: 'A monitored security event pattern has occurred.' priority: HIGH description: 'A monitored security event pattern has occurred.' - uuid: 046a62e2ca024291b8d9f67693394c48 name: 'Windows Security (ID4621)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4621$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.' tags: - tag: Application value: 'Security events' triggers: - uuid: b6d72d415ab44860bd270e33a87573bf expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4621$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4621$],600s)=0' name: 'Administrator recovered system from CrashOnAuditFail.' priority: AVERAGE description: 'Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.' - uuid: ed687d6177da4b20b9743058b18c9386 name: 'Windows Security (ID4649)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4649$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'A replay attack was detected. May be a harmless false positive due to misconfiguration error.' tags: - tag: Application value: 'Security events' triggers: - uuid: 6da449d5ad134d858af9ddd7471949e7 expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4649$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4649$],600s)=0' name: 'A replay attack was detected. May be a harmless false positive due to misconfiguration error.' priority: HIGH description: 'A replay attack was detected. May be a harmless false positive due to misconfiguration error.' - uuid: 1810b6b6320240d383d501ca61cf275b name: 'Windows Security (ID4675)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4675$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'SIDs were filtered.' tags: - tag: Application value: 'Security events' triggers: - uuid: eb45923767fe450aa47dcfe3eb2213bf expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4675$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4675$],600s)=0' name: 'SIDs were filtered.' priority: AVERAGE description: 'SIDs were filtered.' - uuid: e7a7d48236c847dca4032645268abf8f name: 'Windows Security (ID4692)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4692$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'Backup of data protection master key was attempted.' tags: - tag: Application value: 'Security events' triggers: - uuid: eeaade36a89c47bfbbd92ee2ad4e71f5 expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4692$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4692$],600s)=0' name: 'Backup of data protection master key was attempted.' priority: AVERAGE description: 'Backup of data protection master key was attempted.' - uuid: a21ab5f1630145f19b87e78a531ca074 name: 'Windows Security (ID4693)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4693$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'Recovery of data protection master key was attempted.' tags: - tag: Application value: 'Security events' triggers: - uuid: 3d8744411ebb41ea9c305b732e3fd9f2 expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4693$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4693$],600s)=0' name: 'Recovery of data protection master key was attempted.' priority: AVERAGE description: 'Backup of data protection master key was attempted.' - uuid: 0983d27e871145fe9f7e4d0e391de4a7 name: 'Windows Security (ID4706)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4706$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'A new trust was created to a domain.' tags: - tag: Application value: 'Security events' triggers: - uuid: d32365ca7f514bcba4fd7e2bb958a975 expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4706$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4706$],600s)=0' name: 'A new trust was created to a domain.' priority: AVERAGE description: 'A new trust was created to a domain.' - uuid: ac64ad065d3d43618232465f997326d0 name: 'Windows Security (ID4713)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4713$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'Kerberos policy was changed.' tags: - tag: Application value: 'Security events' triggers: - uuid: 13a6953f2a7646bda6f639d7c3f66096 expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4713$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4713$],600s)=0' name: 'Kerberos policy was changed.' priority: AVERAGE description: 'Kerberos policy was changed.' - uuid: a6ff13b0a71e496392347c07b842b3d9 name: 'Windows Security (ID4714)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4714$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'Encrypted data recovery policy was changed.' tags: - tag: Application value: 'Security events' triggers: - uuid: b41f1b71f7184efabd8bc6856651e485 expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4714$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4714$],600s)=0' name: 'Encrypted data recovery policy was changed.' priority: AVERAGE description: 'Encrypted data recovery policy was changed.' - uuid: 0e21e50c3897472f9e6fa3d9c2ccc016 name: 'Windows Security (ID4715)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4715$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'The audit policy (SACL) on an object was changed.' tags: - tag: Application value: 'Security events' triggers: - uuid: 7915f689be6d47ac8f2e6490b43840b7 expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4715$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4715$],600s)=0' name: 'The audit policy (SACL) on an object was changed.' priority: AVERAGE description: 'The audit policy (SACL) on an object was changed.' - uuid: 1ac54e2aa17545a085a6a16c47968402 name: 'Windows Security (ID4716)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4716$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'Trusted domain information was modified.' tags: - tag: Application value: 'Security events' triggers: - uuid: b7541e370e6f4b9da560e06689b1277e expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4716$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4716$],600s)=0' name: 'Trusted domain information was modified.' priority: AVERAGE description: 'Trusted domain information was modified.' - uuid: d85961cb2a6243d8b37ae5637b119913 name: 'Windows Security (ID4719)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4719$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'System audit policy was changed.' tags: - tag: Application value: 'Security events' triggers: - uuid: 2c0f82f99d354dadbe78baaec144ca83 expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4719$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4719$],600s)=0' name: 'System audit policy was changed.' priority: HIGH description: 'System audit policy was changed.' - uuid: 5ee1feecddba4a6091b33bb87ac303e7 name: 'Windows Security (ID4765)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4765$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'SID History was added to an account.' tags: - tag: Application value: 'Security events' triggers: - uuid: a487677ce69a4413ac546d1833f51fab expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4765$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4765$],600s)=0' name: 'SID History was added to an account.' priority: HIGH description: 'SID History was added to an account.' - uuid: 1d834f4c207b4475b757614288034d12 name: 'Windows Security (ID4766)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4766$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'An attempt to add SID History to an account failed.' tags: - tag: Application value: 'Security events' triggers: - uuid: c94eebe949af4d709ac3af264620ded8 expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4766$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4766$],600s)=0' name: 'An attempt to add SID History to an account failed.' priority: HIGH description: 'An attempt to add SID History to an account failed.' - uuid: ebe785f574c34355a804fde24f0696c5 name: 'Windows Security (ID4794)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4794$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'An attempt was made to set the Directory Services Restore Mode.' tags: - tag: Application value: 'Security events' triggers: - uuid: a0ea0b45172349098afd703272107c7c expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4794$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4794$],600s)=0' name: 'An attempt was made to set the Directory Services Restore Mode.' priority: HIGH description: 'An attempt was made to set the Directory Services Restore Mode.' - uuid: fb338de56acc4806b36e83b784e40fd6 name: 'Windows Security (ID4897)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4897$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'Role separation enabled.' tags: - tag: Application value: 'Security events' triggers: - uuid: f52470d0cd5a4d9bba7b75aa0b463fa6 expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4897$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4897$],600s)=0' name: 'Role separation enabled.' priority: HIGH description: 'Role separation enabled.' - uuid: ffafab1a7bbc431dad40bc8e0c6c8615 name: 'Windows Security (ID4964)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^4964$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'Special groups have been assigned to a new logon.' tags: - tag: Application value: 'Security events' triggers: - uuid: 90304dde61524c9bbbc947e2f7dc1c2d expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4964$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^4964$],600s)=0' name: 'Special groups have been assigned to a new logon.' priority: HIGH description: 'Special groups have been assigned to a new logon.' - uuid: 4803301328a94f6184cfe2376788ee57 name: 'Windows Security (ID5124)' type: ZABBIX_ACTIVE key: 'eventlog[Security,,,,^5124$]' delay: 5m history: 1w trends: '0' value_type: LOG description: 'A security setting was updated on the OCSP Responder Service.' tags: - tag: Application value: 'Security events' triggers: - uuid: 1c72af6be4e940c1b18e4069e60d2a88 expression: 'logseverity(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^5124$])>1 and nodata(/AD DS Monitoring and Attack Detection/eventlog[Security,,,,^5124$],600s)=0' name: 'A security setting was updated on the OCSP Responder Service' priority: HIGH description: 'A security setting was updated on the OCSP Responder Service'