Logging custom events (i.e. 4662) to trigger alerts

  • Question

  • Can we customise the event forwarding to include additional triggers?

    i.e. if we were to use LAPS to manage password changes on local machines, can we trigger a 'sensitive attribute' event ID that logs access to sensitive AD attributes? It would be useful to show this level of sensitive access in ATA (along with changes to sensitive groups).

    LAPS: https://blogs.msdn.microsoft.com/laps/2015/06/01/laps-and-password-storage-in-clear-text-in-ad/

    I appreciate this is straying away from DC traffic, but does loosely fall under threat analytics :D

    Tuesday, May 17, 2016 12:51 PM

All replies

  • Hi,

    The only supported event for forwarding is 4776. ATA automatically reads the events on the DC itself and others if you have a normal GW.

    Regards

    Wednesday, May 18, 2016 4:50 AM
  • That is wrong, you need to set up event collection even with normal GW, as GW and LGW can only read forwarded events for the time being.
    Wednesday, May 18, 2016 6:20 AM
  • Going back to the original question, can ATA provide any visibility into read activity against the ms-Mcs-AdmPwd attribute? At least in our environment, access of more than one password attribute per hour (or even day) would be pretty unusual.

    It's my understanding that the ms-Mcs-AdmPwd attribute access isn't audited, so ATA's LDAP access would seem to give it a uniquely good vantage point.


    Friday, March 30, 2018 1:01 PM
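Added example, not part of the thread or of ATA: a detection sketch for the threshold the last reply describes (more than one ms-Mcs-AdmPwd read per user per hour), run over constructed Windows Security event 4662 records. It assumes 4662 auditing is enabled via a SACL on the computer objects, that the records have already been parsed into dicts, and that the attribute's schemaIDGUID is the placeholder shown (look up the real value in your schema).

```python
from collections import defaultdict
from datetime import datetime

# Placeholder for the schemaIDGUID of ms-Mcs-AdmPwd; replace with your schema's value.
ADMPWD_ATTR_GUID = "{00000000-0000-0000-0000-0000000ad9d1}"
UNRELATED_GUID = "{11111111-2222-3333-4444-555555555555}"  # constructed, some other attribute
READ_PROP = 0x10  # ADS_RIGHT_DS_READ_PROP: the AccessMask bit for a property read


def _ev(time, user, host, mask="0x10", guid=ADMPWD_ATTR_GUID):
    """Build one constructed, already-parsed 4662 record (fields named after the event's)."""
    return {"time": time, "user": user, "access_mask": mask, "properties": [guid],
            "object": f"CN={host},OU=Workstations,DC=corp,DC=local"}


# Constructed sample: one legitimate reader, one helpdesk user pulling three passwords
# in one hour, a LAPS client write (AccessMask 0x20) and a read of an unrelated attribute.
SAMPLE_4662 = [
    _ev("2018-03-30T09:05:00", "svc-laps-reader", "WS01"),
    _ev("2018-03-30T10:10:00", "helpdesk1", "WS02"),
    _ev("2018-03-30T10:15:00", "admin2", "WS05"),
    _ev("2018-03-30T10:20:00", "helpdesk1", "WS03"),
    _ev("2018-03-30T10:40:00", "helpdesk1", "WS04"),
    _ev("2018-03-30T11:00:00", "WS06$", "WS06", mask="0x20"),  # write, not a read
    _ev("2018-03-30T11:30:00", "helpdesk1", "WS07", guid=UNRELATED_GUID),
]


def admpwd_reads(events, attr_guid=ADMPWD_ATTR_GUID):
    """Keep only 4662 records that are property reads naming the AdmPwd attribute GUID."""
    for ev in events:
        if int(ev["access_mask"], 16) & READ_PROP == 0:
            continue  # writes and other access types are not what we are looking for
        if attr_guid.lower() not in (g.lower() for g in ev["properties"]):
            continue  # a read, but of some other attribute
        yield ev


def flag_excessive_readers(events, max_per_hour=1, attr_guid=ADMPWD_ATTR_GUID):
    """Return {(user, hour): [objects]} for users reading more than max_per_hour
    distinct computers' AdmPwd values within one clock hour."""
    per_bucket = defaultdict(set)
    for ev in admpwd_reads(events, attr_guid):
        hour = datetime.fromisoformat(ev["time"]).strftime("%Y-%m-%dT%H")
        per_bucket[(ev["user"], hour)].add(ev["object"])
    return {k: sorted(v) for k, v in per_bucket.items() if len(v) > max_per_hour}


if __name__ == "__main__":
    for (user, hour), objs in flag_excessive_readers(SAMPLE_4662).items():
        print(f"{user} read {len(objs)} LAPS passwords in hour {hour}: {objs}")
```

On a live system the `Properties` field of a real 4662 record is a newline-separated string of GUIDs that must be split before it matches the list shape used here.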