
How to Track Active Directory Account and Group Membership Changes?

Audit Active Directory Account and Group Membership Changes To Azure Sentinel

Out of the box, Microsoft Azure Sentinel does not receive Active Directory user account and group membership changes.

The “Security Events” data connector can ingest the event IDs for these activities, but it only forwards what the domain controllers actually log, and the audit policy that produces these events is disabled on a DC by default. It therefore has to be enabled on the domain controllers first.

Event IDs in the connector’s “Common” set (as documented at the time of writing):

1, 299, 300, 324, 340, 403, 404, 410, 411, 412, 413, 431, 500, 501, 1100, 1102, 1107, 1108, 4608, 4610, 4611, 4614, 4622, 4624, 4625, 4634, 4647, 4648, 4649, 4657, 4661, 4662, 4663, 4665, 4666, 4667, 4688, 4670, 4672, 4673, 4674, 4675, 4689, 4697, 4700, 4702, 4704, 4705, 4716, 4717, 4718, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4733, 4732, 4735, 4737, 4738, 4739, 4740, 4742, 4744, 4745, 4746, 4750, 4751, 4752, 4754, 4755, 4756, 4757, 4760, 4761, 4762, 4764, 4767, 4768, 4771, 4774, 4778, 4779, 4781, 4793, 4797, 4798, 4799, 4800, 4801, 4802, 4803, 4825, 4826, 4870, 4886, 4887, 4888, 4893, 4898, 4902, 4904, 4905, 4907, 4931, 4932, 4933, 4946, 4948, 4956, 4985, 5024, 5033, 5059, 5136, 5137, 5140, 5145, 5632, 6144, 6145, 6272, 6273, 6278, 6416, 6423, 6424, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8222, 26401, 30004

Note that the Common set does not cover every group event: 4730 (global group deleted), 4731 and 4734 (domain local group created/deleted) and 4758 (universal group deleted) are absent from the list above, so choose “All events” or a custom set in the connector if you need those.

For more documentation visit:

https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events

To enable auditing in Active Directory, follow these steps:

Step 1: Enable Active Directory Auditing through Group Policy

  1. Type GPMC.MSC in the “Run” box and press “Enter.” The “Group Policy Management” console opens.
  2. Go to “Forest” → “Domains” → “domain.com” in the left panel.
  3. Right-click the “Default Domain Policy” or any customized domain-wide policy. (We recommend creating a new GPO, linking it to the domain, and editing that one rather than the default policy.)
  4. Select “Edit” to open “Group Policy Management Editor.”

Next, navigate to “Computer Configuration” → “Policies” → “Windows Settings” → “Security Settings” → “Local Policies” → “Audit Policy”. These are Computer Configuration settings, so what matters is that the GPO applies to the domain controllers: it is the DCs that write the account and group events.

Figure 1: Group Policy Management Editor
  1. Open the properties of “Audit account management” (user and group changes) and of “Audit directory service access” (object-level changes, which additionally need the SACL configured in Step 2).
  2. Click to select the “Define these policy settings” option.
  3. Select both the “Success” and “Failure” checkboxes so that successful and failed operations are audited.
  4. Now close “Group Policy Management Editor”.
  5. After closing it, you are back in the “Group Policy Management Console”. Select the GPO that you have modified.
  6. In the “Security Filtering” section in the right pane, click “Add” to apply this GPO. Type “Everyone” in the dialog box that opens, click “Check Names” and then “OK” to add the value.
  7. Close “Group Policy Management Console”.
  8. It is recommended to update Group Policy right away so that the change takes effect without waiting for the refresh interval. gpupdate refreshes only the computer it is run on, so run the following at a Command Prompt or in the “Run” box on each domain controller:
    gpupdate /force

If Advanced Audit Policy Configuration (“Security Settings” → “Advanced Audit Policy Configuration”) is already used in your domain, its subcategory settings override the legacy “Audit Policy” categories above. In that case enable the “Account Management” and “DS Access” subcategories there instead, so that the two do not disagree.
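As an added example (not part of the original post), the auditpol equivalent of Step 1, run in an elevated PowerShell on a domain controller. It enables the audit subcategories that produce the events this post relies on, then prints the effective setting so the change can be verified. It assumes English subcategory names, which are localized on non-English DCs.

```powershell
# Added example, not from the original post: enable and verify the audit
# subcategories behind the events used in this post with auditpol.exe.
# Run elevated on each domain controller (or push the same settings through a
# GPO under Advanced Audit Policy Configuration).
# Assumption: English subcategory names (they are localized on non-English DCs).

# Subcategory -> the event IDs it produces that matter here
$subcategories = [ordered]@{
    'User Account Management'  = '4720, 4722-4726, 4738, 4740'
    'Security Group Management' = '4727-4735, 4737, 4754-4758'
    'Directory Service Changes' = '5136, 5137 (also needs a SACL, see Step 2)'
    'Directory Service Access'  = '4662 (also needs a SACL, see Step 2)'
}

foreach ($name in $subcategories.Keys) {
    # Success and Failure, matching the two checkboxes in the GPO
    auditpol.exe /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$name'" }
}

# Verify: auditpol prints the effective setting for each subcategory
foreach ($name in $subcategories.Keys) {
    Write-Host "== $name (events: $($subcategories[$name]))"
    auditpol.exe /get /subcategory:"$name"
}

# Unless this value is 0, configured subcategory settings override the legacy
# "Audit Policy" categories from Step 1, so the two must not disagree.
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').SCENoApplyLegacyAuditPolicy
```

auditpol /get also shows at a glance whether a setting you pushed by GPO actually arrived on the DC, which is the first thing to check when the expected events never reach Sentinel.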

Step 2: Enable Auditing of Active Directory through ADSI edit

  1. Open “ADSI Edit” from “Administrative Tools” (in the “Start Menu” or in “Control Panel”).
  2. Right-click the ADSI Edit node in the left panel and select “Connect To”.

In the “Connection Settings” window, select “Default Naming Context” in the “Select a well known Naming Context” drop-down menu.

Figure 2: Connection Settings for ADSI Edit
  1. Click “OK” to connect to the Default Naming Context of the domain. It appears in the left tree pane, just below the top ADSI Edit node.
  2. Expand “Default Naming Context [dc.www.domain.com]” and select the top node under it.
  3. Right-click this top node (the one with the fully qualified domain name) and click “Properties” in the context menu.
  4. In the properties, switch to the “Security” tab and click the “Advanced” button to open “Advanced Security Settings for www”.

Switch to the “Auditing” tab and click the “Add” button to add a new auditing entry. The “Auditing Entry for www” window opens.


Figure 3: Auditing Entry window

  1. Click “Select a principal” and add “Everyone”.
  2. Select the type “Success” and, under “Applies to”, “This object and descendant objects.”
  3. Under “Permissions,” click “Full Control” to select every check box, then clear the following four so that read operations are not audited (auditing reads on the whole naming context would flood the Security log with 4662 events):
    • Full Control
    • List contents
    • Read all properties
    • Read permissions
  4. Click “OK”.
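The same auditing entry can be added with the ActiveDirectory module instead of ADSI Edit. The block below is an added example, not code from the original post: it writes the entry described in Step 2 (Everyone, Success, this object and descendant objects, Full Control minus the three read rights) to the domain root and reads the SACL back. It assumes the ActiveDirectory module (RSAT) is available and the session runs as a Domain Admin, which on a DC also carries the SeSecurityPrivilege needed to change a SACL.

```powershell
# Added example, not from the original post: PowerShell equivalent of Step 2.
# Assumptions: ActiveDirectory module present, run as a Domain Admin on a DC
# (or a host with RSAT); changing a SACL requires SeSecurityPrivilege.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$path     = "AD:\$domainDn"

# -Audit is required to read (and later write back) the SACL
$acl = Get-Acl -Path $path -Audit

# "Everyone" by well-known SID so the script is locale independent
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

# Full Control minus List contents, Read all properties and Read permissions:
# auditing reads on the whole naming context would flood the Security log.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, ListObject, ExtendedRight, Delete, WriteDacl, WriteOwner'

$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $everyone,
    $rights,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # this object and all descendants
)

$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: list the audit entries for Everyone on the domain root
(Get-Acl -Path $path -Audit).Audit |
    Where-Object { $_.IdentityReference -like '*Everyone' } |
    Format-Table IdentityReference, AuditFlags, InheritanceType, ActiveDirectoryRights -AutoSize
```

Because the entry is inherited by every descendant object, it is worth running the verification against a few child OUs as well; an explicit “This object only” entry lower in the tree, or a container with inheritance blocked, will silently leave those objects unaudited.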

Step 3: Track Group Membership changes through Event Viewer

  1. To track the changes in Active Directory, open “Windows Event Viewer” and go to “Windows Logs” → “Security.” Use “Filter Current Log” in the right pane to find the relevant events. The following are some of the events related to group membership changes.

Event ID 4727 indicates that a security-enabled global group was created.

Figure 4: A security-enabled group is created

The following screenshot shows more detail of this event.

Figure 5: Showing details. Test Group 1 is created.

  • Event ID 4728 indicates that a member was added to a security-enabled global group.
  • Event ID 4729 indicates that a member was removed from a security-enabled global group.
  • Event ID 4730 indicates that a security-enabled global group was deleted.

These four IDs apply to global groups only. Domain local and universal groups log their own IDs for the same actions: 4731/4732/4733/4734 for domain local groups and 4754/4756/4757/4758 for universal groups, and changes to the group object itself are 4735, 4737 and 4755. User account changes are 4720 (created), 4726 (deleted) and 4738 (changed). In each event the “Subject” section identifies who made the change, “Group” the group affected and, for 4728/4729 and their equivalents, “Member” the account that was added or removed.

The following screenshot filters all events related to changes in Active Directory group memberships.

Figure 6: Different events visible in the Event Viewer
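The Event Viewer filter above can be reproduced in PowerShell, which also lets you pull the fields an analyst needs (who changed which group, and which member) by name instead of reading them off the message text. The block below is an added example, not part of the original post. It parses a constructed 4728 event so it runs offline, and on a domain controller runs the same parser over the live Security log; DC01, DOMAIN, the SIDs and “Test Group 1” are placeholders.

```powershell
# Added example, not from the original post: parse group-membership events into
# the fields an analyst needs. Sample event below is constructed; on a DC the
# same function runs over the live Security log.

# Global, domain local and universal groups each have their own event IDs.
# 4727-4730 (global groups) are the ones shown in the screenshots above.
$groupEvents = @{
    4727 = 'Group created (global)';    4730 = 'Group deleted (global)'
    4728 = 'Member added (global)';     4729 = 'Member removed (global)'
    4731 = 'Group created (local)';     4734 = 'Group deleted (local)'
    4732 = 'Member added (local)';      4733 = 'Member removed (local)'
    4754 = 'Group created (universal)'; 4758 = 'Group deleted (universal)'
    4756 = 'Member added (universal)';  4757 = 'Member removed (universal)'
}

function ConvertFrom-GroupEvent {
    # Takes the event as XML (what Get-WinEvent's ToXml() returns) and reads the
    # EventData fields by name instead of relying on their position in the message.
    param([Parameter(Mandatory)][string]$EventXml)

    $xml    = [xml]$EventXml
    $idNode = $xml.Event.System.EventID
    # Classic events carry a Qualifiers attribute, in which case the text sits in '#text'
    $id = if ($idNode -is [string]) { [int]$idNode } else { [int]$idNode.'#text' }
    if (-not $groupEvents.ContainsKey($id)) { return }

    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time    = [datetime]$xml.Event.System.TimeCreated.SystemTime
        EventId = $id
        Action  = $groupEvents[$id]
        Group   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Member  = $data['MemberName']      # DN of the member; empty for create/delete
        Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        DC      = $xml.Event.System.Computer
    }
}

# Constructed sample: a 4728 (member added to a global security group), trimmed
# to the fields used here. Real events carry a few more <Data> elements.
$sample4728 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4728</EventID>
    <TimeCreated SystemTime="2021-03-01T10:15:00.000Z" />
    <Computer>DC01.domain.com</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">CN=Jane Doe,CN=Users,DC=domain,DC=com</Data>
    <Data Name="MemberSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="TargetUserName">Test Group 1</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="TargetSid">S-1-5-21-1-2-3-1106</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1-2-3-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@

ConvertFrom-GroupEvent $sample4728 | Format-List

# On a domain controller: the same parser over the last 7 days of the Security log.
# -ErrorAction SilentlyContinue keeps the script quiet where the log is not readable.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$groupEvents.Keys; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-GroupEvent $_.ToXml() } |
    Format-Table Time, EventId, Action, Group, Member, Actor -AutoSize
```

Once the Security Events connector is forwarding these IDs, the same fields are available in Sentinel’s SecurityEvent table as the EventID, TargetUserName, MemberName, SubjectUserName and SubjectDomainName columns, so an analytics rule can key on exactly the values this parser extracts.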

About me

Samant is a Microsoft Security Consultant currently working at Softlanding in Vancouver, CA. Microsoft Certified DevOps Engineer and Microsoft Certified O365 Enterprise Administrator Expert. Carries extensive experience working with the Microsoft Security Stack with clients ranging from small to large scale. Proficient in deploying, managing, tuning and analysing Microsoft Azure Sentinel as a SIEM and a SOAR, Microsoft Defender ATP, Azure ATP and Microsoft Cloud App Security.
Built and created automations around deploying and managing infrastructure, security and cloud with PowerShell, Python, JavaScript and REST APIs.
