Alert when - Additions to critical Active Directory groups such as Domain Admins, Enterprise Admins, Key Management Groups, Network Administrators, Security Administrators, Remote Access are performed and ensure an authorization for the access is present.
I also want to set up an Alert when - local administrative accounts are created. Could someone help me on this?
Hi, We have a search running that does the same thing. Here is the base for it, add in any other groups you need to.
Or, convert it to use a lookup table of AD Groups instead,
index=wineventlog sourcetype="XmlWinEventLog:Security" EventID=4728 (Target_User_Name="Domain Admins" OR Target_User_Name="Enterprise Admins" OR Target_User_Name="DHCP Administrators" OR Target_User_Name="DNSAdmins" OR Target_User_Name="Schema Admins" OR Target_User_Name="Cert Publishers")