Configure SCOM to monitor changes to security groups

The security team have a new audit requirement to monitor changes to critical AD groups (Domain Admins, etc.). Does the AD MP monitor this, and if not, does anyone know how I could configure SCOM to do so?


We've been using a simple Event Log rule for critical group adds/removes, targeted at Active Directory Domain Controller Computer Role (or a specific DC):

Log: Security

Expression:

AND
    EventID Equals 4728 (for Adds; 4729 for Removes)
    OR GROUP
        Parameter 3 Equals Group1
        Parameter 3 Equals Group2
        etc.

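As an added example that is not part of the original post: the same match the rule above makes, run directly against a domain controller's Security log with PowerShell, so the group list and the parameter position can be checked before the SCOM rule is built. It goes beyond the post in one respect: 4728/4729 only fire for security-enabled global groups. Enterprise Admins and Schema Admins are universal groups (4756 added / 4757 removed) and the built-in Administrators group is domain local (4732 / 4733), and all six events carry the group name in Parameter 3 and the group's domain in Parameter 4, so the same filter covers them. The DC name, the group list and the seven-day window are placeholders, not values from the thread.

```powershell
# Added example, not from the thread. Replays the SCOM event-rule match against a
# DC's Security log. Placeholders (assumptions): $DomainController, $WatchedGroups.
$DomainController = 'DC01'
$WatchedGroups    = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# 4728/4729 = global group add/remove (what the original rule uses).
# 4756/4757 = universal group (Enterprise Admins, Schema Admins).
# 4732/4733 = domain local group (built-in Administrators).
$MembershipEventIds = 4728, 4729, 4732, 4733, 4756, 4757
$Action = @{ 4728 = 'added'; 4732 = 'added'; 4756 = 'added'
             4729 = 'removed'; 4733 = 'removed'; 4757 = 'removed' }

# All six events share the same EventData layout, so the same property
# positions apply. SCOM "Parameter N" is 1-based; Properties[] is 0-based:
#   Param 1 MemberName  (DN of the account)   -> Properties[0]
#   Param 2 MemberSid                          -> Properties[1]
#   Param 3 TargetUserName (group name)        -> Properties[2]  <- the rule's "Parameter 3"
#   Param 4 TargetDomainName                   -> Properties[3]
#   Param 7 SubjectUserName (who made change)  -> Properties[6]
#   Param 8 SubjectDomainName                  -> Properties[7]
$filter = @{
    LogName   = 'Security'
    Id        = $MembershipEventIds
    StartTime = (Get-Date).AddDays(-7)
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches.
Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $WatchedGroups -contains $_.Properties[2].Value } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Action    = $Action[[int]$_.Id]
            Group     = '{0}\{1}' -f $_.Properties[3].Value, $_.Properties[2].Value
            Member    = $_.Properties[0].Value
            MemberSid = $_.Properties[1].Value
            ChangedBy = '{0}\{1}' -f $_.Properties[7].Value, $_.Properties[6].Value
            DC        = $_.MachineName
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Run it against each DC (or a list of them), since a membership change is logged only on the DC that processed the write; that is also why the SCOM rule is targeted at the Domain Controller role rather than a single server. If the output is empty for a change you know happened, check that "Audit Security Group Management" is enabled on the DCs before blaming the rule.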

A bit more info regarding the event rule monitor solution:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/b3a7dc9c-3571-4275-8e24-2655e5fb9612/monitor-active-directory-group-changes?forum=winserverDS

You should check out this: https://blogs.technet.microsoft.com/nathangau/2017/05/01/introducing-the-security-monitoring-management-pack-for-scom/. This includes security group monitoring and other security checks.

I'm struggling with how to present this data in Squared Up. Has anyone figured out the right criteria in a tile to display, for example, when someone gets added to the Domain Admins group? I've confirmed the alerts are in the SCOM DW using a SQL query on event ID 4728. I tried this, but it's showing nothing:

AlertParams LIKE '%CORPORATE\Domain Admins%' OR Description LIKE '%CORPORATE\Domain Admins%'

I even tried:

(AlertParams LIKE '%CORPORATE\Domain Admins%' OR Description LIKE '%CORPORATE\Domain Admins%') AND (AlertParams LIKE '%4728%' OR Description LIKE '%4728%')
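An added check (example code, not from the thread) for the criteria problem above: dump the Description and parameter list of the alerts the rule actually raised, using the OperationsManager PowerShell module, and see whether the text the LIKE criterion expects is really in them. One thing to look for: event 4728 carries the group name (Parameter 3, "Domain Admins") and its domain (Parameter 4, "CORPORATE") as two separate fields, so the string "CORPORATE\Domain Admins" only exists in an alert if the rule's alert description was written that way. The management server name and the alert name are placeholders; the `Context` XML field names are an assumption about the event-rule alert context layout, not something the thread confirms.

```powershell
# Added example, not from the thread. Shows what the 4728/4729 alerts really contain
# so a Squared Up LIKE criterion can be written against what is stored.
# Placeholders (assumptions): the management server and the alert name.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'SCOMMS01' | Out-Null

$alertName    = 'Critical AD group membership change'
$watchedGroup = 'Domain Admins'

Get-SCOMAlert -Criteria "Name = '$alertName'" |
    Where-Object { $_.Description -like "*$watchedGroup*" } |
    Select-Object -First 5 |
    ForEach-Object {
        # Assumed layout: event-rule alerts keep the source event as a DataItem in
        # $_.Context; EventDisplayNumber is the Windows event ID (4728/4729).
        $eventId = $null
        try { $eventId = ([xml]$_.Context).DataItem.EventDisplayNumber } catch { }

        [pscustomobject]@{
            TimeRaised      = $_.TimeRaised
            EventId         = $eventId
            Description     = $_.Description
            # $_.Parameters is the alert parameter list the rule's alert definition
            # populated; this is what AlertParams is matched against.
            Parameters      = ($_.Parameters -join ' | ')
            # True only if the description literally contains DOMAIN\Group. The raw
            # event never does: group name and group domain are separate fields.
            HasDomainSlash  = $_.Description -like '*CORPORATE\Domain Admins*'
            HasGroupName    = $_.Description -like "*$watchedGroup*"
        }
    } |
    Format-List
```

If HasDomainSlash is False and HasGroupName is True, the `'%CORPORATE\Domain Admins%'` pattern cannot match and the criterion needs to target the text that is actually stored (the bare group name, or whatever the rule's alert description template produces). The Parameters column shows whether the group name made it into AlertParams at all, or only into the Description.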