The security team have a new audit requirement to monitor changes to critical AD groups (Domain Admins etc.). Does the AD MP monitor this, and if not, does anyone know how I could configure SCOM to do so?
We’ve been using a simple Event Log rule for critical group adds/removes, targeted at the Active Directory Domain Controller Computer Role (or a specific DC):
Log: Security
Expression:
  AND
    EventID Equals 4728 (for Adds — 4729 for Removes)
    OR GROUP
      Parameter 3 Equals Group1
      Parameter 3 Equals Group2
      etc.
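The same rule logic, written out as an added example (not code from the thread or from the AD MP) so it can be run over sample events offline: the filter is (EventID equals 4728 or 4729) AND (Parameter 3, which the rule above treats as the group name, is one of the watched groups). The event records below are constructed sample data, and the group names in CRITICAL_GROUPS are assumptions. The example goes one step beyond the rule as posted: 4728/4729 are raised only for security-enabled global groups, so the optional ALL_GROUP_EVENTS set also includes the domain-local (4732/4733) and universal (4756/4757) equivalents, which share the same parameter layout.

```python
"""Detection logic for critical AD group membership changes.

Added example mirroring the SCOM event rule in the thread; not the thread's
or the management pack's code. All events below are constructed samples.
"""
from dataclasses import dataclass

# Event IDs named in the thread: security-enabled GLOBAL group add/remove
EVENT_GLOBAL_ADD = 4728
EVENT_GLOBAL_REMOVE = 4729
GLOBAL_GROUP_EVENTS = frozenset({EVENT_GLOBAL_ADD, EVENT_GLOBAL_REMOVE})

# Same event family for domain-local (4732/4733) and universal (4756/4757) groups.
# A rule limited to 4728/4729 will not see changes to those group types.
ADD_EVENTS = frozenset({4728, 4732, 4756})
REMOVE_EVENTS = frozenset({4729, 4733, 4757})
ALL_GROUP_EVENTS = ADD_EVENTS | REMOVE_EVENTS

# Assumed watch list; the thread uses "Group1", "Group2" as placeholders.
CRITICAL_GROUPS = frozenset({"Domain Admins", "Enterprise Admins", "Administrators"})

# SCOM numbers insertion strings from 1; the rule compares "Parameter 3".
PARAM_MEMBER = 1
PARAM_GROUP_NAME = 3
PARAM_SUBJECT_USER = 7


@dataclass(frozen=True)
class SecurityEvent:
    event_id: int
    time: str
    computer: str
    params: tuple  # insertion strings in Event Log order


def param(event, number):
    """Return Parameter <number> (1-based, as SCOM names them) or None if absent."""
    idx = number - 1
    return event.params[idx] if idx < len(event.params) else None


def matches_rule(event, watched_groups=CRITICAL_GROUPS, event_ids=GLOBAL_GROUP_EVENTS):
    """(EventID in event_ids) AND (Parameter 3 equals one of the watched groups)."""
    if event.event_id not in event_ids:
        return False
    group = param(event, PARAM_GROUP_NAME)
    return group is not None and group in watched_groups


def to_alert(event):
    """Flatten a matching event into the fields an operator needs to triage."""
    action = "added to" if event.event_id in ADD_EVENTS else "removed from"
    return {
        "time": event.time,
        "dc": event.computer,
        "group": param(event, PARAM_GROUP_NAME),
        "member": param(event, PARAM_MEMBER),
        "changed_by": param(event, PARAM_SUBJECT_USER),
        "action": action,
        "event_id": event.event_id,
    }


def evaluate(events, watched_groups=CRITICAL_GROUPS, event_ids=GLOBAL_GROUP_EVENTS):
    """Apply the rule to a sequence of events and return one alert per match."""
    return [to_alert(e) for e in events if matches_rule(e, watched_groups, event_ids)]


# Constructed sample events (params follow the 4728-family layout:
# MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid,
# SubjectUserSid, SubjectUserName, ...).
SAMPLE_EVENTS = [
    SecurityEvent(4728, "2024-01-01T08:00:00", "DC01",
                  ("CN=jdoe,OU=Users,DC=corp,DC=example", "S-1-5-21-1-1-1-1105",
                   "Domain Admins", "CORP", "S-1-5-21-1-1-1-512",
                   "S-1-5-21-1-1-1-500", "admin1")),
    SecurityEvent(4728, "2024-01-01T08:05:00", "DC01",
                  ("CN=asmith,OU=Users,DC=corp,DC=example", "S-1-5-21-1-1-1-1106",
                   "Marketing", "CORP", "S-1-5-21-1-1-1-2001",
                   "S-1-5-21-1-1-1-500", "admin1")),
    SecurityEvent(4729, "2024-01-01T09:00:00", "DC02",
                  ("CN=jdoe,OU=Users,DC=corp,DC=example", "S-1-5-21-1-1-1-1105",
                   "Domain Admins", "CORP", "S-1-5-21-1-1-1-512",
                   "S-1-5-21-1-1-1-500", "admin1")),
    # Domain-local group: only caught when ALL_GROUP_EVENTS is used.
    SecurityEvent(4732, "2024-01-01T09:30:00", "DC02",
                  ("CN=svc-backup,OU=Svc,DC=corp,DC=example", "S-1-5-21-1-1-1-1200",
                   "Administrators", "Builtin", "S-1-5-32-544",
                   "S-1-5-21-1-1-1-500", "admin1")),
    SecurityEvent(4624, "2024-01-01T09:31:00", "DC02", ("-", "-", "admin1")),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, event_ids=ALL_GROUP_EVENTS):
        print(alert)
```

Running the block with the default event set yields two alerts (the Domain Admins add and remove); passing `event_ids=ALL_GROUP_EVENTS` also surfaces the Builtin\Administrators change, which a 4728/4729-only rule silently misses.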
A bit more info regarding the event rule monitor solution:
You should check out this: https://blogs.technet.microsoft.com/nathangau/2017/05/01/introducing-the-security-monitoring-management-pack-for-scom/. This includes security group monitoring and other security checks.
I’m struggling with how to present this data in Squared UP. Has anyone figured out the right criteria in a tile to display, for example, when someone gets added to the Domain Admins group? I’ve confirmed the alerts are in the SCOM DW using a SQL query on event ID 4728. I tried this but it’s showing nothing:
AlertParams LIKE '%CORPORATE\Domain Admins%' OR Description LIKE '%CORPORATE\Domain Admins%'
I even tried:
(AlertParams LIKE '%CORPORATE\Domain Admins%' OR Description LIKE '%CORPORATE\Domain Admins%') AND (AlertParams LIKE '%4728%' OR Description LIKE '%4728%')