Monitor AD group change with OSSEC


Carlton Whitmore

Sep 15, 2014, 12:45:41 PM
to securit...@googlegroups.com
I have OSSEC agent installed and running on my Domain Controller (Windows 2008 R2).
I'd like to set up OSSEC to monitor an Active Directory group and notify me via email and on the console when that group is changed, but I can't find the info in the OSSEC docs. Can someone help?
Setup is Standalone with one sensor.

Doug Burks

Sep 15, 2014, 4:22:41 PM
to securit...@googlegroups.com
Hi Carlton,

I'd probably start by looking at these rules in
/var/ossec/rules/msauth_rules.xml:

<rule id="18203" level="5">
<if_sid>18114</if_sid>
<id>^632$|^4728$</id>
<description>Security Enabled Global Group Member Added</description>
<group>group_changed,win_group_changed,</group>
<info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632</info>
</rule>

<rule id="18204" level="5">
<if_sid>18114</if_sid>
<id>^633$|^4729$</id>
<description>Security Enabled Global Group Member Removed</description>
<group>group_changed,win_group_changed,</group>
<info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=633</info>
</rule>

If you just want to monitor a particular group, then you probably want
to create child rules in /var/ossec/rules/local_rules.xml using
<if_sid> and <match> to look for your group of interest. Then set the
<level> high enough to trigger an email.

Also see:
https://code.google.com/p/security-onion/wiki/Email#How_do_I_configure_OSSEC_to_send_emails?
> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
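As an added example (not part of this thread and not Security Onion's or OSSEC's own rule set), here is what the child rules Doug describes could look like in /var/ossec/rules/local_rules.xml. Assumptions: the group of interest is "Domain Admins", the manager's <email_alert_level> is left at 7 (so level 10 is high enough to send mail), and rule IDs 100010 and 100011 are unused in the local range.

```xml
<!-- Added example for local_rules.xml; not from the thread.
     Assumed: watched group "Domain Admins", email_alert_level 7,
     rule IDs 100010/100011 free. -->
<group name="local,win_group_changed,">

  <!-- Member added to the watched group: child of built-in rule 18203,
       which already matches event IDs 632 (2003) and 4728 (2008+). -->
  <rule id="100010" level="10">
    <if_sid>18203</if_sid>
    <!-- <match> is a plain substring test against the decoded event text.
         "Group Name: Domain Admins" would be tighter if that is how the
         DC renders the field; check a real event first. -->
    <match>Domain Admins</match>
    <description>Member added to Domain Admins group</description>
    <group>group_changed,win_group_changed,</group>
  </rule>

  <!-- Member removed from the watched group: child of 18204 (632/4729). -->
  <rule id="100011" level="10">
    <if_sid>18204</if_sid>
    <match>Domain Admins</match>
    <description>Member removed from Domain Admins group</description>
    <group>group_changed,win_group_changed,</group>
  </rule>

</group>
```

After restarting the OSSEC server process, paste a real 4728/4729 line from the DC into /var/ossec/bin/ossec-logtest and confirm it reports rule 100010 or 100011 (not just 18203/18204) before relying on the email. Because <match> is a substring test, the bare pattern above would also fire if the group name appeared in another field of the event, such as a member account name; narrowing it to the exact "Group Name:" text as it appears in your events avoids that.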

Abid Raza

Mar 21, 2019, 7:31:19 AM
to security-onion
Hi Doug,

I am going through the same situation. I need to monitor Active Directory change activities like user account creation, removal, account lockout, etc. All rules are there in msauth.xml, but I am not getting alerts when these activities happen. Also, I have checked that agents are active on my Domain Controllers. Furthermore, email notifications are working fine from the OSSEC server.

Please let me know if I am missing something.

Abid

Wes Lambert

Mar 21, 2019, 8:08:54 AM
to securit...@googlegroups.com
You can read about alert classifications here:


To make changes with regard to email alerting or logging, you can edit the following in /var/ossec/etc/.conf on the manager node:




--
Follow Security Onion on Twitter!
https://twitter.com/securityonion

Wes Lambert

Mar 21, 2019, 8:09:33 AM
to securit...@googlegroups.com
<alerts>
  <log_alert_level>1</log_alert_level>
  <email_alert_level>7</email_alert_level>
</alerts>

Thanks,
Wes

Kevin Branch

Mar 21, 2019, 10:39:22 AM
to securit...@googlegroups.com
When you say you are not getting alerts, do you mean you are not getting emailed when an event that should have alerted occurred, or do you mean you can't find the expected alerts at all in Kibana? If not at all, then do you see any events of any kind in Kibana from the Domain Controllers (in particular eventlog/eventchannel alerts)?

Kevin

On Thu, Mar 21, 2019 at 7:31 AM Abid Raza <san...@primaticsfinancial.com.pk> wrote: