Monitor Active Directory with Wazuh


TheLotus 24

Jan 11, 2024, 12:51:11 PM
to Wazuh | Mailing List
Greetings to everyone, could you help me? I am trying to get the events of creating, modifying and deleting users in my local AD and show them in Wazuh. I have already integrated my agent on my machine with local AD, but it only shows me two types of user events: those that are logged in and those that are logged out, but no more. I can't find documentation on the official Wazuh website and I can't find relevant documentation to be able to apply it.

If someone has done it and applied it correctly, it would help me a lot.

Leandro David Sayanes

Jan 11, 2024, 2:48:13 PM
to Wazuh | Mailing List
Hi TheLotus 24! 

To monitor the creation, modification and deletion of users in local AD and display them in Wazuh, you can create rules on the Wazuh server to detect IoCs in Windows security events and system events monitored by Sysmon.

I think you have here the documentation you need:
You can also take a look at this thread:
If you have any problem, do not hesitate to ask us!

TheLotus 24

Jan 12, 2024, 7:59:37 AM
to Wazuh | Mailing List
Do you know the specific rule that I must add in local_rules.xml so that it can show me who added, modified and deleted a user in Active Directory? I see that attacks are simulated in the documentation.

Leandro David Sayanes

Jan 17, 2024, 2:59:18 PM
to Wazuh | Mailing List
Hi TheLotus 24! 
To monitor user modifications in Active Directory using Wazuh, you will need to create a custom rule in the local_rules.xml file. Unfortunately, without more information about the specific modifications you want to monitor, it is not possible to provide a specific rule. Could you provide me with log entries?

If you want to know how to do it, you can check these links:
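A set of custom rules of the kind Leandro describes, added here as a constructed example and not something posted in the thread. It assumes a Wazuh 4.x manager, that the agent on the domain controller collects the Security channel with the eventchannel log format, and that the "Audit User Account Management" policy is enabled on the DC (otherwise events 4720, 4726 and 4738 are never written and there is nothing to match); the rule IDs 100100-100103, levels and MITRE mappings are my own choices.

```xml
<!-- Constructed example for /var/ossec/etc/rules/local_rules.xml on the Wazuh manager.
     IDs 100100-100103 sit in the 100000-119999 range reserved for custom rules. -->
<group name="windows,active_directory,account_management,">

  <!-- Catch-all for user-account management events in the Security channel;
       children below refine it into readable alerts for create/delete/modify. -->
  <rule id="100100" level="5">
    <if_group>windows</if_group>
    <field name="win.system.channel">^Security$</field>
    <field name="win.system.eventID">^4720$|^4722$|^4723$|^4724$|^4725$|^4726$|^4738$</field>
    <description>AD user account management event $(win.system.eventID) on $(win.system.computer)</description>
  </rule>

  <!-- 4720: a user account was created -->
  <rule id="100101" level="8">
    <if_sid>100100</if_sid>
    <field name="win.system.eventID">^4720$</field>
    <description>AD user $(win.eventdata.targetUserName) created by $(win.eventdata.subjectUserName)</description>
    <mitre><id>T1136.002</id></mitre>
  </rule>

  <!-- 4726: a user account was deleted -->
  <rule id="100102" level="8">
    <if_sid>100100</if_sid>
    <field name="win.system.eventID">^4726$</field>
    <description>AD user $(win.eventdata.targetUserName) deleted by $(win.eventdata.subjectUserName)</description>
    <mitre><id>T1531</id></mitre>
  </rule>

  <!-- 4738: a user account was changed (attributes, UAC flags, password options) -->
  <rule id="100103" level="7">
    <if_sid>100100</if_sid>
    <field name="win.system.eventID">^4738$</field>
    <description>AD user $(win.eventdata.targetUserName) modified by $(win.eventdata.subjectUserName)</description>
    <mitre><id>T1098</id></mitre>
  </rule>

</group>
```

After saving the file, restart wazuh-manager and paste a captured 4720 event into /var/ossec/bin/wazuh-logtest to confirm that rule 100101 fires before relying on it.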