Monitor Group Policy Object changes on Windows AD

[prithvis...@unotechsoft.com]

Hi community,

I'm trying to monitor GPO(Group Policy Object) changes in my Windows Active-Directory. The Wazuh alert for this with *rule.id 20053* for *EventID 4719* of the windows event viewer does not contain enough information. Is there any way to solve this challenge. Can anyone suggest any powershell script to monitor GPO changes and generate subsequent alerts for this?

Thank you

[pablo....@wazuh.com]

Hi, sorry for the late response. The rule 20053 gives a generic alert: `Windows Audit Policy changed` because it is triggered with different events: 612,643,4719,4907,4912. A way to obtain more information of the Events is to create customs rules for every Windows event. For example:

If I want to remark the alerts of the Windows Event 4719: "System audit policy was changed", I can write the rule:

<rule id="100000" level="8">

    <if_sid>20053</if_sid>

    <field name="EventChannel.System.EventID">^4719$</field>

    <description>System audit policy was changed.</description>

    <options>no_full_log</options>

    <group>policy_changed,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,</group>

</rule>

That way the rule will alert you specifically what part of the audit configuration has been modified. I use the label <if_sid> because I can maintain the rule 20053 for the events that I don't need to remark and I will avoid duplicate alerts.

If I you have any doubt or I can help you in anything else, it will be a pleasure.

Regards, Pablo.

[prithvis...@unotechsoft.com]

Hi,

Thank you for your response. The custom child rule will only change the description of the rule. What I wanted is for the Event ID 4719 there are certain fields whose values are in codes, not their text value. I wanted to know if there is a way to get these values. I have attached a screenshot for your reference. The fields I want are data.EventChannel.EventData.AuditPolicyChanges and data.EventChannel.EventData.SubcategoryGuid. 

[pablo....@wazuh.com]

Hi,

This feature is going to be implemented in the next version of Wazuh (3.9). Here you can see the issue in our GitHub repository: https://github.com/wazuh/wazuh/issues/2937
It has the Pull Request referenced inside if you are interested in it.

Wazuh 3.9 is coming out soon, please stay tuned and thanks for using Wazuh.

Regards, Pablo.

[prithvis...@unotechsoft.com]

Hi,

Thank you so much for this information and I am looking forward for this update as it is exactly the issue I was facing. Any idea on when would Wazuh 3.9.0 be released?

[Javier Castro]

Hello,

sorry for the late reply.

Last Wazuh version is v3.9.2.

Let us know if you have problems upgrading.

Regards.