Goal: Tracking User Logon Activity using Logon and Logoff Events in LDAP or Domain Controller


Yolanda Prieto

Nov 7, 2017, 6:10:42 PM
to Wazuh mailing list
Hi All,

I want to track user logon activity using Logon and Logoff events in LDAP or a Domain Controller (installing the agent on the Domain Controller or LDAP server).

This is done via the Audit Policy (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy): double-click on the policy setting Audit account logon events, check Success and Failure audit, and click OK to have successfully configured account logon and logon failure audit events.


Has someone created a rule to catch this event on the controller?

What would be the rule_id (if it exists) and what would be the if_sid (if it exists)?



(I had a similar configuration to detect PNP Windows devices:

<rule id="100003" level="12">
<if_sid>18104</if_sid>
<id>^6416$</id>
<description>Windows: PNP device connected</description>
</rule>)


Please advise.

Thanks and Regards

  Yolanda Prieto




Yolanda Prieto

Nov 13, 2017, 1:27:50 PM
to Wazuh mailing list
Hi All
Following up on this topic, I found that some rules are already present to accomplish this goal:
From:
I saw these rules:

Could those rules cover all of the following events?
Audit policy settings under Security Settings\Advanced Audit Policy Configuration are available in the following categories:
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System
Global Object Access Auditing

Or would we need to set some custom rules to be able to catch all those events?
Where can I find information regarding this topic?
Thanks for any advice
Regards
  Yolanda Prieto


<group name="windows,">
<rule id="700001" level="5">
<if_sid>18119</if_sid>
<match>Logon Type: 2</match>
<description>Windows Console Logon</description>
</rule>

<rule id="700002" level="5">
<if_sid>18104</if_sid>
<id>^528$|^540$|^672$|^673$|^4624$|^4769$</id>
<match>Logon Type: 2</match>
<description>Windows Console Logon</description>
</rule>

<rule id="700003" level="5">
<if_sid>18104</if_sid>
<id>^528$|^540$|^672$|^673$|^4624$|^4769$</id>
<match>Logon Type: 3</match>
<description>Windows Network Logon</description>
</rule>

<rule id="700004" level="5">
<if_sid>18104</if_sid>
<id>^528$|^540$|^672$|^673$|^4624$|^4769$</id>
<match>Logon Type: 7</match>
<description>Windows Workstation Lock</description>
</rule>

<rule id="700005" level="5">
<if_sid>18104</if_sid>
<id>^528$|^540$|^672$|^673$|^4624$|^4769$</id>
<match>Logon Type: 10</match>
<description>Windows RDP-TS Logon</description>
</rule>

</group>
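As an added illustration (not part of the thread or of Wazuh's own code), the following Python mirrors how rules 700002-700005 quoted above match: the parent 18104 is assumed here to be the Windows audit-success rule, `<id>` is a regex on the event ID, and `<match>` is a substring test on the event text. It runs the logic over constructed sample events, including a service logon (type 5), a failed logon (4625) and a logoff (4634), to show which events these rules do not cover.

```python
import re

# Child rules quoted in the thread (700002-700005): same parent 18104 and the same
# <id> pattern, differing only in the <match> substring on the logon type.
ID_PATTERN = re.compile(r"^528$|^540$|^672$|^673$|^4624$|^4769$")
CHILD_RULES = [
    (700002, "Logon Type: 2", "Windows Console Logon"),
    (700003, "Logon Type: 3", "Windows Network Logon"),
    (700004, "Logon Type: 7", "Windows Workstation Lock"),
    (700005, "Logon Type: 10", "Windows RDP-TS Logon"),
]

def classify(event_id, audit_success, message):
    """Return (rule_id, description) of the first child rule that would fire,
    or None. Parent 18104 is assumed to be the Windows audit-success rule, so a
    failure audit never reaches the children, whatever its event id."""
    if not audit_success or not ID_PATTERN.search(str(event_id)):
        return None
    for rule_id, needle, desc in CHILD_RULES:
        if needle in message:          # Wazuh <match> is a plain substring test
            return rule_id, desc
    return None

# Constructed sample events (not real captures); text trimmed to the part the
# rules look at. 4625 (failed logon) and 4634 (logoff) are standard Windows IDs
# that the quoted rules do not list.
SAMPLES = [
    (4624, True,  "An account was successfully logged on. Logon Type: 3"),
    (4624, True,  "An account was successfully logged on. Logon Type: 10"),
    (4624, True,  "An account was successfully logged on. Logon Type: 5"),
    (4625, False, "An account failed to log on. Logon Type: 3"),
    (4634, True,  "An account was logged off. Logon Type: 3"),
]

def run_samples():
    """Classify every sample; None means no quoted rule fires for that event."""
    return [classify(*sample) for sample in SAMPLES]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, run_samples()):
        print(sample[0], "->", result)
```

Only the first two samples fire (700003 and 700005); the service logon, the failed logon and the logoff all fall through, which is why separate rules are needed for logoff and failure tracking.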


Yolanda Prieto

Jan 11, 2018, 2:29:17 PM
to Wazuh mailing list
Hi All


Any ideas or answers on this topic?
I am still waiting for any help.
Thanks and regards
  Yolanda