GPO Events not logged


Fran Hernandez

Feb 18, 2022, 2:56:22 AM2/18/22
to Wazuh mailing list
Hi, there are some Windows events related to Active Directory auditing that are stored in archives with level 0.

It would be interesting to have some win-active-directory rule to secure AD environments with all the log IDs coming from advanced audit group policy.


Here are some examples: 

  • 5136 – Group Policy changes, value changes, links, unlinks.
  • 5137 – Group Policy creations.
  • 5141 – Group Policy deletions.

Is there any rule XML for that purpose that can be shared?

Thanks!

Daniel Folch

Mar 2, 2022, 5:12:49 AM3/2/22
to Wazuh mailing list

Hello,

Wazuh can capture and analyze eventchannel logs with logcollector; in this documentation you can find how to do this:
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html

You can easily write a rule that triggers on an event ID, for example, in your case:

<group name="windows,local,">
  <!-- Chain to the base windows_eventchannel rule so this only runs on eventchannel logs -->
  <rule id="100001" level="8">
    <if_sid>60000</if_sid>
    <field name="win.system.eventID">^5136$</field>
    <options>alert_by_email</options>
    <description>Group Policy changes, value changes, links, unlinks.</description>
  </rule>
</group>

If you have any further questions do not hesitate to ask.

Regards,
Daniel Folch
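An added example (not Daniel's rule and not part of the Wazuh ruleset) that covers all three event IDs from the original question in one parent rule and then narrows 5136 to Group Policy objects, since 5136 fires for any modified directory object, not only GPOs. It assumes rule 60000 is Wazuh's base windows_eventchannel rule and that the event's ObjectClass, ObjectDN and SubjectUserName data items are decoded as win.eventdata.objectClass, win.eventdata.objectDN and win.eventdata.subjectUserName.

```xml
<group name="windows,active_directory,gpo,">
  <!-- Parent rule: any of the three directory-service audit events
       (5136 modified, 5137 created, 5141 deleted). Rule 60000 is
       assumed to be Wazuh's base windows_eventchannel rule. -->
  <rule id="100010" level="5">
    <if_sid>60000</if_sid>
    <field name="win.system.eventID">^5136$|^5137$|^5141$</field>
    <description>Directory Service object modified, created or deleted (event $(win.system.eventID))</description>
    <mitre>
      <id>T1484.001</id>
    </mitre>
  </rule>

  <!-- Child rule: raise the level only when the object is a Group Policy
       container. Field name win.eventdata.objectClass is assumed from the
       event's ObjectClass data item. -->
  <rule id="100011" level="8">
    <if_sid>100010</if_sid>
    <field name="win.eventdata.objectClass">^groupPolicyContainer$</field>
    <options>alert_by_email</options>
    <description>Group Policy object $(win.eventdata.objectDN) changed by $(win.eventdata.subjectUserName) (event $(win.system.eventID))</description>
  </rule>
</group>
```

Place this in local_rules.xml on the manager and restart it; the parent rule keeps other directory-object changes visible at a lower level while GPO changes alert at level 8.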
