
MyHumio.com


Monitor builtin security groups

created by Administrator at 2022-04-27

Approved
  • Description

    With this you can monitor your built-in security groups. If a user changes one of the groups, you get a notification.

     

    The query uses the German localized group names; for English users you have to change the group names.

     

    When you create an action, you can use this as a template.

     

    Use custom email subject:

    AD Group {field:winlog.event_data.TargetUserName} changed by {field:winlog.event_data.SubjectUserName}

     

    Message Body Template

    <table>
    <tr><th>Date/Time: </th><td>{triggered_timestamp}</td></tr>
    <tr><th>Initiator: </th><td>{field:winlog.event_data.SubjectUserName}</td></tr>
    <tr><th>Group affected: </th><td>{field:winlog.event_data.TargetUserName}</td></tr>
    <tr><th>Action: </th><td>{field:group.action}</td></tr>
    <tr><th>Member changed: </th><td>{field:winlog.event_data.MemberName}</td></tr>
    </table>
     

  • Alerts
    ("winlog.event_data.TargetUserName" = "Administratoren"
    or "winlog.event_data.TargetUserName" = "Domänen-Admins"
    or "winlog.event_data.TargetUserName" = "Druck-Operatoren"
    or "winlog.event_data.TargetUserName" = "Hyper-V-Administratoren"
    or "winlog.event_data.TargetUserName" = "Konten-Operatoren"
    or "winlog.event_data.TargetUserName" = "Kryptografie-Operatoren"
    or "winlog.event_data.TargetUserName" = "Leistungsprotokollbenutzer"
    or "winlog.event_data.TargetUserName" = "Netzwerkkonfigurations-Operatoren"
    or "winlog.event_data.TargetUserName" = "Prä-Windows 2000 kompatibler Zugriff"
    or "winlog.event_data.TargetUserName" = "Remotedesktopbenutzer"
    or "winlog.event_data.TargetUserName" = "Remoteverwaltungsbenutzer"
    or "winlog.event_data.TargetUserName" = "Replikations-Operator"
    or "winlog.event_data.TargetUserName" = "Server-Operatoren"
    or "winlog.event_data.TargetUserName" = "Sicherungs-Operatoren"
    or "winlog.event_data.TargetUserName" = "Storage Repl. Admin"
    or "winlog.event_data.TargetUserName" = "System Managed Accounts Group"
    or "winlog.event_data.TargetUserName" = "Systemmonitorbenutzer"
    or "winlog.event_data.TargetUserName" = "Windows-Autorisierungszugriffsgruppe"
    or "winlog.event_data.TargetUserName" = "Zertifikatdienst-DCOM-Zugriff"
    or "winlog.event_data.TargetUserName" = "Zugriffssteuerungs-Unterstützungsoperatoren"
    or "winlog.event_data.TargetUserName" = "Organisations-Admins"
    or "winlog.event_data.TargetUserName" = "Schema-Admins"
    ) and (
    "winlog.event_id" = 4732
    or "winlog.event_id" = 4733
    or "winlog.event_id" = 4728
    or "winlog.event_id" = 4729
    or "winlog.event_id" = 4756
    or "winlog.event_id" = 4757
    )
    | regex("Gruppe wurde (?<group.action>\\S+)\\.")
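    The alert query and the e-mail action template can be exercised offline before the package is deployed. The following Python script is an added example, not part of this package and not Humio's own code: it applies the same group-name and event-ID filter to constructed winlogbeat-style JSON records, extracts group.action with the page's regex, and renders the subject and body from the template. The sample records, the account and member names, and the German message wording (written so that the regex matches) are constructed; the MONITORED_GROUPS set is the page's list and can be swapped for the English-locale names through the groups parameter. It also shows two things a practitioner wants to know in advance: winlog.event_id may arrive as a number or as a string depending on the shipper version, and a message in a different locale yields an empty group.action rather than an error.

```python
import json
import re
from html import escape

# Built-in security groups from the package's query (German localized names).
# On English-locale domain controllers replace these with the English names.
MONITORED_GROUPS = {
    "Administratoren", "Domänen-Admins", "Druck-Operatoren",
    "Hyper-V-Administratoren", "Konten-Operatoren", "Kryptografie-Operatoren",
    "Leistungsprotokollbenutzer", "Netzwerkkonfigurations-Operatoren",
    "Prä-Windows 2000 kompatibler Zugriff", "Remotedesktopbenutzer",
    "Remoteverwaltungsbenutzer", "Replikations-Operator", "Server-Operatoren",
    "Sicherungs-Operatoren", "Storage Repl. Admin", "System Managed Accounts Group",
    "Systemmonitorbenutzer", "Windows-Autorisierungszugriffsgruppe",
    "Zertifikatdienst-DCOM-Zugriff", "Zugriffssteuerungs-Unterstützungsoperatoren",
    "Organisations-Admins", "Schema-Admins",
}

# Security-enabled group membership changes covered by the query.
MONITORED_EVENT_IDS = {
    4728: "member added to global group", 4729: "member removed from global group",
    4732: "member added to local group", 4733: "member removed from local group",
    4756: "member added to universal group", 4757: "member removed from universal group",
}

# Same pattern as the page's regex("Gruppe wurde (?<group.action>\\S+)\\.");
# Python group names cannot contain a dot, so the capture is named "action".
ACTION_RE = re.compile(r"Gruppe wurde (?P<action>\S+)\.")

SUBJECT_TEMPLATE = "AD Group {target} changed by {subject}"
BODY_TEMPLATE = (
    "<table>\n"
    "<tr><th>Date/Time: </th><td>{timestamp}</td></tr>\n"
    "<tr><th>Initiator: </th><td>{subject}</td></tr>\n"
    "<tr><th>Group affected: </th><td>{target}</td></tr>\n"
    "<tr><th>Action: </th><td>{action}</td></tr>\n"
    "<tr><th>Member changed: </th><td>{member}</td></tr>\n"
    "</table>"
)


def match_event(record, groups=MONITORED_GROUPS):
    """Apply the package's alert filter to one winlogbeat-style record.

    Returns the notification fields, or None when the record is not a
    membership change on a monitored group.
    """
    winlog = record.get("winlog", {})
    data = winlog.get("event_data", {})
    try:
        # event_id is a number in some shipper versions and a string in
        # others; normalize before comparing.
        event_id = int(winlog.get("event_id"))
    except (TypeError, ValueError):
        return None
    target = data.get("TargetUserName")
    if target not in groups or event_id not in MONITORED_EVENT_IDS:
        return None
    m = ACTION_RE.search(record.get("message", ""))
    return {
        # The package template uses {triggered_timestamp} (alert time);
        # the event timestamp stands in for it here.
        "timestamp": record.get("@timestamp", ""),
        "subject": data.get("SubjectUserName", ""),
        "target": target,
        "member": data.get("MemberName", ""),
        # Mirrors group.action: empty when the localized message does not
        # match the regex, which is the symptom of a locale mismatch.
        "action": m.group("action") if m else "",
        "event_id": event_id,
    }


def render_notification(fields):
    """Render the subject line and HTML body of the package's e-mail action."""
    safe = {k: escape(str(v)) for k, v in fields.items()}
    return SUBJECT_TEMPLATE.format(**safe), BODY_TEMPLATE.format(**safe)


def alerts_from_lines(lines, groups=MONITORED_GROUPS):
    """Run the filter over newline-delimited JSON records; return (subject, body) pairs."""
    alerts = []
    for line in lines:
        if line.strip():
            fields = match_event(json.loads(line), groups)
            if fields:
                alerts.append(render_notification(fields))
    return alerts


# Constructed sample records (not real log data). The German message text is
# written so that the package's regex matches; the last record carries an
# English message to show the empty group.action of a locale mismatch.
SAMPLE_LOG = """
{"@timestamp": "2022-04-27T08:15:02Z", "message": "Mitglied zur sicherheitsaktivierten globalen Gruppe wurde hinzugefügt.", "winlog": {"event_id": 4728, "event_data": {"SubjectUserName": "admin.jdoe", "TargetUserName": "Domänen-Admins", "MemberName": "CN=Max Mustermann,CN=Users,DC=example,DC=test"}}}
{"@timestamp": "2022-04-27T08:16:40Z", "message": "Mitglied aus sicherheitsaktivierter universeller Gruppe wurde entfernt.", "winlog": {"event_id": "4757", "event_data": {"SubjectUserName": "svc.idm", "TargetUserName": "Schema-Admins", "MemberName": "CN=Erika Musterfrau,CN=Users,DC=example,DC=test"}}}
{"@timestamp": "2022-04-27T08:17:05Z", "message": "Mitglied zur sicherheitsaktivierten globalen Gruppe wurde hinzugefügt.", "winlog": {"event_id": 4728, "event_data": {"SubjectUserName": "admin.jdoe", "TargetUserName": "Vertrieb", "MemberName": "CN=Max Mustermann,CN=Users,DC=example,DC=test"}}}
{"@timestamp": "2022-04-27T08:18:30Z", "message": "Ein Benutzerkonto wurde erstellt.", "winlog": {"event_id": 4720, "event_data": {"SubjectUserName": "admin.jdoe", "TargetUserName": "Administratoren"}}}
{"@timestamp": "2022-04-27T08:19:11Z", "message": "A member was added to a security-enabled local group.", "winlog": {"event_id": 4732, "event_data": {"SubjectUserName": "admin.jdoe", "TargetUserName": "Administratoren", "MemberName": "CN=Max Mustermann,CN=Users,DC=example,DC=test"}}}
"""

if __name__ == "__main__":
    for subject, body in alerts_from_lines(SAMPLE_LOG.splitlines()):
        print(subject)
        print(body)
        print()
```

    Run as a script, the five constructed records produce three notifications: the two German membership changes on monitored groups, and the English-locale record, whose Action cell is empty because the regex found no "Gruppe wurde ..." text. The change to the unmonitored group "Vertrieb" and the account-creation event 4720 are dropped by the filter, exactly as the Humio query drops them.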