MyHumio.com
Monitor builtin security groups
created by Administrator at 2022-04-27
-
Description
With this query you can monitor your built-in security groups. If a user changes one of these groups, you get a notification.
For English installations you have to change the group names (the query below uses the German localized names).
When you create an action, you can use this as a template.
Use custom email subject:
AD Group {field:winlog.event_data.TargetUserName} changed by {field:winlog.event_data.SubjectUserName}
Message Body Template
<table>
<tr><th>Date/Time: </th><td>{triggered_timestamp}</td></tr>
<tr><th>Initiator: </th><td>{field:winlog.event_data.SubjectUserName}</td></tr>
<tr><th>Group affected: </th><td>{field:winlog.event_data.TargetUserName}</td></tr>
<tr><th>Action: </th><td>{field:group.action}</td></tr>
<tr><th>Member changed: </th><td>{field:winlog.event_data.MemberName}</td></tr>
</table>
-
Alerts
("winlog.event_data.TargetUserName" = "Administratoren"
or "winlog.event_data.TargetUserName" = "Domänen-Admins"
or "winlog.event_data.TargetUserName" = "Druck-Operatoren"
or "winlog.event_data.TargetUserName" = "Hyper-V-Administratoren"
or "winlog.event_data.TargetUserName" = "Konten-Operatoren"
or "winlog.event_data.TargetUserName" = "Kryptografie-Operatoren"
or "winlog.event_data.TargetUserName" = "Leistungsprotokollbenutzer"
or "winlog.event_data.TargetUserName" = "Netzwerkkonfigurations-Operatoren"
or "winlog.event_data.TargetUserName" = "Prä-Windows 2000 kompatibler Zugriff"
or "winlog.event_data.TargetUserName" = "Remotedesktopbenutzer"
or "winlog.event_data.TargetUserName" = "Remoteverwaltungsbenutzer"
or "winlog.event_data.TargetUserName" = "Replikations-Operator"
or "winlog.event_data.TargetUserName" = "Server-Operatoren"
or "winlog.event_data.TargetUserName" = "Sicherungs-Operatoren"
or "winlog.event_data.TargetUserName" = "Storage Repl. Admin"
or "winlog.event_data.TargetUserName" = "System Managed Accounts Group"
or "winlog.event_data.TargetUserName" = "Systemmonitorbenutzer"
or "winlog.event_data.TargetUserName" = "Windows-Autorisierungszugriffsgruppe"
or "winlog.event_data.TargetUserName" = "Zertifikatdienst-DCOM-Zugriff"
or "winlog.event_data.TargetUserName" = "Zugriffssteuerungs-Unterstützungsoperatoren"
or "winlog.event_data.TargetUserName" = "Organisations-Admins"
or "winlog.event_data.TargetUserName" = "Schema-Admins"
) and (
"winlog.event_id" = 4732
or "winlog.event_id" = 4733
or "winlog.event_id" = 4728
or "winlog.event_id" = 4729
or "winlog.event_id" = 4756
or "winlog.event_id" = 4757
)
| regex("Gruppe wurde (?<group.action>\\S+)\\.")
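The alert logic above, as an added Python example that is not part of the original entry: it applies the same group-name and event-id filter and the same regex extraction to a few constructed winlogbeat-style events (the group list is a subset, and the message text is constructed to fit the page's regex rather than copied from a real Windows event), then renders the custom email subject.

```python
import json
import re

# Groups watched by the page's alert (German localized names); subset for the example
WATCHED_GROUPS = {"Administratoren", "Domänen-Admins", "Schema-Admins",
                  "Organisations-Admins", "Sicherungs-Operatoren"}
# Member added/removed for local (4732/4733), global (4728/4729), universal (4756/4757) groups
GROUP_CHANGE_EVENT_IDS = {4732, 4733, 4728, 4729, 4756, 4757}
# Same extraction as the page's regex(); the sample messages below are constructed to fit it
ACTION_RE = re.compile(r"Gruppe wurde (?P<action>\S+)\.")

# Constructed winlogbeat-style events (NDJSON). Only the first two should alert.
SAMPLE_LOG = """\
{"winlog": {"event_id": 4728, "event_data": {"TargetUserName": "Domänen-Admins", "SubjectUserName": "jdoe", "MemberName": "CN=Eve,OU=Users,DC=example,DC=local"}}, "message": "Gruppe wurde hinzugefügt."}
{"winlog": {"event_id": 4733, "event_data": {"TargetUserName": "Administratoren", "SubjectUserName": "svc-admin", "MemberName": "CN=Bob,OU=Users,DC=example,DC=local"}}, "message": "Gruppe wurde entfernt."}
{"winlog": {"event_id": 4728, "event_data": {"TargetUserName": "Vertrieb", "SubjectUserName": "jdoe", "MemberName": "CN=Eve,OU=Users,DC=example,DC=local"}}, "message": "Gruppe wurde hinzugefügt."}
{"winlog": {"event_id": 4624, "event_data": {"TargetUserName": "Administratoren", "SubjectUserName": "jdoe"}}, "message": "Anmeldung erfolgreich."}
"""

def match_event(event):
    """Return the alert fields for one event, or None when the page's filter does not match."""
    winlog = event.get("winlog", {})
    data = winlog.get("event_data", {})
    event_id = int(winlog.get("event_id", 0))  # winlogbeat may ship the id as a string
    if event_id not in GROUP_CHANGE_EVENT_IDS:
        return None
    group = data.get("TargetUserName")
    if group not in WATCHED_GROUPS:
        return None
    found = ACTION_RE.search(event.get("message", ""))
    return {
        "event_id": event_id,
        "group": group,
        "initiator": data.get("SubjectUserName"),
        "member": data.get("MemberName"),
        "action": found.group("action") if found else None,  # None if the text does not match
    }

def scan_log(ndjson_text):
    """Run the filter over newline-delimited JSON events and return the alerts in order."""
    events = (json.loads(line) for line in ndjson_text.splitlines() if line.strip())
    return [hit for hit in map(match_event, events) if hit]

def email_subject(hit):
    """Render the page's custom subject line for one alert."""
    return f"AD Group {hit['group']} changed by {hit['initiator']}"
```

Calling scan_log(SAMPLE_LOG) yields two alerts, one for the add to Domänen-Admins and one for the removal from Administratoren; the sales-group change and the logon event are filtered out.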