SCC Active Directory Audit

SCC.Active.Directory.Audit :: 1.0.0.55 (Management Pack)

Management Pack Elements

Classes (1)

| DisplayName | ID | Base Class | Abstract | Hosted | Singleton | Group | Extension | Accessibility |
|---|---|---|---|---|---|---|---|---|
| Windows 2008 Active Directory Audit Target | SCC.Active.Directory.Audit.Win2008.AuditTarget | Microsoft.Windows.ApplicationComponent | False | True | False | False | False | Internal |

Relationship Types (1)

| DisplayName | ID | Source | Target | Accessibility | Abstract |
|---|---|---|---|---|---|
| Windows 2008 DC Hosts Audit Target | SCC.Active.Directory.Audit.Win2008DC.Hosts.AuditTarget | Microsoft.Windows.Server.2008.AD.DomainControllerRole | SCC.Active.Directory.Audit.Win2008.AuditTarget | Internal | False |

Discoveries (1)

| DisplayName | ID | Target | Enabled |
|---|---|---|---|
| Windows 2008 AD Audit Target Discovery | SCC.Active.Directory.Audit.Discover.Win2008AD.AuditTarget | Microsoft.Windows.Server.2008.AD.DomainControllerRole | True |

Rules (43)

| DisplayName | ID | Target | Category | Enabled | Alert Generate |
|---|---|---|---|---|---|
| (Security Event ID 4728) - A member was added to a security-enabled global group | SCC.Active.Directory.Audit.AddToGlblSecGrp | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| An Active Directory Site was Created | SCC.Active.Directory.Audit.ADSiteCreated | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| An Active Directory Site was Deleted | SCC.Active.Directory.Audit.ADSiteDeleted | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| An Active Directory Site Link was Created | SCC.Active.Directory.Audit.ADSiteLinkCreated | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| An Active Directory Site Link was Deleted | SCC.Active.Directory.Audit.ADSiteLinkDeleted | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| An Active Directory Site has been Modified | SCC.Active.Directory.Audit.ADSiteModified | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| An Active Directory Subnet was Created | SCC.Active.Directory.Audit.ADSubnetCreated | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| An Active Directory Subnet was Deleted | SCC.Active.Directory.Audit.ADSubnetDeleted | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| An Active Directory Subnet was Modified | SCC.Active.Directory.Audit.ADSubnetModified | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4723) - Change password attempt | SCC.Active.Directory.Audit.ChgPasswordAttempt | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| Collet Account and Group Events (misc 47XX events) (DO NOT ENABLE for development only) | SCC.Active.Directory.Audit.CollectAcctGrpEvents | SCC.Active.Directory.Audit.Win2008.AuditTarget | EventCollection | False | False |
| Collect Event 5136: Object Modifications (DO NOT ENABLE development only) | SCC.Active.Directory.Audit.CollEvt5136 | SCC.Active.Directory.Audit.Win2008.AuditTarget | EventCollection | False | False |
| Collect Event 5136: Object Creation (DO NOT ENABLE development only) | SCC.Active.Directory.Audit.CollEvt5137 | SCC.Active.Directory.Audit.Win2008.AuditTarget | EventCollection | False | False |
| Collect Event 5139: Object Moved (DO NOT ENABLE development only) | SCC.Active.Directory.Audit.CollEvt5139 | SCC.Active.Directory.Audit.Win2008.AuditTarget | EventCollection | False | False |
| Collect Event 5141: Object Deleted (DO NOT ENABLE development only) | SCC.Active.Directory.Audit.CollEvt5141 | SCC.Active.Directory.Audit.Win2008.AuditTarget | EventCollection | False | False |
| (Security Event ID 4727) - A security-enabled global group was created | SCC.Active.Directory.Audit.CreatedGlblSecGrp | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4739) - Domain Policy was changed | SCC.Active.Directory.Audit.DomainPolicyChange | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4730) - A security-enabled global group was deleted | SCC.Active.Directory.Audit.Event4730 | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| A Group Policy Object (GPO) has been Created | SCC.Active.Directory.Audit.GPOCreated | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| A Group Policy Object (GPO) was Deleted | SCC.Active.Directory.Audit.GPODeleted | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| A Group Policy Object (GPO) was Modified | SCC.Active.Directory.Audit.GPOModified | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4713) - Kerberos policy was changed | SCC.Active.Directory.Audit.KerbPolChg | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 1102) - The audit log was cleared | SCC.Active.Directory.Audit.NewElement | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| An Organizational Unit was Created | SCC.Active.Directory.Audit.OUCreated | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| An Organizational Unit was Deleted | SCC.Active.Directory.Audit.OUDeleted | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| An Organizational Unit was Modified | SCC.Active.Directory.Audit.OUModified | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| An Organizational Unit was Moved | SCC.Active.Directory.Audit.OUMoved | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4729) - A member was removed from a security-enabled global group | SCC.Active.Directory.Audit.RemoveFromGlblSecGrp | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 1104) - The security event log was cleared | SCC.Active.Directory.Audit.SecurityLogCleared | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4706) - A new trust was created to a domain | SCC.Active.Directory.Audit.TrustCreated | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4707) - A trust to a domain was removed | SCC.Active.Directory.Audit.TrustRemoved | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4755) - A security-enabled universal group was changed | SCC.Active.Directory.Audit.UnivGrpChanged | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | False | True |
| (Security Event ID 4754) - A security-enabled universal group was created | SCC.Active.Directory.Audit.UnivGrpCreated | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4758) - A security-enabled universal group was deleted | SCC.Active.Directory.Audit.UnivGrpDeleted | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4756) - A member was added to a security-enabled universal group | SCC.Active.Directory.Audit.UnivGrpMemAdded | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4757) - A member was removed from a security-enabled universal group | SCC.Active.Directory.Audit.UnivGrpMemRemoved | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4764) - A group’s type was changed | SCC.Active.Directory.Audit.UnivGrpTypeChanged | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| A User Account was Modified | SCC.Active.Directory.Audit.UserAccountChange | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4720) - A User Account was Created | SCC.Active.Directory.Audit.UserAcctCreated | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4726) - A user account was deleted | SCC.Active.Directory.Audit.UserAcctDeleted | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4725) - A user account was disabled | SCC.Active.Directory.Audit.UserAcctDisabled | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4740) - A user account was locked out | SCC.Active.Directory.Audit.UserAcctLockout | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |
| (Security Event ID 4740) - A User Account Password was Set | SCC.Active.Directory.Audit.UserAcctPasswordSet | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | True |

Agent Tasks (2)

| DisplayName | ID | Target | Accessibility | Category | Enabled |
|---|---|---|---|---|---|
| GPResult | SCC.Active.Directory.Audit.AgentTask.GPResult | SCC.Active.Directory.Audit.Win2008.AuditTarget | Internal | Operations | True |
| Get RSoP | SCC.Active.Directory.Audit.ConsoleTask.RSoP | Microsoft.Windows.Computer | Internal | Operations | True |

Folder Items (7)

| DisplayName | ID | FolderName | ElementID |
|---|---|---|---|
| Group Management Alerts | SCC.Active.Directory.Audit.View.GroupManagement | Folder_47ce9f4a0f8f4fd289a89b2a3f6e036a | SCC.Active.Directory.Audit.View.GroupManagement |
| Log Management Alerts | SCC.Active.Directory.Audit.View.LogManagement | Folder_47ce9f4a0f8f4fd289a89b2a3f6e036a | SCC.Active.Directory.Audit.View.LogManagement |
| OU Management Alerts | SCC.Active.Directory.Audit.View.OUManagement | Folder_47ce9f4a0f8f4fd289a89b2a3f6e036a | SCC.Active.Directory.Audit.View.OUManagement |
| Group Policy Management Alerts | SCC.Active.Directory.Audit.View.PolicyManagement | Folder_47ce9f4a0f8f4fd289a89b2a3f6e036a | SCC.Active.Directory.Audit.View.PolicyManagement |
| Physical Topology Management | SCC.Active.Directory.Audit.View.SiteManagement | Folder_47ce9f4a0f8f4fd289a89b2a3f6e036a | SCC.Active.Directory.Audit.View.SiteManagement |
| User Management Alerts | SCC.Active.Directory.Audit.View.UserManagement | Folder_47ce9f4a0f8f4fd289a89b2a3f6e036a | SCC.Active.Directory.Audit.View.UserManagement |
| Audit Events (Collection) | View_8e21fc09df1041ff8a4d0e91c7979508 | Folder_47ce9f4a0f8f4fd289a89b2a3f6e036a | View_8e21fc09df1041ff8a4d0e91c7979508 |

Folders (1)

| DisplayName | ID | ParentFolder | Accessibility |
|---|---|---|---|
| Active Directory Audit | Folder_47ce9f4a0f8f4fd289a89b2a3f6e036a | Microsoft.SystemCenter.Monitoring.ViewFolder.Root | Public |

Views (7)

| DisplayName | ID | Target | Type | Accessibility | Visible |
|---|---|---|---|---|---|
| Group Management Alerts | SCC.Active.Directory.Audit.View.GroupManagement | System.Entity | Microsoft.SystemCenter.AlertViewType | Public | True |
| Log Management Alerts | SCC.Active.Directory.Audit.View.LogManagement | System.Entity | Microsoft.SystemCenter.AlertViewType | Public | True |
| OU Management Alerts | SCC.Active.Directory.Audit.View.OUManagement | SCC.Active.Directory.Audit.Win2008.AuditTarget | Microsoft.SystemCenter.AlertViewType | Public | True |
| Group Policy Management Alerts | SCC.Active.Directory.Audit.View.PolicyManagement | System.Entity | Microsoft.SystemCenter.AlertViewType | Public | True |
| Physical Topology Management | SCC.Active.Directory.Audit.View.SiteManagement | System.Entity | Microsoft.SystemCenter.AlertViewType | Public | True |
| User Management Alerts | SCC.Active.Directory.Audit.View.UserManagement | System.Entity | Microsoft.SystemCenter.AlertViewType | Public | True |
| Audit Events (Collection) | View_8e21fc09df1041ff8a4d0e91c7979508 | System.Entity | Microsoft.SystemCenter.EventViewType | Public | True |

Linked Reports (1)

| DisplayName | ID | Base | Target | Accessibility | Visible |
|---|---|---|---|---|---|
| Security Audit Alerts | SCC.Active.Directory.Audit.LinkedAlert.Critical | Microsoft.SystemCenter.DataWarehouse.Report.Alert | | Internal | True |