Home
  •  

Windows 2008 AD Audit Target Discovery

SCC.Active.Directory.Audit.Discover.Win2008AD.AuditTarget (Discovery)

Discovers the Windows 2008 Active Directory Audit Target Class. This class is defined largely to facilitate linked alert reports containing audit alerts. By disabling this discovery for domain controllers in domains where auditing is not desired, you can prevent these auditing rules from being loaded by those agents.

Element properties:

TargetMicrosoft.Windows.Server.2008.AD.DomainControllerRole
EnabledTrue
Frequency3600
RemotableFalse

Object Discovery Details:

Discovered Classes and their attribuets:

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.RegistryDiscoveryProvider Default

Source Code:

<Discovery ID="SCC.Active.Directory.Audit.Discover.Win2008AD.AuditTarget" Enabled="true" Target="MicrosoftWindowsServerAD2008Discovery!Microsoft.Windows.Server.2008.AD.DomainControllerRole" ConfirmDelivery="false" Remotable="true" Priority="Normal">

  <Category>Discovery</Category>

  <DiscoveryTypes>

    <DiscoveryClass TypeID="SCC.Active.Directory.Audit.Win2008.AuditTarget"/>

  </DiscoveryTypes>

  <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.RegistryDiscoveryProvider">

    <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

    <RegistryAttributeDefinitions>

      <RegistryAttributeDefinition>

        <AttributeName>ProductName</AttributeName>

        <Path>SOFTWARE\Microsoft\Windows NT\CurrentVersion</Path>

        <PathType>1</PathType>

        <AttributeType>0</AttributeType>

      </RegistryAttributeDefinition>

    </RegistryAttributeDefinitions>

    <Frequency>3600</Frequency>

    <ClassId>$MPElement[Name="SCC.Active.Directory.Audit.Win2008.AuditTarget"]$</ClassId>

    <InstanceSettings>

      <Settings>

        <Setting>

          <Name>$MPElement[Name="SCC.Active.Directory.Audit.Win2008.AuditTarget"]/SCC.Active.Directory.Audit.Version$</Name>

          <Value>$Target/Property[Type="MicrosoftWindowsServerADLibrary!Microsoft.Windows.Server.AD.DomainControllerRole"]/Name$</Value>

        </Setting>

        <Setting>

          <Name>$MPElement[Name="MicrosoftWindowsServerADLibrary!Microsoft.Windows.Server.AD.DomainControllerRole"]/Name$</Name>

          <Value>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetbiosComputerName$</Value>

        </Setting>

        <Setting>

          <Name>$MPElement[Name="Windows!Microsoft.Windows.Computer"]/PrincipalName$</Name>

          <Value>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</Value>

        </Setting>

        <Setting>

          <Name>$MPElement[Name="System!System.Entity"]/DisplayName$</Name>

          <Value>$Target/Property[Type="System!System.Entity"]/DisplayName$</Value>

        </Setting>

      </Settings>

    </InstanceSettings>

  </DataSource>

</Discovery>