Windows 2008 AD Audit Target Discovery
SCC.Active.Directory.Audit.Discover.Win2008AD.AuditTarget (Discovery)
Discovers the Windows 2008 Active Directory Audit Target Class. This class is defined largely to facilitate linked alert reports containing audit alerts. By disabling this discovery for domain controllers in domains where auditing is not desired, you can prevent these auditing rules from being loaded by those agents.
Element properties: Object Discovery Details: Member Modules:
Source Code: <Discovery ID="SCC.Active.Directory.Audit.Discover.Win2008AD.AuditTarget" Enabled="true" Target="MicrosoftWindowsServerAD2008Discovery!Microsoft.Windows.Server.2008.AD.DomainControllerRole" ConfirmDelivery="false" Remotable="true" Priority="Normal">
<Category>Discovery</Category>
<DiscoveryTypes>
<DiscoveryClass TypeID="SCC.Active.Directory.Audit.Win2008.AuditTarget"/>
</DiscoveryTypes>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.RegistryDiscoveryProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<RegistryAttributeDefinitions>
<RegistryAttributeDefinition>
<AttributeName>ProductName</AttributeName>
<Path>SOFTWARE\Microsoft\Windows NT\CurrentVersion</Path>
<PathType>1</PathType>
<AttributeType>0</AttributeType>
</RegistryAttributeDefinition>
</RegistryAttributeDefinitions>
<Frequency>3600</Frequency>
<ClassId>$MPElement[Name="SCC.Active.Directory.Audit.Win2008.AuditTarget"]$</ClassId>
<InstanceSettings>
<Settings>
<Setting>
<Name>$MPElement[Name="SCC.Active.Directory.Audit.Win2008.AuditTarget"]/SCC.Active.Directory.Audit.Version$</Name>
<Value>$Target/Property[Type="MicrosoftWindowsServerADLibrary!Microsoft.Windows.Server.AD.DomainControllerRole"]/Name$</Value>
</Setting>
<Setting>
<Name>$MPElement[Name="MicrosoftWindowsServerADLibrary!Microsoft.Windows.Server.AD.DomainControllerRole"]/Name$</Name>
<Value>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetbiosComputerName$</Value>
</Setting>
<Setting>
<Name>$MPElement[Name="Windows!Microsoft.Windows.Computer"]/PrincipalName$</Name>
<Value>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</Value>
</Setting>
<Setting>
<Name>$MPElement[Name="System!System.Entity"]/DisplayName$</Name>
<Value>$Target/Property[Type="System!System.Entity"]/DisplayName$</Value>
</Setting>
</Settings>
</InstanceSettings>
</DataSource>
</Discovery>