All Rules in SCC.Active.Directory.Audit Management Pack

| DisplayName | Description | ID | Target | Category | Enabled | Instance Name | Counter Name | Frequency | Event_ID | Event Source | Alert Generate | Alert Severity | Alert Priority | Remotable | Event Log |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| (Security Event ID 4728) - A member was added to a security-enabled global group | | SCC.Active.Directory.Audit.AddToGlblSecGrp | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| An Active Directory Site was Created | | SCC.Active.Directory.Audit.ADSiteCreated | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| An Active Directory Site was Deleted | | SCC.Active.Directory.Audit.ADSiteDeleted | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 5141 | | True | Error | Normal | True | Security |
| An Active Directory Site Link was Created | | SCC.Active.Directory.Audit.ADSiteLinkCreated | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| An Active Directory Site Link was Deleted | | SCC.Active.Directory.Audit.ADSiteLinkDeleted | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 5141 | | True | Error | Normal | True | Security |
| An Active Directory Site has been Modified | | SCC.Active.Directory.Audit.ADSiteModified | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 5136 | | True | Warning | Normal | True | Security |
| An Active Directory Subnet was Created | | SCC.Active.Directory.Audit.ADSubnetCreated | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 5137 | | True | Warning | Normal | True | Security |
| An Active Directory Subnet was Deleted | | SCC.Active.Directory.Audit.ADSubnetDeleted | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 5141 | | True | Error | Normal | True | Security |
| An Active Directory Subnet was Modified | | SCC.Active.Directory.Audit.ADSubnetModified | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 5136 | | True | Error | Normal | True | Security |
| (Security Event ID 4723) - Change password attempt | | SCC.Active.Directory.Audit.ChgPasswordAttempt | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| Collet Account and Group Events (misc 47XX events) (DO NOT ENABLE for development only) | 4723,4726-4729,4738,4739,4740,4754,4755,4756,4758,4764 | SCC.Active.Directory.Audit.CollectAcctGrpEvents | SCC.Active.Directory.Audit.Win2008.AuditTarget | EventCollection | False | | | 0 | 0 | | False | | | True | Security |
| Collect Event 5136: Object Modifications (DO NOT ENABLE development only) | Collects events related to directory service object modification | SCC.Active.Directory.Audit.CollEvt5136 | SCC.Active.Directory.Audit.Win2008.AuditTarget | EventCollection | False | | | 0 | 0 | | False | | | True | Security |
| Collect Event 5136: Object Creation (DO NOT ENABLE development only) | | SCC.Active.Directory.Audit.CollEvt5137 | SCC.Active.Directory.Audit.Win2008.AuditTarget | EventCollection | False | | | 0 | 0 | | False | | | True | Security |
| Collect Event 5139: Object Moved (DO NOT ENABLE development only) | | SCC.Active.Directory.Audit.CollEvt5139 | SCC.Active.Directory.Audit.Win2008.AuditTarget | EventCollection | False | | | 0 | 0 | | False | | | True | Security |
| Collect Event 5141: Object Deleted (DO NOT ENABLE development only) | | SCC.Active.Directory.Audit.CollEvt5141 | SCC.Active.Directory.Audit.Win2008.AuditTarget | EventCollection | False | | | 0 | 0 | | False | | | True | Security |
| (Security Event ID 4727) - A security-enabled global group was created | | SCC.Active.Directory.Audit.CreatedGlblSecGrp | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| (Security Event ID 4739) - Domain Policy was changed | | SCC.Active.Directory.Audit.DomainPolicyChange | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| (Security Event ID 4730) - A security-enabled global group was deleted | | SCC.Active.Directory.Audit.Event4730 | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| A Group Policy Object (GPO) has been Created | | SCC.Active.Directory.Audit.GPOCreated | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| A Group Policy Object (GPO) was Deleted | | SCC.Active.Directory.Audit.GPODeleted | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| A Group Policy Object (GPO) was Modified | | SCC.Active.Directory.Audit.GPOModified | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 5136 | | True | Error | Normal | True | Security |
| (Security Event ID 4713) - Kerberos policy was changed | | SCC.Active.Directory.Audit.KerbPolChg | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| (Security Event ID 1102) - The audit log was cleared | | SCC.Active.Directory.Audit.NewElement | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| An Organizational Unit was Created | | SCC.Active.Directory.Audit.OUCreated | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| An Organizational Unit was Deleted | | SCC.Active.Directory.Audit.OUDeleted | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| An Organizational Unit was Modified | | SCC.Active.Directory.Audit.OUModified | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| An Organizational Unit was Moved | | SCC.Active.Directory.Audit.OUMoved | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| (Security Event ID 4729) - A member was removed from a security-enabled global group | | SCC.Active.Directory.Audit.RemoveFromGlblSecGrp | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| (Security Event ID 1104) - The security event log was cleared | | SCC.Active.Directory.Audit.SecurityLogCleared | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| (Security Event ID 4706) - A new trust was created to a domain | | SCC.Active.Directory.Audit.TrustCreated | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| (Security Event ID 4707) - A trust to a domain was removed | | SCC.Active.Directory.Audit.TrustRemoved | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| (Security Event ID 4755) - A security-enabled universal group was changed | This rule results in numerous non-actionable alerts during create and delete operations. Therefore, it is disabled by default. | SCC.Active.Directory.Audit.UnivGrpChanged | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | False | | | 0 | 0 | | True | Warning | Normal | True | Security |
| (Security Event ID 4754) - A security-enabled universal group was created | | SCC.Active.Directory.Audit.UnivGrpCreated | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| (Security Event ID 4758) - A security-enabled universal group was deleted | | SCC.Active.Directory.Audit.UnivGrpDeleted | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| (Security Event ID 4756) - A member was added to a security-enabled universal group | | SCC.Active.Directory.Audit.UnivGrpMemAdded | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| (Security Event ID 4757) - A member was removed from a security-enabled universal group | | SCC.Active.Directory.Audit.UnivGrpMemRemoved | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| (Security Event ID 4764) - A group’s type was changed | | SCC.Active.Directory.Audit.UnivGrpTypeChanged | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| A User Account was Modified | This rule results in numerous non-actionable alerts during create and delete operations. Therefore, it is disabled by default. | SCC.Active.Directory.Audit.UserAccountChange | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 5136 | | True | Error | Normal | True | Security |
| (Security Event ID 4720) - A User Account was Created | | SCC.Active.Directory.Audit.UserAcctCreated | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| (Security Event ID 4726) - A user account was deleted | | SCC.Active.Directory.Audit.UserAcctDeleted | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| (Security Event ID 4725) - A user account was disabled | | SCC.Active.Directory.Audit.UserAcctDisabled | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |
| (Security Event ID 4740) - A user account was locked out | | SCC.Active.Directory.Audit.UserAcctLockout | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| (Security Event ID 4740) - A User Account Password was Set | | SCC.Active.Directory.Audit.UserAcctPasswordSet | SCC.Active.Directory.Audit.Win2008.AuditTarget | SecurityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Security |