Just found this nice list of useful event IDs for #AD monitoring:
https://github.com/TonyPhipps/SIEM/blob/master/Notable-Event-IDs.md

My next step is to figure out how to bring that list with low effort to a data collection rule for #Sentinel integration with the Azure Monitoring Agent.

Do you have good sources / lists with Event IDs for AD monitoring or are you ingesting just everything?

@cbrhh If ingestion limits are an issue, I mainly focus on these; otherwise, the more the better:
4688 (Command line auditing)
4625 (Failed logons)
4103 4104 PowerShell auditing (PowerShell 5.0): PowerShell event 4103 and script block logging (4104)
7045/4697 A service was installed in the system
7045, 10000, 10001, 10100, 20001, 20002, 20003, 24576, 24577, 24579 Insert USB
4624 Account Logon
4720 A user account was created
4722 A user account was enabled
2003 Disable firewall
8003 (EXE/MSI) was allowed to run but would have been prevented from running if the AppLocker policy were enforced
8004 (EXE/MSI) was prevented from running.
1116 Windows Defender has detected malware or other potentially unwanted software
1117 Windows Defender has taken action to protect this machine from malware or other potentially unwanted software
1102 Audit Log Cleared
4672 Account with admin level privileges logs on
4698 Schedule new/update tasks
Resource Manager template samples for data collection rules - Azure Monitor

Sample Azure Resource Manager templates to create associations between data collection rules and virtual machines in Azure Monitor.
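
As an added example (not from either post, and not code from the linked repository or from Microsoft), the sketch below turns a short list of event IDs like the one above into the `windowsEventLogs` section of a data collection rule. The channel assigned to each ID, the data source names, the chunk size and the choice of the `Microsoft-SecurityEvent` stream for the Security channel and `Microsoft-Event` for the others are assumptions of this example; IDs with no channel mapping are returned separately instead of being silently dropped.

```python
import json

# Event IDs from the reply above, grouped by the channel that logs them.
# The channel assignment is this example's assumption; verify it on your hosts.
CHANNEL_OF = {
    "Security": [1102, 4624, 4625, 4672, 4688, 4697, 4698, 4720, 4722],
    "System": [7045],
    "Microsoft-Windows-PowerShell/Operational": [4103, 4104],
    "Microsoft-Windows-AppLocker/EXE and DLL": [8003, 8004],
    "Microsoft-Windows-Windows Defender/Operational": [1116, 1117],
}

def xpath_queries(channel, event_ids, max_terms=20):
    """Build 'Channel!XPath' strings; long or-chains are split into chunks.
    max_terms is a value chosen for this example, not a documented limit."""
    ids = sorted(set(event_ids))
    queries = []
    for i in range(0, len(ids), max_terms):
        terms = " or ".join(f"EventID={e}" for e in ids[i:i + max_terms])
        queries.append(f"{channel}!*[System[({terms})]]")
    return queries

def build_data_sources(wanted_ids, channel_map=CHANNEL_OF):
    """Return (windowsEventLogs entries, unmapped IDs) for the wanted IDs."""
    wanted = set(wanted_ids)
    security, other, mapped = [], [], set()
    for channel, ids in channel_map.items():
        hit = wanted & set(ids)
        if not hit:
            continue
        mapped |= hit
        target = security if channel == "Security" else other
        target.extend(xpath_queries(channel, hit))
    sources = []
    if security:  # Security channel goes to the SecurityEvent table
        sources.append({"name": "adSecurityEvents",  # hypothetical name
                        "streams": ["Microsoft-SecurityEvent"],
                        "xPathQueries": security})
    if other:  # remaining channels go to the Event table
        sources.append({"name": "adOtherEvents",  # hypothetical name
                        "streams": ["Microsoft-Event"],
                        "xPathQueries": other})
    return sources, sorted(wanted - mapped)

if __name__ == "__main__":
    # Constructed input: four IDs from the list, one of them left unmapped.
    sources, unmapped = build_data_sources([4624, 4625, 7045, 2003])
    print(json.dumps({"windowsEventLogs": sources}, indent=2))
    print("No channel mapping for:", unmapped)
```

The printed JSON is the fragment that sits under `dataSources` in the rule; the rest of the rule (destinations, data flows) is not generated here.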