OmahaMCSE

Event log monitor for users added to admin groups


The idea is to get a ticket when someone is added to an administrators group so we can figure out if it's good/bad/infection etc...

Right now I just have an event log monitor that looks for security event 4728 or 4732 (user added to a global/local group), and that works fine; I'm just trying to narrow it down a little to the Administrators/Domain Admins groups. Any thoughts on how to extract that info from the message so it only shows the Administrators group? That info is in there. I tried adding additional conditions like "and eventlogs.message like ' Name:AdministratorsGroup'" but that wasn't it.


So, this monitor:

[screenshot: monitor configuration]

Gets this result:

[screenshot: monitor result]

And in the message comes back with all the data from the event entry:

A member was added to a security-enabled local group.Subject:Security ID:S-1-5-21-1111111-1111111-1111111-500Account Name:AdministratorAccount Domain:XXXXXXXXXLogon ID:0x3335FMember:Security ID:S-1-5-21-111111111-111111111-1111111111-1007Account Name:-Group:Security ID:S-1-5-32-544Group Name:AdministratorsGroup Domain:BuiltinAdditional Information:Privileges:- 


I just don't know enough SQL to ask it "after you narrow it down to these event IDs, look to see if it also contains 'Group Name:AdministratorsGroup', then continue on to fire the alert template." It's not the end of the world if it can't be narrowed down further; there aren't that many group changes once users are added, I was just trying to get the important groups.

Thanks


-Joel


Message LIKE '%Group Name:Administrators%' AND Message NOT LIKE '%Account Name:%$%'

You will need wildcards to match on something inside the string. Testing against my db, the log entries I have are all computer accounts, so the NOT LIKE filters those out.

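The reply's condition run against a handful of constructed rows, as an added example that is not part of the original thread. It assumes the newline-stripped layout the poster's message shows (labels run straight into values), a table with `eventid` and `message` columns, and placeholder SIDs, names and domain. The LabTech monitor only takes the WHERE fragment; the Python/sqlite3 wrapper is just a harness for testing fragments offline. It also shows a tighter variant that anchors on the group SID (S-1-5-32-544 is BUILTIN\Administrators, and a domain SID ending in -512 is Domain Admins) and limits the computer-account exclusion to the Member section.

```python
import sqlite3


def flat_event(subject_name, member_name, group_sid, group_name,
               group_domain, scope="local", subject_sid="S-1-5-21-1-1-1-500"):
    """Build a 4728/4732 message in the newline-stripped layout the post
    shows (each label runs straight into its value). Constructed data: the
    SIDs, names and domain are placeholders, not taken from the thread."""
    return (
        f"A member was added to a security-enabled {scope} group."
        f"Subject:Security ID:{subject_sid}Account Name:{subject_name}"
        f"Account Domain:CORPLogon ID:0x3335F"
        f"Member:Security ID:S-1-5-21-1-1-1-1007Account Name:{member_name}"
        f"Group:Security ID:{group_sid}Group Name:{group_name}"
        f"Group Domain:{group_domain}"
        f"Additional Information:Privileges:-"
    )


# Constructed eventlogs rows: (id, eventid, message).
SAMPLE_ROWS = [
    (1, 4732, flat_event("Administrator", "-", "S-1-5-32-544",
                         "Administrators", "Builtin")),
    (2, 4732, flat_event("Administrator", "-", "S-1-5-32-555",
                         "Remote Desktop Users", "Builtin")),
    (3, 4728, flat_event("Administrator", "-", "S-1-5-21-1-1-1-512",
                         "Domain Admins", "CORP", scope="global")),
    # Subject is a computer account, e.g. a service running as SYSTEM.
    (4, 4732, flat_event("WS01$", "-", "S-1-5-32-544",
                         "Administrators", "Builtin", subject_sid="S-1-5-18")),
    # Member is a computer account.
    (5, 4732, flat_event("Administrator", "WS02$", "S-1-5-32-544",
                         "Administrators", "Builtin")),
    # A group whose name merely starts with "Administrators".
    (6, 4732, flat_event("Administrator", "-", "S-1-5-21-1-1-1-1200",
                         "AdministratorsHelpdesk", "CORP")),
]

# The reply's condition, verbatim apart from the event ID restriction
# the poster's monitor already applies.
REPLY_FILTER = (
    "eventid IN (4728, 4732) "
    "AND message LIKE '%Group Name:Administrators%' "
    "AND message NOT LIKE '%Account Name:%$%'"
)

# Tighter variant: match the group by SID instead of display name, and only
# drop events whose Member (not Subject) is a computer account. The patterns
# assume the stripped layout, where the SID is followed by "Group Name:" and
# the member name by "Group:".
REFINED_FILTER = (
    "eventid IN (4728, 4732) "
    "AND (message LIKE '%Group:Security ID:S-1-5-32-544Group Name:%' "
    "     OR message LIKE '%Group:Security ID:S-1-5-21-%-512Group Name:%') "
    "AND message NOT LIKE '%Member:%Account Name:%$Group:%'"
)


def matching_ids(where_clause, rows=SAMPLE_ROWS):
    """Load the constructed rows into an in-memory eventlogs table and
    return the ids the WHERE fragment selects, in id order."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE eventlogs (id INTEGER, eventid INTEGER, message TEXT)")
    con.executemany("INSERT INTO eventlogs VALUES (?, ?, ?)", rows)
    cur = con.execute(
        f"SELECT id FROM eventlogs WHERE {where_clause} ORDER BY id")
    ids = [row[0] for row in cur.fetchall()]
    con.close()
    return ids


if __name__ == "__main__":
    print("reply filter:  ", matching_ids(REPLY_FILTER))    # [1, 6]
    print("refined filter:", matching_ids(REFINED_FILTER))  # [1, 3, 4]
```

Two things worth knowing before pasting the reply's fragment into a monitor: `'%Group Name:Administrators%'` also matches any group whose name merely starts with "Administrators", and `'%Account Name:%$%'` drops an event whenever a `$` appears anywhere after the first "Account Name:", which is the Subject's, so an addition performed in SYSTEM context (Subject Account Name COMPUTER$) is suppressed along with computer-account members. The SID patterns rely on the stripped layout; if the stored message keeps its whitespace, put a `%` between each label and its value.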
