2 Replies Latest reply on Jun 15, 2016 1:57 PM by yutznut

    nDepth : find source of AD account deletion

    yutznut

      I want to build an nDepth filter to find the source of an Active Directory account deletion.   I wouldn't mind getting email alerts for this either, but primarily I need to build an nDepth filter at the very least and I can't figure it out.   Does anyone out there have this?

      Thanks folks!

        • Re: nDepth : find source of AD account deletion
          twuk

          To do this I use

          correlations

          DeleteDomainMember.ProviderSID = *4726*   AND   DeleteDomainMember.EventInfo NOT= *$*

          The $ bit just filters out machine accounts.

          Other useful ones are:

          Disable accounts

          UserDisable.ProviderSID = *4725* AND UserDisable.EventInfo NOT= *$*

          Add to groups (works with removed too)

          Auditable Group Events.EventInfo = Member "*" added to group "DOMAIN\Group Name"

          And a really useful one is when Domain Admins change passwords for users

          UserModifyAttribute.ProviderSID = *4724* AND UserModifyAttribute.EventInfo NOT= *$*

          A useful resource is Randy Franklin Smith's Ultimate Windows Security. He is the guy who makes the LOGbinder tool that is useful for LEM too.

          On his site are descriptions of all the Windows Event IDs (Provider SID).

          I hope this helps.
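The same filter logic as the reply's nDepth correlations (ProviderSID 4726 / 4725 / 4724, with machine accounts excluded via the trailing `$`), applied to the message text of Windows Security events so you can see who acted on which account. This is an added example, not SolarWinds LEM/nDepth code or anything from the original post; it assumes the Subject / Target Account message layout Windows uses for these event IDs, and every event record, account name, SID and logon ID below is constructed.

```python
"""Added example (not LEM/nDepth code): report who deleted, disabled or
reset the password of which AD account from Windows Security event text,
dropping machine accounts (names ending in '$') as the reply's filters do.
All event records below are constructed."""
import re
from collections import defaultdict

# Event IDs the reply filters on, with the meaning Windows assigns to each.
EVENT_NAMES = {
    4726: "user account deleted",
    4725: "user account disabled",
    4724: "password reset attempted by another account",
}


def build_message(header, actor, logon_id, target):
    """Render a Subject / Target Account message body in the layout Windows
    uses for 4724/4725/4726 (constructed domain, SID and values)."""
    return (
        f"{header}\n\nSubject:\n"
        f"\tSecurity ID:\t\tCORP\\{actor}\n\tAccount Name:\t\t{actor}\n"
        f"\tAccount Domain:\t\tCORP\n\tLogon ID:\t\t{logon_id}\n\n"
        "Target Account:\n"
        "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105\n"
        f"\tAccount Name:\t\t{target}\n\tAccount Domain:\t\tCORP\n"
    )


# Constructed (event_id, message) pairs, including one machine-account
# deletion and one event ID (4722, account enabled) outside the filter.
SAMPLE_EVENTS = [
    (4726, build_message("A user account was deleted.", "jdoe", "0x3e7a1", "bsmith")),
    (4726, build_message("A user account was deleted.", "CORPDC01$", "0x3e7", "WS-0042$")),
    (4725, build_message("A user account was disabled.", "jdoe", "0x3e7a1", "contractor7")),
    (4724, build_message("An attempt was made to reset an account's password.",
                         "helpdesk1", "0x5a0c2", "bsmith")),
    (4722, build_message("A user account was enabled.", "jdoe", "0x3e7a1", "contractor7")),
]

SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*$")        # e.g. "Subject:"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*):\s+(\S.*?)\s*$")  # "\tAccount Name:\t\tjdoe"


def parse_event_message(text):
    """Split a Windows Security message body into {section: {field: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            sections[current] = {}
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            sections[current][field.group(1)] = field.group(2)
    return sections


def match_filter(event_id, message, include_machine=False):
    """Return actor/target details for an event the reply's filters would keep,
    or None when the event ID is not of interest or a machine account is involved."""
    if event_id not in EVENT_NAMES:
        return None
    sections = parse_event_message(message)
    subject = sections.get("Subject", {})
    target = sections.get("Target Account", {})
    actor_name = subject.get("Account Name", "")
    target_name = target.get("Account Name", "")
    # Mirrors 'EventInfo NOT= *$*': computer account names end in '$'.
    if not include_machine and (actor_name.endswith("$") or target_name.endswith("$")):
        return None
    return {
        "action": EVENT_NAMES[event_id],
        "actor": f"{subject.get('Account Domain', '')}\\{actor_name}",
        "logon_id": subject.get("Logon ID", ""),
        "target": f"{target.get('Account Domain', '')}\\{target_name}",
    }


def actions_by_actor(events, include_machine=False):
    """Group the kept events by the account that performed them."""
    report = defaultdict(list)
    for event_id, message in events:
        hit = match_filter(event_id, message, include_machine)
        if hit:
            report[hit["actor"]].append((hit["action"], hit["target"]))
    return dict(report)


if __name__ == "__main__":
    for actor, acts in actions_by_actor(SAMPLE_EVENTS).items():
        for action, target in acts:
            print(f"{actor} -> {action}: {target}")
```

The Subject section's Logon ID is what ties a deletion back to the logon session that performed it, so it is worth keeping in the report alongside the actor name; the Target Account Security ID is retained by the parser as well if you need to match a deleted account after its name is gone from AD.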