mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-19 20:33:42 +00:00
Merge branch 'PubOps-repo-health' into dh-windows-pr-repo-health
This commit is contained in:
Rebecca Agiewich
GitHub
@ -286,7 +286,7 @@ For 4624(S): An account was successfully logged on.
|
||||
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the high-value account or accounts. |
|
||||
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"New Logon\\Security ID"** (with other information) to monitor how or when a particular account is being used. |
|
||||
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the accounts that should never be used. |
|
||||
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allow list. |
|
||||
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an "allowlist-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allowlist. |
|
||||
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. |
|
||||
| **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts. |
|
||||
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you are concerned about. |
|
||||
|
||||
@ -193,7 +193,7 @@ For 4688(S): A new process has been created.
|
||||
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the high-value account or accounts. |
|
||||
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** (with other information) to monitor how or when a particular account is being used. |
|
||||
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the accounts that should never be used. |
|
||||
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allow list. |
|
||||
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an "allowlist-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allowlist. |
|
||||
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** to see whether the account type is as expected. |
|
||||
| **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** corresponding to accounts from another domain or "external" accounts. |
|
||||
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that you are concerned about. |
|
||||
|
||||
@ -153,7 +153,7 @@ For 4696(S): A primary token was assigned to process.
|
||||
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the high-value account or accounts. |
|
||||
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
|
||||
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the accounts that should never be used. |
|
||||
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allow list. |
|
||||
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allowlist. |
|
||||
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** to see whether the account type is as expected. |
|
||||
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** corresponding to accounts from another domain or “external” accounts. |
|
||||
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that you are concerned about. |
|
||||
|
||||
@ -195,7 +195,7 @@ Otherwise, see the recommendations in the following table.
|
||||
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
|
||||
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
|
||||
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Security ID**” that correspond to the accounts that should never be used. |
|
||||
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. |
|
||||
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. |
|
||||
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
|
||||
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
|
||||
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. <br>Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account. |
|
||||
|
||||
@ -153,7 +153,7 @@ For 4704(S): A user right was assigned.
|
||||
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
|
||||
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
|
||||
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\ Account Name**” that correspond to the accounts that should never be used. |
|
||||
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. |
|
||||
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. |
|
||||
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
|
||||
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
|
||||
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. <br>Also check **“Target Account\\ Account Name”** to see whether the change in rights should be made on that computer for that account. |
|
||||
|
||||
@ -152,7 +152,7 @@ For 4705(S): A user right was removed.
|
||||
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
|
||||
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
|
||||
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Account Name**” that correspond to the accounts that should never be used. |
|
||||
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.<br>If you have specific user rights policies, for example, an allow list of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” |
|
||||
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist.<br>If you have specific user rights policies, for example, an allowlist of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” |
|
||||
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Target Account\\Account Name”** to see whether the account type is as expected.<br>For example, if some accounts have critical user rights which should never be removed, monitor this event for the **“Target** **Account\\Account Name”** and the appropriate rights.<br>As another example, if non-administrative accounts should never be granted certain user rights (for example, **SeAuditPrivilege**), you might monitor this event, because a right can be removed only after it was previously granted. |
|
||||
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
|
||||
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Target Account\\Account Name**” to see whether user rights should be removed from that account (or whether that account should have any rights on that computer).<br>For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Removed Right**” should be removed from “**Target** **Account\\Account Name**” in each case. |
|
||||
|
||||
@ -127,7 +127,7 @@ For 4717(S): System security access was granted to an account.
|
||||
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. |
|
||||
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
|
||||
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. |
|
||||
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.<br>If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” |
|
||||
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist.<br>If you have specific user logon rights policies, for example, an allowlist of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” |
|
||||
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.<br>For example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), monitor this event for those accounts and rights. |
|
||||
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
|
||||
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be granted to that account.<br>For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be granted to “**Account Modified\\Account Name**” in each case. |
|
||||
|
||||
@ -127,7 +127,7 @@ For 4718(S): System security access was removed from an account.
|
||||
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. |
|
||||
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
|
||||
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. |
|
||||
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.<br>If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” |
|
||||
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist.<br>If you have specific user logon rights policies, for example, an allowlist of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” |
|
||||
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.<br>For example, if critical remote network service accounts have user logon rights which should never be removed (for example, **SeNetworkLogonRight**), monitor this event for the **“Account Modified\\Account Name”** and the appropriate rights.<br>As another example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), you might monitor this event, because a right can be removed only after it was previously granted. |
|
||||
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
|
||||
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be removed from that account.<br>For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be removed from “**Account Modified\\Account Name**” in each case. |
|
||||
|
||||
@ -154,7 +154,7 @@ For 4732(S): A member was added to a security-enabled local group.
|
||||
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. |
|
||||
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
|
||||
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. |
|
||||
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
|
||||
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist. |
|
||||
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
|
||||
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
|
||||
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
|
||||
|
||||
@ -161,7 +161,7 @@ For 4733(S): A member was removed from a security-enabled local group.
|
||||
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. |
|
||||
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
|
||||
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. |
|
||||
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
|
||||
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist. |
|
||||
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
|
||||
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
|
||||
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
|
||||
|
||||
@ -158,7 +158,7 @@ For 4751(S): A member was added to a security-disabled global group.
|
||||
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. |
|
||||
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
|
||||
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. |
|
||||
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
|
||||
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist. |
|
||||
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
|
||||
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
|
||||
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
|
||||
|
||||
@ -149,7 +149,7 @@ For 4752(S): A member was removed from a security-disabled global group.
|
||||
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. |
|
||||
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
|
||||
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. |
|
||||
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
|
||||
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist. |
|
||||
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
|
||||
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
|
||||
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
|
||||
|
||||
@ -305,13 +305,13 @@ For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
|
||||
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“User ID”** that corresponds to the high-value account or accounts. |
|
||||
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“User ID”** (with other information) to monitor how or when a particular account is being used. |
|
||||
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“User ID”** that corresponds to the accounts that should never be used. |
|
||||
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“User ID”** for accounts that are outside the allow list. |
|
||||
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an “allowlist-only” action, review the **“User ID”** for accounts that are outside the allowlist. |
|
||||
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location. |
|
||||
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that don’t comply with naming conventions. |
|
||||
|
||||
- You can track all [4768](event-4768.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
|
||||
|
||||
- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4768](event-4768.md) events. If **Client Address** is not from the allow list, generate the alert.
|
||||
- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4768](event-4768.md) events. If **Client Address** is not from the allowlist, generate the alert.
|
||||
|
||||
- All **Client Address** = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller.
|
||||
|
||||
|
||||
@ -131,7 +131,7 @@ For 4779(S): A session was disconnected from a Window Station.
|
||||
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. |
|
||||
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. |
|
||||
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. |
|
||||
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. |
|
||||
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allowlist. |
|
||||
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. |
|
||||
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
|
||||
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.<br>For example, you might have computers to which connections should not be made from certain accounts or addresses. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about.<br>If you have a target **Computer:** (or other target device) to which connections should not be made from certain accounts or addresses, monitor this event for the corresponding **Client Name** or **Client Address**. |
|
||||
|
||||
Reference in New Issue
Block a user