In some situations you may want to audit your Active Directory but don't have the resources to install Audit Collection Services (ACS). SCOM provides the ability to do a lot of this with rules/monitors based on event IDs. For most of the alerts I've followed the recommendations of Randy Franklin Smith's "11 ways to detect System Intrusions with the security log". So basically these alerts are based on the Event Description. Keep in mind that these events will be stored in the same database as the rest of your SCOM data, whereas ACS has its own DB, so be careful with the sizing.
Also, if you want to build better rules, you should install Log Parser, look at the event parameters (which are delimited by a "|") and parse the events you want to monitor to find the parameter that holds the information you need.
So here is what I've found useful to monitor.
- Users added to / removed from privileged groups, e.g. Domain Admins, Enterprise Admins, Schema Admins and their nested groups (pay attention to the scope of the group, because the event ID generated depends on it). If you want, you can even monitor when members are removed.
- Local and Domain Administrator logon failed / succeeded (read this to avoid false positives: http://support.microsoft.com/kb/2002335 …)
- New domain and local accounts (you can filter this based on some user attribute, e.g. office)
- New computer accounts in the domain
- Password changed for Domain and Local Administrator
- Passwords set to never expire, Event 642
- Service / scheduled task creation, Events 601 and 602
- Systems restarted, Event 512, lets you check whether this matches your maintenance windows
- Audit policy change, Event 612
- Security log cleared, Event 517
- Unknown user account or bad password, Event 529
Beware: ideally, activate these rules one by one to give yourself time to filter them and analyze the performance impact.
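To show what this rule list amounts to once the pipe-delimited parameters are split up, here is an added example of my own (not code from the post, and not how SCOM evaluates rules internally) that applies these checks to constructed events in Python. The event IDs 632/636/660 for "member added" to a global/local/universal group and the parameter order assumed in each branch are my assumptions, not taken from the post.

```python
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
# Legacy IDs for "member added" to a global/local/universal group (my own
# assumption, not from the post); SIMPLE_RULES holds the IDs the post lists.
GROUP_MEMBER_ADDED = {632, 636, 660}
SIMPLE_RULES = {
    642: "password set to never expire",
    601: "service installed",
    602: "scheduled task created",
    512: "system restarted: compare with the maintenance window",
    612: "audit policy changed",
    517: "security log cleared",
}

def parse_params(description):
    """Split SCOM's pipe-delimited parameter string into a clean list."""
    return [p.strip() for p in description.split("|")]

def evaluate(event_id, description):
    """Return the alert text for one event, or None if no rule fires."""
    params = parse_params(description)
    if event_id in GROUP_MEMBER_ADDED:
        # assumed order: member | member SID | target group | target domain | ...
        member, group = params[0], params[2]
        if group in PRIVILEGED_GROUPS:
            return f"{member} added to privileged group {group}"
        return None
    if event_id == 529:
        # assumed order: user | domain | logon type | ...; flag the built-in
        # Administrator separately, as the post treats admin logons on their own
        who = params[0]
        tag = "ADMIN " if who.lower() == "administrator" else ""
        return f"{tag}failed logon for {who} (unknown user or bad password)"
    return SIMPLE_RULES.get(event_id)

def run(events):
    """Apply evaluate() to (event_id, description) pairs and keep the alerts."""
    alerts = [evaluate(eid, desc) for eid, desc in events]
    return [a for a in alerts if a]

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    (632, "jdoe|S-1-5-21-1-1-1-1105|Domain Admins|CONTOSO|S-1-5-21-1-1-1-512|admin"),
    (636, "svc_backup|S-1-5-21-1-1-1-1200|Backup Operators|CONTOSO|S-1-5-32-551|admin"),
    (529, "Administrator|CONTOSO|3|NtLmSsp|NTLM|WKS01"),
    (529, "bob|CONTOSO|2|User32|Negotiate|WKS02"),
    (517, "CONTOSO\\admin|(0x0,0x3E7)"),
    (642, "jdoe|CONTOSO|S-1-5-21-1-1-1-1105|admin|CONTOSO"),
]
if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```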
Now I'll show you an example of how you could create such a rule (make sure not to add it to the default MP, because it will give you a hard time when you try to update the MP) and get a result like this:
First, create a new rule from the SCOM console and select the MP to add the rule to. In my case I've created an MP called "CompanyName – Auditing".
Then select the appropriate log type and build the event expression.
– 11 ways to detect System Intrusions with the security log
– Using Event Description as criteria for rules
– OpsMgr 2007: Parameters explained