Significant Events to Collect in AD DS
Monitoring and collecting events from Active Directory can help organizations identify potential security threats, troubleshoot issues, and ensure the smooth operation of their network infrastructure.
What are the most significant events that should be collected for effective monitoring and management?
Audit Users and Groups Management
Tracking user and group management events is essential for maintaining the security and integrity of an Active Directory environment. Some of the key events to collect include:
- Account creations and deletions
- Account modifications (password changes, privileged accounts & group membership changes, failed DSRM account password change, failed SID History add attempts)
- Account lockouts and unlockings
- Group creation, modification, and deletion
By monitoring these events, administrators can quickly identify any unauthorized changes or suspicious activities related to user and group management.
Audit Computers Management
- Account creations and deletions
Authentication and Authorization
AD DS is responsible for authenticating users and authorizing their access to network resources. Monitoring authentication and authorization events can help detect potential security breaches and ensure that only authorized users are accessing the network. Some of the significant events to audit in this category include:
- Failed logon attempts and account lockouts: monitor Events 4625 and 4740 to detect potential password attacks on user accounts
- Changes to security policies and access controls
- Special logons: monitor Events 4672 where “Subject\Security ID” is not an admin, Local System, Network Service or Local Service
By collecting and analyzing these events, administrators can identify patterns of suspicious logon activities, detect potential brute-force attacks, and ensure that security policies are properly enforced.
Directory Service Replication
Active Directory DS uses replication to ensure that changes made on one domain controller are propagated to other domain controllers in the network. Monitoring replication events is crucial for maintaining the consistency and integrity of the directory service. Some of the significant replication events to collect include:
- Replication successes and failures: look for Event ID 4932 where “Source DRA” does not match authorized hosts (e.g. Domain Controllers)
- Changes to replication topology
- Changes to replication schedules
By monitoring these events, administrators can proactively identify and resolve replication issues, ensure that changes are properly propagated across the network, and prevent data inconsistencies.
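The two allowlist checks described above (Event 4672 whose Subject SID is neither a known admin nor Local System, Local Service or Network Service, and Event 4932 whose Source DRA is not an authorized Domain Controller) as added PowerShell example code, not from the original page. The sample records, SIDs and host names are constructed, and ConvertFrom-SecurityEvent is a hypothetical helper for feeding real Get-WinEvent records into the same filters.

```powershell
# Hypothetical helper: flatten a Security-log record from Get-WinEvent into one
# object whose properties are the EventData fields (SubjectUserSid, SourceDRA, ...).
function ConvertFrom-SecurityEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $xml   = [xml]$Record.ToXml()
        $props = @{ Id = $Record.Id; Computer = $Record.MachineName }
        foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
        [pscustomobject]$props
    }
}

# Well-known SIDs the 4672 rule excludes: Local System, Local Service, Network Service.
$BuiltInServiceSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'

# 4672 where the Subject SID is not a built-in service account and not an expected admin.
function Get-UnexpectedSpecialLogon {
    param(
        [Parameter(Mandatory)] [object[]] $Event,
        [string[]] $AdminSid = @()        # SIDs expected to receive special privileges
    )
    $Event |
        Where-Object { $_.Id -eq 4672 } |
        Where-Object { $_.SubjectUserSid -notin $BuiltInServiceSids -and
                       $_.SubjectUserSid -notin $AdminSid }
}

# 4932 where the replication source is not one of the authorized Domain Controllers.
function Get-UnauthorizedReplicationSource {
    param(
        [Parameter(Mandatory)] [object[]] $Event,
        [Parameter(Mandatory)] [string[]] $DomainController   # authorized Source DRA hosts
    )
    $Event |
        Where-Object { $_.Id -eq 4932 } |
        Where-Object { $_.SourceDRA -notin $DomainController }
}

# Constructed sample records (not real log data), shaped like ConvertFrom-SecurityEvent output.
$Events = @(
    [pscustomobject]@{ Id = 4672; SubjectUserSid = 'S-1-5-18';             SubjectUserName = 'SYSTEM' }
    [pscustomobject]@{ Id = 4672; SubjectUserSid = 'S-1-5-21-1-1-1-500';   SubjectUserName = 'Administrator' }
    [pscustomobject]@{ Id = 4672; SubjectUserSid = 'S-1-5-21-1-1-1-1105';  SubjectUserName = 'svc-backup' }
    [pscustomobject]@{ Id = 4932; SourceDRA = 'DC02.corp.example' }
    [pscustomobject]@{ Id = 4932; SourceDRA = 'WS-JDOE.corp.example' }
)

# Only 'svc-backup' and 'WS-JDOE.corp.example' should be reported for this sample.
Get-UnexpectedSpecialLogon -Event $Events -AdminSid 'S-1-5-21-1-1-1-500' |
    Format-Table Id, SubjectUserName, SubjectUserSid
Get-UnauthorizedReplicationSource -Event $Events -DomainController 'DC01.corp.example', 'DC02.corp.example' |
    Format-Table Id, SourceDRA
```

On a live Domain Controller the same filters take `Get-WinEvent -LogName Security | ConvertFrom-SecurityEvent` as the `-Event` input; the admin SID and DC lists must come from your own inventory.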
Security-related Events
Collecting security-related events in Active Directory DS is essential for maintaining a secure network environment. Some of the significant security-related events to monitor and collect include:
- Changes to security policies
- Account lockouts and unlockings
- Failed logon attempts
- Changes to group memberships and permissions
- Password hash of an account was accessed
By monitoring these events, administrators can quickly identify and respond to potential security breaches, enforce security policies, and ensure that only authorized users have the necessary permissions to access network resources.
Conclusion
Monitoring and collecting significant events in Active Directory DS is crucial for maintaining the security, integrity, and smooth operation of a network environment. By effectively monitoring user and group management, credential validation, authorization, directory service replication, and security-related events, administrators can proactively identify and resolve issues, detect potential security threats, and ensure that the Active Directory environment is properly managed.
Implementing a robust event collection and monitoring system, along with regular analysis of collected events, will enable organizations to maintain a secure and well-managed Active Directory DS infrastructure.
The following table lists the events that matter in an AD DS environment.
ID | Event Title | Category | Criticality |
---|---|---|---|
1102 | The audit log was cleared | EventLogs | Medium to High |
4608 | Windows is starting up | System | Low |
4609 | Windows is shutting down | System | Low |
4610 | An authentication package has been loaded by the Local Security Authority | System | Low |
4611 | A trusted logon process has been registered with the Local Security Authority | System | Low |
4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits | System | Low |
4614 | A notification package has been loaded by the Security Account Manager | System | Low |
4615 | Invalid use of LPC port | System | Low |
4616 | System time was changed | System | Low |
4618 | A monitored security event pattern has occurred | System | High |
4621 | Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded | System | Medium |
4622 | A security package has been loaded by the Local Security Authority | System | Low |
4624 | An account was successfully logged on | Logon/Logoff | Low |
4625 | An account failed to log on | Logon/Logoff | Low |
4648 | A logon attempt was made with explicit credentials | Logon/Logoff | Low |
4649 | A replay attack was detected | Logon/Logoff | High |
4657 | A registry value was modified | Registry | Low |
4670 | Permissions on an object were changed | Policy Change | |
4672 | Special privileges assigned to new logon | Privilege Use | |
4673 | A privileged service was called | Privilege Use | |
4674 | An operation was attempted on a privileged object | Privilege Use | |
4675 | SIDs were filtered | Logon/Logoff | Medium |
4692 | Backup of data protection master key was attempted | DPAPI Activity | Medium |
4693 | Recovery of data protection master key was attempted | DPAPI Activity | Medium |
4694 | Protection of auditable protected data was attempted | DPAPI Activity | |
4695 | Unprotection of auditable protected data was attempted | DPAPI Activity | |
4697 | A service was installed in the system | System | |
4698 | A scheduled task was created | System | Low |
4699 | A scheduled task was deleted | System | Low |
4700 | A scheduled task was enabled | System | Low |
4701 | A scheduled task was disabled | System | Low |
4702 | A scheduled task was updated | System | Low |
4704 | A user right was assigned | Policy Change | Low |
4705 | A user right was removed | Policy Change | Low |
4706 | A new trust was created to a domain | Policy Change | Medium |
4713 | Kerberos policy was changed | Policy Change | Medium |
4714 | Encrypted data recovery policy was changed | Policy Change | Medium |
4715 | The audit policy (SACL) on an object was changed | Policy Change | Medium |
4716 | Trusted domain information was modified | Policy Change | Medium |
4719 | System audit policy was changed | Policy Change | |
4720 | A user account was created | Account Management | Low |
4722 | A user account was enabled | Account Management | Low |
4723 | An attempt was made to change the password of an account | | |
4724 | An attempt was made to reset an account’s password | Account Management | Medium |
4725 | A user account was disabled | Account Management | Low |
4726 | A user account was deleted | Account Management | Low |
4727 | A security-enabled global group was created | Groups Management | Medium |
4728 | A member was added to a security-enabled global group | Groups Management | Low |
4729 | A member was removed from a security-enabled global group | Groups Management | Low |
4730 | A security-enabled global group was deleted | Groups Management | Low |
4731 | A security-enabled local group was created | Groups Management | Low |
4732 | A member was added to a security-enabled local group | Groups Management | Low |
4733 | A member was removed from a security-enabled local group | Groups Management | Low |
4734 | A security-enabled local group was deleted | Groups Management | Low |
4735 | A security-enabled local group was changed | Groups Management | Medium |
4737 | A security-enabled global group was changed | Groups Management | Medium |
4738 | A user account was changed | Account Management | |
4739 | Domain Policy was changed | Policy Change | Medium |
4740 | A user account was locked out | Account Management | |
4741 | A computer account was created | Account Management | |
4742 | A computer account was changed | Account Management | |
4743 | A computer account was deleted | Account Management | |
4754 | A security-enabled universal group was created | Groups Management | Medium |
4755 | A security-enabled universal group was changed | Groups Management | Medium |
4756 | A member was added to a security-enabled universal group | Groups Management | |
4757 | A member was removed from a security-enabled universal group | Groups Management | |
4758 | A security-enabled universal group was deleted | Groups Management | Medium |
4764 | A group’s type was changed | Groups Management | Medium |
4765 | SID History was added to an account | Account Management | High |
4766 | An attempt to add SID History to an account failed | Account Management | High |
4767 | A user account was unlocked | Account Management | |
4768 | A Kerberos authentication ticket (TGT) was requested | Kerberos Service | |
4769 | A Kerberos service ticket was requested | Kerberos Service | |
4770 | A Kerberos service ticket was renewed | Kerberos Service | |
4771 | Kerberos pre-authentication failed | Kerberos Service | Low |
4776 | The computer attempted to validate the credentials for an account | Credential Validation | Low |
4780 | The ACL was set on accounts which are members of administrators groups | Account Management | Medium |
4782 | The password hash of an account was accessed | Account Management | Low |
4794 | An attempt was made to set the Directory Services Restore Mode | Account Management | High |
4799 | A security-enabled local group membership was enumerated | Groups Management | |
4816 | RPC detected an integrity violation while decrypting an incoming message | System | Medium |
4817 | Auditing settings on object were changed | Policy Change | |
4865 | A trusted forest information entry was added | Policy Change | Medium |
4866 | A trusted forest information entry was removed | Policy Change | Medium |
4867 | A trusted forest information entry was modified | Policy Change | Medium |
4868 | The certificate manager denied a pending certificate request | Object Access | Medium |
4870 | Certificate Services revoked a certificate | Object Access | Medium |
4882 | The security permissions for Certificate Services changed | Object Access | Medium |
4885 | The audit filter for Certificate Services changed | Object Access | Medium |
4890 | The certificate manager settings for Certificate Services changed | Object Access | Medium |
4892 | A property of Certificate Services changed | Object Access | Medium |
4896 | One or more rows have been deleted from the certificate database | Object Access | Medium |
4897 | Role separation enabled | Object Access | High |
4902 | The Per-user audit policy table was created | Policy Change | |
4904 | An attempt was made to register a security event source | Policy Change | |
4905 | An attempt was made to unregister a security event source | Policy Change | |
4906 | The CrashOnAuditFail value has changed | Policy Change | Medium |
4907 | Auditing settings on object were changed | Policy Change | Medium |
4908 | Special Groups Logon table modified | Policy Change | Medium |
4912 | Per User Audit Policy was changed | Policy Change | Medium |
4932 | Synchronization of a replica of an Active Directory naming context has begun | AD Replication | |
4946 | A rule was added to the Windows Firewall exception list | Firewall Change | |
4947 | A rule was modified in the Windows Firewall exception list | Firewall Change | |
4950 | A setting was changed in Windows Firewall | Firewall Change | |
4954 | Group Policy settings for Windows Firewall has changed | Firewall Change | |
4960 | IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. | System | Medium |
4961 | IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. | System | Medium |
4962 | IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. | System | Medium |
4963 | IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt | System | Medium |
4964 | A special group has been assigned to a new log on | Logon/Logoff | High |
4965 | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored | System | Medium |
4976 | During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation | Logon/Logoff | Medium |
4977 | During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation | Logon/Logoff | Medium |
4978 | During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation | Logon/Logoff | Medium |
4983 | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted | Logon/Logoff | Medium |
4984 | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. | Logon/Logoff | Medium |
4985 | The state of a transaction has changed. | Object Access | |
5025 | The Windows Firewall service has been stopped. | System | |
5027 | The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. | System | Medium |
5028 | The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. | System | Medium |
5029 | The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. | System | Medium |
5030 | The Windows Firewall Service failed to start | System | Medium |
5031 | Windows Firewall blocked an application from accepting incoming traffic. | Object Access | |
5035 | The Windows Firewall Driver failed to start | System | Medium |
5037 | The Windows Firewall Driver detected critical runtime error. Terminating | System | Medium |
5038 | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error | System | Medium |
5120 | OCSP Responder Service Started | Object Access | Medium |
5121 | OCSP Responder Service Stopped | Object Access | Medium |
5122 | A configuration entry changed in OCSP Responder Service | Object Access | Medium |
5123 | A configuration entry changed in OCSP Responder Service | Object Access | Medium |
5124 | A security setting was updated on the OCSP Responder Service. | Object Access | High |
5152 | A network packet was blocked by Windows Filtering Platform. | Firewall Change | |
5153 | | Firewall Change | |
5155 | Windows Filtering Platform blocked an application or service from listening on a port. | Firewall Change | |
5157 | Windows Filtering Platform blocked a connection. | Firewall Change | |
5376 | Credential Manager credentials were backed up. | Account Management | Medium |
5377 | Credential Manager credentials were restored from a backup. | Account Management | Medium |
5447 | A Windows Filtering Platform filter was changed. | Firewall Change | |
5453 | An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. | Logon/Logoff | Medium |
5484 | IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. | System | Medium |
5485 | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. | System | Medium |
5827 | The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. | CVE-2020-1472 | Medium |
5828 | The Netlogon service denied a vulnerable Netlogon secure channel connection using a trust account. | CVE-2020-1472 | Medium |
6038 | | | |
6145 | One or more errors occurred while processing security policy in the Group Policy objects. | Policy Change | Medium |
6273 | Network Policy Server denied access to a user. | | Medium |
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
Event Logs Levels from winmeta.h
- WINEVENT_LEVEL_LOG_ALWAYS 0x0
- WINEVENT_LEVEL_CRITICAL 0x1
- WINEVENT_LEVEL_ERROR 0x2
- WINEVENT_LEVEL_WARNING 0x3
- WINEVENT_LEVEL_INFO 0x4
- WINEVENT_LEVEL_VERBOSE 0x5