Hi Team,
Does SCOM have any capability to monitor AD for signs of compromise?
Are there any specific articles out there that IT teams are using?
Is it a matter of using Event Monitor and looking for potential issues?
Found an article that uses PRTG to do the same:
https://techwithjasmin.com/windows/monitoring-active-directory-for-signs-of-compromise/?utm_campaign=Blog%20Subcription&utm_medium=email&_hsmi=129696736&_hsenc=p2ANqtz-9-wyWp6kfB0-sfs1TbEHd2okcGXtTiYDdBTqXrpWgO4_t27nvmSrzlT3mXU2P0wb0hCDu9oqKbM4O5rFmn3a0JDv7H6gVxk1kYV6MPgBLmpK3uobo&utm_content=129636362&utm_source=hs_email
Which one of these would be appropriate to use:
Current Windows Event ID | Legacy Windows Event ID | Potential Criticality | Event Summary
------------------------ | ----------------------- | --------------------- | -------------
4618                     | N/A                     | High                  | A monitored security event pattern has occurred.
4649                     | N/A                     | High                  | A replay attack was detected. May be a harmless false positive due to misconfiguration error.
4719                     | 612                     | High                  | System audit policy was changed.
4765                     | N/A                     | High                  | SID History was added to an account.
4766                     | N/A                     | High                  | An attempt to add SID History to an account failed.
4794                     | N/A                     | High                  | An attempt was made to set the Directory Services Restore Mode.
4897                     | 801                     | High                  | Role separation enabled.
4964                     | N/A                     | High                  | Special groups have been assigned to a new logon.
5124                     | N/A                     | High                  | A security setting was updated on the OCSP Responder Service.
1102                     | 517                     | Medium to High        | The audit log was cleared.
4692                     | N/A                     | Medium                | Backup of data protection master key was attempted.
4706                     | 610                     | Medium                | A new trust was created to a domain.
4713                     | 617                     | Medium                | Kerberos policy was changed.
4715                     | N/A                     | Medium                | The audit policy (SACL) on an object was changed.
4716                     | 620                     | Medium                | Trusted domain information was modified.
4816                     | N/A                     | Medium                | RPC detected an integrity violation while decrypting an incoming message.
4625                     | 529-537, 539            | Low                   | An account failed to log on.
4648                     | 552                     | Low                   | A logon was attempted using explicit credentials.
4657                     | 567                     | Low                   | A registry value was modified.
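Added example, not from the poster or from SCOM: a PowerShell check that pulls exactly the event IDs in the table above from a domain controller's Security log and tags each with the table's criticality, so you can see what the same rule would catch before turning it into a SCOM event monitor. It assumes it runs on (or with -ComputerName against) a DC where the matching audit subcategories are enabled; the look-back window and the noisy-event threshold are assumptions you can change.

```powershell
# Criticality per event ID, copied from the table in the post.
$Criticality = @{
    4618 = 'High'; 4649 = 'High'; 4719 = 'High'; 4765 = 'High'; 4766 = 'High'
    4794 = 'High'; 4897 = 'High'; 4964 = 'High'; 5124 = 'High'
    1102 = 'Medium to High'
    4692 = 'Medium'; 4706 = 'Medium'; 4713 = 'Medium'; 4715 = 'Medium'
    4716 = 'Medium'; 4816 = 'Medium'
    4625 = 'Low'; 4648 = 'Low'; 4657 = 'Low'
}
# Rank used for sorting so High events surface first.
$Rank = @{ 'High' = 0; 'Medium to High' = 1; 'Medium' = 2; 'Low' = 3 }

$Since = (Get-Date).AddHours(-24)     # look-back window (assumption)

# One query for all listed IDs; no matches is not an error.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($Criticality.Keys)
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Summary by ID: Low-criticality IDs such as 4625 are high-volume on a DC,
# so count them rather than listing every record.
$Summary = $Events | Group-Object Id | ForEach-Object {
    $id = [int]$_.Name
    [pscustomobject]@{
        Id          = $id
        Criticality = $Criticality[$id]
        Count       = $_.Count
        FirstSeen   = ($_.Group | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
        LastSeen    = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
    }
}
$Summary | Sort-Object { $Rank[$_.Criticality] }, Count -Descending | Format-Table -AutoSize

# Detail for everything rated above Low: these are rare enough to read one by one.
$Events | Where-Object { $Criticality[$_.Id] -ne 'Low' } | ForEach-Object {
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Id          = $_.Id
        Criticality = $Criticality[$_.Id]
        Computer    = $_.MachineName
        Message     = ($_.Message -split "`r?`n")[0]   # first line of the message only
    }
} | Sort-Object { $Rank[$_.Criticality] }, TimeCreated | Format-Table -AutoSize
```

If nothing at all comes back for a High ID over a long window, check the audit policy (auditpol /get /category:*) before assuming the DC is clean, since these events only exist when the relevant subcategory is audited.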