saiyadrahim-9078 asked LeonLaude answered

SCOM 2012R2 - Monitoring Active Directory for Signs of Compromise

Hi Team,

Does SCOM have any capability to monitor AD for signs of compromise?
Are there any specific articles out there that IT teams are using?

Is it a matter of using Event Monitor and looking for potential issues?

Found an article that uses PRTG to do the same:
https://techwithjasmin.com/windows/monitoring-active-directory-for-signs-of-compromise/?utm_campaign=Blog%20Subcription&utm_medium=email&_hsmi=129696736&_hsenc=p2ANqtz-9-wyWp6kfB0-sfs1TbEHd2okcGXtTiYDdBTqXrpWgO4_t27nvmSrzlT3mXU2P0wb0hCDu9oqKbM4O5rFmn3a0JDv7H6gVxk1kYV6MPgBLmpK3uobo&utm_content=129636362&utm_source=hs_email

Which one of these would be appropriate to use:

| Current Windows Event ID | Legacy Windows Event ID | Potential Criticality | Event Summary |
|---|---|---|---|
| 4618 | N/A | High | A monitored security event pattern has occurred. |
| 4649 | N/A | High | A replay attack was detected. May be a harmless false positive due to misconfiguration error. |
| 4719 | 612 | High | System audit policy was changed. |
| 4765 | N/A | High | SID History was added to an account. |
| 4766 | N/A | High | An attempt to add SID History to an account failed. |
| 4794 | N/A | High | An attempt was made to set the Directory Services Restore Mode. |
| 4897 | 801 | High | Role separation enabled: |
| 4964 | N/A | High | Special groups have been assigned to a new logon. |
| 5124 | N/A | High | A security setting was updated on the OCSP Responder Service |
| 1102 | 517 | Medium to High | The audit log was cleared |
| 4692 | N/A | Medium | Backup of data protection master key was attempted. |
| 4706 | 610 | Medium | A new trust was created to a domain. |
| 4713 | 617 | Medium | Kerberos policy was changed. |
| 4715 | N/A | Medium | The audit policy (SACL) on an object was changed. |
| 4716 | 620 | Medium | Trusted domain information was modified. |
| 4816 | N/A | Medium | RPC detected an integrity violation while decrypting an incoming message. |
| 4625 | 529-537,539 | Low | An account failed to log on. |
| 4648 | 552 | Low | A logon was attempted using explicit credentials. |
| 4657 | 567 | Low | A registry value was modified. |



msc-operations-manager

@saiyadrahim-9078, For the signs of compromise for AD, based on my research, it may be considered a compromise when some event logs occur abnormally in a short time, or there are a lot of authentications from some abnormal IP address, etc. This is not only by seeing an event, but by some abnormal actions. So I think SCOM is not the best tool for such a situation:

From Microsoft, there's a product called Azure ATP that can help with this. We can see more details at the following link:
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/introducing-azure-advanced-threat-protection/ba-p/250332

Hope it can help.


1 Answer

LeonLaude answered

Hi @saiyadrahim-9078,

SCOM can monitor any event in the event log, but by default I don't believe it will monitor the events that you've listed.

You can always author your own management pack to achieve this, or simply create rules/monitors for these specific events or anything else that you may see as a potential risk.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)


Best regards,
Leon

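As an added example (not code from the thread, from Leon, or from any Microsoft management pack), here is a PowerShell check that pulls the event IDs from the table in the question out of a domain controller's Security log and ranks them by the table's criticality. It is useful in two ways: run by hand, it confirms that the audit policy on the DC actually produces these events before you spend time authoring rules; dropped into a SCOM PowerShell script rule, the same watchlist becomes the detection logic. The computer name `DC01`, the 24-hour window and the function name are assumptions for illustration; the ID-to-criticality mapping is copied verbatim from the question.

```powershell
function Get-AdCompromiseIndicators {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a DC; default is the local machine
        [int]$HoursBack = 24                          # assumed window, adjust to taste
    )

    # Event ID -> criticality, copied from the table in the question.
    # 1102 is written by the Eventlog service itself; the rest come from
    # Microsoft-Windows-Security-Auditing, all in the Security log.
    $Watchlist = @{
        4618 = 'High'; 4649 = 'High'; 4719 = 'High'; 4765 = 'High'; 4766 = 'High'
        4794 = 'High'; 4897 = 'High'; 4964 = 'High'; 5124 = 'High'
        1102 = 'Medium to High'
        4692 = 'Medium'; 4706 = 'Medium'; 4713 = 'Medium'; 4715 = 'Medium'
        4716 = 'Medium'; 4816 = 'Medium'
        4625 = 'Low'; 4648 = 'Low'; 4657 = 'Low'
    }
    $Rank = @{ 'High' = 0; 'Medium to High' = 1; 'Medium' = 2; 'Low' = 3 }

    # One server-side filter for every ID at once is far cheaper than one query per ID.
    $Filter = @{
        LogName   = 'Security'
        Id        = [int[]]$Watchlist.Keys
        StartTime = (Get-Date).AddHours(-$HoursBack)
    }

    try {
        $Events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $Filter -ErrorAction Stop)
    }
    catch {
        # Get-WinEvent reports "nothing matched" as a terminating error; for this
        # check an empty result is a legitimate (quiet) outcome, not a failure.
        if ($_.Exception.Message -like 'No events were found*') { $Events = @() } else { throw }
    }

    $Events |
        Group-Object -Property Id |
        ForEach-Object {
            $id     = [int]$_.Name
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                EventId     = $id
                Criticality = $Watchlist[$id]
                Count       = $_.Count
                LastSeen    = $latest.TimeCreated
                # First line of the newest message is the event's own one-line summary.
                Summary     = ($latest.Message -split "`r?`n")[0]
            }
        } |
        Sort-Object -Property @{ Expression = { $Rank[$_.Criticality] } },
                              @{ Expression = 'Count'; Descending = $true }
}

# Usage from a DC, or from a management server against one (DC01 is a placeholder).
# Needs Event Log Readers membership (or admin) on the target.
Get-AdCompromiseIndicators -ComputerName 'DC01' -HoursBack 24 | Format-Table -AutoSize
```

Two practical caveats. First, if the High rows never show up at all, check `auditpol /get /category:*` on the DC before concluding the environment is clean: most of these IDs are only generated when the matching advanced audit policy subcategory (for example Audit Policy Change, User Account Management, Logon) is enabled, and a DC with default or legacy audit settings will stay silent. Second, when you move this into SCOM, the Low rows (4625, 4648, 4657) are high-volume on any busy DC, so put them in a separate collection rule or a count-based threshold rather than a one-event-one-alert rule, and reserve alert-generating rules for the High and Medium IDs; otherwise the alert noise buries the 1102 or 4765 you actually want to see.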