AD_Audit_Policy_Change
ID: 100274
Description:
EventID 4719: System audit policy was changed
Repository: Fluency Group: AD Type: event
Default Status:
Enabled
| Tags: | ||
|---|---|---|
| ActiveDirectory | AD | Active Directory |
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @eventType | nxlogAD |
| @fields.EventID | 4719 |
| Field | MUST NOT hit |
|---|---|
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @fields.Hostname | asset | application activity |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
| Timeline | 0 | - |
Attributes:
| Alias | Key |
|---|---|
| Hostname | @fields.Hostname |
| Category | @fields.Category |
| Subcategory | @fields.Subcategory |
| TaskCategory | @fields.TaskCategory |
| AuditPolicyChanges | @fields.AuditPolicyChanges |
| SubjectFullName | @fields.SubjectFullName |
| Message | @message |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| NewUser | 30 days | @fields.SubjectUserName |
| Risks: | ML_NEW_USER | |
| NewTaskCategory | 30 days | @fields.TaskCategory |
| Risks: | ML_NEW_SERVICE | |
| NewCategory | 30 days | @fields.Category |
| Risks: | ML_NEW_APP | |
| NewSubcategory | 30 days | @fields.Subcategory |
| Risks: | ML_NEW_APP |
Aggregation:
| Name | Window | Field | AggType | Match |
|---|---|---|---|---|
| MultipleAlerts | 1 hour | count | gt 150 | |
| Risks: | BANDWIDTH_ANOMALY |
History:
| User | Date |
|---|---|
| ho*d@fluencysecurity.com | 2021 Jul 15 15:08:27 EDT |
| ho*d@fluencysecurity.com | 2021 Jul 30 18:45:20 EDT |
| ku*n@fluencysecurity.com | 2022 Feb 17 14:19:45 EST |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)