Events on a Domain Controller (to filter them out in Splunk)

This is Splunk week; something tells me it will be the only topic over the next few months … After getting the SUF working, I am going to see how to scrounge a license (from a cloud instance).

I know the ideal is to keep everything, but what can you do …

Things I am going to put on the blacklist.

Here is a list with many of them (apparently not all).

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

4662 -> A security package has been loaded by the Local Security Authority (details). Low risk.

566 -> Object Operation (W3 Active Directory) (details). I am not sure about this one; it probably does need to be looked at.

4648 -> A logon was attempted using explicit credentials (details). Another one I have doubts about (a user connects to a server or runs a program locally using alternate credentials).

4634 -> An account was logged off (details).

4768 -> A Kerberos authentication ticket (TGT) was requested (details).

4656 -> A handle to an object was requested (details).

4670 -> Permissions on an object were changed (details).

4663 -> An attempt was made to access an object (details).

4703 -> A token right was adjusted (details).

4658 -> The handle to an object was closed (details).

4688 -> A new process has been created (details).

4689 -> A process has exited (details).

4624 -> An account was successfully logged on (details).

6278 -> Network Policy Server granted full access to a user because the host met the defined health policy (details).

4728 -> A member was added to a security-enabled global group (https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728) -> This one is among the permitted ones.

Have I gone too far? Or have I fallen short?
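As an added example (not from the post), this is what the list above looks like as a Universal Forwarder inputs.conf stanza; it assumes the Security channel is the one being collected and that 566 comes from a legacy 2003-era DC:

```ini
# inputs.conf on the Universal Forwarder (added example). Assumes the Security
# log is the channel being collected; 566 only appears on legacy (2003-era) DCs.
[WinEventLog://Security]
disabled = 0
# Event IDs from the list above. 4728 is left out because the post keeps it.
# 4624 (logon) and 4688 (process creation) are the IDs most detection rules
# depend on: confirm nothing downstream needs them before dropping them here,
# because events blacklisted on the forwarder never reach the indexer.
blacklist = 566,4624,4634,4648,4656,4658,4662,4663,4670,4688,4689,4703,4768,6278
```

The plain `blacklist` form takes a comma-separated list of event IDs or ranges; the `blacklist1 = EventCode=%regex% Message=%regex%` form filters on other fields when a whole ID is too coarse to drop.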
