This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2008-05-06 11:12 AM

Windows Administrative activity and Policy Changes

This is (sort of) my first post so please go easy on me.

I am currently building an alert view to track all changes to an Active Directory domain.  I was wondering what EventIDs people were looking for as well as any creative ways to correlate the information.  So far I am tracking the following messages:

 

Security_643_Security

Security_643_Security:01

Security_643_Security:02

Security_529_Security

Security_529_Security:01

Security_529_Security:02

Security_632_Security

632_Group_Modified
 

I know there are more out there and "what constitutes admin activity" comes to mind.  I am mostly concerned with changes to domain policy and Domain Administrator Groups.

 

Thanks in Advance!

0 Likes
Reply
2 Replies
RSAAdmin
Beginner
Beginner
‎2008-08-11 08:33 AM

Hi,

I have found http://www.microsoft.com/technet/security/guidance/auditingandmonitoring/securitymonitoring/smpgch04...

 to be a great source for eventi-id:s to look for.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-02-03 11:19 AM

This is an old post, but for anyone who runs across it I have found www.ultimatewindowssecurity.com to be an invaluable resource for these types of things. I have signed up for all the webinars I can through this site (nearly all are free) and have used this information to improve my report writing and setting up of alerts. You also receive a link a day or two after each webinar that allows you to download the recorded webinar for viewing later, as well as a download of the slides. The webinars focus heavily on Event Logs, and which events to look for in certain scenarios.
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.