Active Directory Activity
Table of recent Active Directory activity including disabled, deleted and password reset events.
Tags: Identity, monitoring, T1078, T1098
Source: FDR | Level: intermediate | by ByteRay GmbH (cql-hub.com) | 1 min read
Query
// Select the Active Directory audit events and replace the numeric action code with a label.
// The final branch gives "UNKNOWN" (as a string; the original left it unquoted, which reads a field of that name instead).
name=ActiveDirectoryAudit*
| case {
    ActiveDirectoryAuditActionType = 0   | ActiveDirectoryAuditActionType := "CREATED";
    ActiveDirectoryAuditActionType = 1   | ActiveDirectoryAuditActionType := "DELETED";
    ActiveDirectoryAuditActionType = 2   | ActiveDirectoryAuditActionType := "MODIFIED";
    ActiveDirectoryAuditActionType = 4   | ActiveDirectoryAuditActionType := "GROUP_MEMBER_ADDED";
    ActiveDirectoryAuditActionType = 8   | ActiveDirectoryAuditActionType := "GROUP_MEMBER_REMOVED";
    ActiveDirectoryAuditActionType = 16  | ActiveDirectoryAuditActionType := "PASSWORD_CHANGE";
    ActiveDirectoryAuditActionType = 32  | ActiveDirectoryAuditActionType := "PASSWORD_RESET";
    ActiveDirectoryAuditActionType = 64  | ActiveDirectoryAuditActionType := "ENABLED";
    ActiveDirectoryAuditActionType = 128 | ActiveDirectoryAuditActionType := "DISABLED";
    ActiveDirectoryAuditActionType = 256 | ActiveDirectoryAuditActionType := "LOCKED";
    ActiveDirectoryAuditActionType = 512 | ActiveDirectoryAuditActionType := "UNLOCKED";
    * | ActiveDirectoryAuditActionType := "UNKNOWN";
  }
// Collapse identical events on the listed fields (groupBy adds a _count) and show the newest first.
| groupBy([@timestamp, ActiveDirectoryAuditActionType, ComputerName, TargetDomainControllerHostName, DetectName, Severity, AddedPrivileges, GroupMemberAccountName, PerformedOnAccountName, PerformedByAccountObjectName])
| sort(@timestamp, limit=20000)

Explanation
Imported from cql-hub.com. Pipe by pipe: name=ActiveDirectoryAudit* selects the Active Directory audit events from FDR; the next stage rewrites the numeric ActiveDirectoryAuditActionType into a readable label (CREATED, DELETED, MODIFIED, GROUP_MEMBER_ADDED, GROUP_MEMBER_REMOVED, PASSWORD_CHANGE, PASSWORD_RESET, ENABLED, DISABLED, LOCKED, UNLOCKED, and UNKNOWN for any other value); groupBy collapses identical events on the listed fields and adds a count; sort orders the table by @timestamp, newest first, keeping at most 20000 rows.
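To show the same decoding and grouping logic outside the query language, here is an added Python example (not from cql-hub.com or the query's author) that applies the action-type table and the groupBy key to a handful of constructed audit records; only the field names come from the query above, while the event name "ActiveDirectoryAuditSample", the timestamps and the account names are made up, and the assumption that any unmapped or non-numeric code becomes "UNKNOWN" mirrors the query's final branch. It also filters the grouped rows down to the disabled, deleted and password-reset actions the page description singles out.

```python
"""Replicates, in plain Python, what the ActiveDirectoryAudit query does:
decode ActiveDirectoryAuditActionType to a label, group on the same key fields,
and sort by @timestamp newest first. Added example for this page, not
CrowdStrike or cql-hub code. Sample events below are constructed; only the
field names come from the query."""
from collections import Counter

# Numeric code -> label, identical to the query's decoding table.
ACTION_TYPES = {
    0: "CREATED",
    1: "DELETED",
    2: "MODIFIED",
    4: "GROUP_MEMBER_ADDED",
    8: "GROUP_MEMBER_REMOVED",
    16: "PASSWORD_CHANGE",
    32: "PASSWORD_RESET",
    64: "ENABLED",
    128: "DISABLED",
    256: "LOCKED",
    512: "UNLOCKED",
}

# The groupBy() key of the query, in the same order (@timestamp first).
GROUP_FIELDS = (
    "@timestamp", "ActiveDirectoryAuditActionType", "ComputerName",
    "TargetDomainControllerHostName", "DetectName", "Severity",
    "AddedPrivileges", "GroupMemberAccountName", "PerformedOnAccountName",
    "PerformedByAccountObjectName",
)

# Actions the page description singles out (disabled, deleted, password reset).
HIGH_RISK_ACTIONS = {"DISABLED", "DELETED", "PASSWORD_RESET"}


def decode_action_type(code) -> str:
    """Map a raw action-type value (int or string, as FDR fields arrive) to its
    label; anything unmapped or non-numeric becomes "UNKNOWN", like the query's
    final branch (assumption: codes are discrete values, not combined flags)."""
    try:
        return ACTION_TYPES.get(int(code), "UNKNOWN")
    except (TypeError, ValueError):
        return "UNKNOWN"


def summarize(events, limit=20000):
    """name=ActiveDirectoryAudit* | decode | groupBy(GROUP_FIELDS) | sort(@timestamp).
    Returns a list of (key_tuple, count), newest first (sort() defaults to
    descending order), capped at `limit` rows."""
    counts = Counter()
    for ev in events:
        if not str(ev.get("name", "")).startswith("ActiveDirectoryAudit"):
            continue
        row = dict(ev)
        row["ActiveDirectoryAuditActionType"] = decode_action_type(
            row.get("ActiveDirectoryAuditActionType"))
        counts[tuple(row.get(f, "") for f in GROUP_FIELDS)] += 1
    # @timestamp is the first key element, so a tuple sort orders by time first.
    return sorted(counts.items(), key=lambda kv: kv[0], reverse=True)[:limit]


def high_risk_rows(rows):
    """Keep only grouped rows whose decoded action is one the page highlights."""
    return [r for r in rows if r[0][1] in HIGH_RISK_ACTIONS]


def _event(ts, action, on, by, name="ActiveDirectoryAuditSample"):
    # Constructed sample record; the event name and all values are made up.
    return {"name": name, "@timestamp": ts, "ActiveDirectoryAuditActionType": action,
            "ComputerName": "DC01", "TargetDomainControllerHostName": "DC01",
            "DetectName": "", "Severity": "", "AddedPrivileges": "",
            "GroupMemberAccountName": "", "PerformedOnAccountName": on,
            "PerformedByAccountObjectName": by}


SAMPLE_EVENTS = [  # constructed input
    _event("2024-05-01T10:00:00Z", "32", "jdoe", "helpdesk1"),      # password reset
    _event("2024-05-01T10:00:00Z", "32", "jdoe", "helpdesk1"),      # duplicate -> count 2
    _event("2024-05-01T10:05:00Z", "128", "svc-backup", "admin2"),  # account disabled
    _event("2024-05-01T09:59:00Z", "999", "jdoe", "admin2"),        # unmapped code -> UNKNOWN
    _event("2024-05-01T10:06:00Z", "1", "jdoe", "admin2", name="UserLogon"),  # not an AD audit event
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_EVENTS):
        print(n, key[0], key[1], "on", key[8], "by", key[9])
```

Running the script prints three grouped rows, newest first: the DISABLED event, the PASSWORD_RESET pair with a count of 2, and the unmapped code as UNKNOWN; the UserLogon record never passes the event-name filter. The UNKNOWN fallback is worth keeping in the real query too, because a new or unexpected action code would otherwise silently disappear from the table.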
Variables to adjust
Review and adjust the values for your environment: the event-name filter name=ActiveDirectoryAudit*, the limit=20000 on sort(), and the list of fields in groupBy() if you want a narrower or wider table.