-
Notifications
You must be signed in to change notification settings - Fork 268
/
Account-Management.xml
98 lines (98 loc) · 5.9 KB
/
Account-Management.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
<SubscriptionId>Account-Management</SubscriptionId>
<SubscriptionType>SourceInitiated</SubscriptionType>
<Description>Events pertaining to account changes. Passwords, groups, status, etc.</Description>
<Enabled>true</Enabled>
<Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
<ConfigurationMode>Custom</ConfigurationMode>
<Delivery Mode="Push">
<Batching>
<MaxItems>1</MaxItems>
<MaxLatencyTime>300000</MaxLatencyTime>
</Batching>
<PushSettings>
<Heartbeat Interval="1800000"/>
</PushSettings>
</Delivery>
<Query><![CDATA[
<QueryList>
<!-- Inspired by Microsoft Documentation and/or IADGOV -->
<Query Id="0" Path="Security">
<!-- 4627: Group Membership Information -->
<Select Path="Security">*[System[(EventID=4627)]]</Select>
<!-- 4703: A user right was adjusted. -->
<!-- 4704: A user right (privilege) was assigned. -->
<!-- 4704: A user right (privilege) was removed. -->
<Select Path="Security">*[System[(EventID=4703 or EventID=4704 or EventID=4705)]]</Select>
<!-- 4720: A user account was created. -->
<Select Path="Security">*[System[(EventID=4720)]]</Select>
<!-- 4722: A user account was enabled. -->
<!-- 4723: Attempt was made to change account's password. -->
<!-- 4724: An attempt was made to reset an account's password. -->
<!-- 4725: A user account was disabled. -->
<!-- 4726: A user account was deleted. -->
<!-- 4727: A security-enabled global group was created. -->
<!-- 4728: A member was added to a security-enabled global group. -->
<!-- 4729: A member was removed to a security-enabled global group. -->
<!-- 4730: A security-enabled global group was deleted. -->
<!-- 4731: A security-enabled local group was created. -->
<!-- 4732: A member was added to a security-enabled local group. -->
<!-- 4733: A member was removed from a security-enabled local group. -->
<!-- 4734: A security-enabled local group was deleted. -->
<!-- 4735: Modification of Security-enabled groups -->
<!-- 4737: A security-enabled global group was changed. -->
<!-- 4738: A user account was changed. -->
<!-- 4739: Domain Policy was changed. -->
<!-- 4741: A computer account was created. -->
<!-- 4742: A computer account was changed. -->
<!-- 4743: A computer account was deleted. -->
<!-- 4744: A security-disabled local group was created. -->
<!-- 4745: A security-disabled local group was changed. -->
<!-- 4746: A member was added to a security-disabled local group. -->
<!-- 4747: A member was removed from a security-disabled local group. -->
<!-- 4748: A security-disabled local group was deleted. -->
<!-- 4749: A security-disabled global group was created. -->
<!-- 4750: A security-disabled global group was changed. -->
<!-- 4751: A member was added to a security-disabled global group. -->
<!-- 4752: A member was removed from a security-disabled global group. -->
<!-- 4753: A security-disabled global group was deleted. -->
<!-- 4754: A security-enabled universal group was created. -->
<!-- 4755: A security-enabled universal group was changed. -->
<!-- 4756: A security-enabled universal group was changed. -->
<!-- 4757: A security-enabled universal group was changed. -->
<!-- 4758: A security-enabled universal group was created. -->
<!-- 4759: A security-disabled universal group was created. -->
<!-- 4760: A security-disabled universal group was changed. -->
<!-- 4761: A member was added to a security-disabled universal group. -->
<!-- 4762: A member was removed from a security-disabled universal group. -->
<!-- 4763: A security-disabled universal group was deleted. -->
<!-- 4764: A group's type was changed. -->
<!-- 4765: SID History was added to an account. -->
<!-- 4766: An attempt to add SID History to an account failed. -->
<!-- 4767: A user account was unlocked. -->
<Select Path="Security">*[System[(EventID >=4722 and EventID <=4735)]]</Select>
<Select Path="Security">*[System[(EventID >=4737 and EventID <=4739)]]</Select>
<Select Path="Security">*[System[(EventID >=4741 and EventID <=4767)]]</Select>
<!-- 4780: The ACL was set on accounts which are members of administrators group. -->
<!-- 4781: The name of an account was changed. -->
<!-- 4782: The password hash an account was accessed. -->
<Select Path="Security">*[System[(EventID >=4780 and EventID <=4782)]]</Select>
<!-- 4793: The Password Policy Checking API was called. -->
<!-- 4794: An attempt was made to set the Directory Services Restore Mode administrator password. -->
<Select Path="Security">*[System[(EventID=4793 or EventID=4794)]]</Select>
<!-- 4798: A user's local group membership was enumerated. -->
<!-- 4799: A security-enabled local group membership was enumerated. -->
<Select Path="Security">*[System[(EventID=4798 or EventID=4799)]]</Select>
<!-- 5376: Credential Manager credentials were backed up. -->
<!-- 5377: Credential Manager credentials were restored from a backup. -->
<Select Path="Security">*[System[(EventID=5376 or EventID=5377)]]</Select>
</Query>
</QueryList>]]></Query>
<ReadExistingEvents>true</ReadExistingEvents>
<TransportName>http</TransportName>
<ContentFormat>RenderedText</ContentFormat>
<Locale Language="en-US"/>
<LogFile>WEC3-Account-Management</LogFile>
<AllowedSourceNonDomainComputers/>
<AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>