Suspicious activity on Active Directory! What Events id should I collect from Sentinel?
Active Directory security events id


To gain deep visibility into Active Directory security activity, you should collect a specific set of event IDs from your domain controllers, enough data to detect, protect, and respond effectively. The approach below is an effective method when you do not have advanced tools such as Microsoft Defender for Identity (MDI). From a defensive perspective you have to be clear on how Windows auditing works and which signals you have to collect.

First things first!

What is a Data Collection Rule? Azure Monitor Data Collection Rules (DCRs) are a feature of Azure Monitor that lets you define and manage how data is collected from various sources and ingested into Azure Monitor. DCRs provide a more flexible and granular way to specify data collection settings than the traditional methods.

What is Windows auditing? Windows Auditing is a security feature in Microsoft Windows operating systems that allows administrators to track and record various activities and events occurring within the system. This feature is part of the broader Windows security and monitoring infrastructure, which helps in maintaining the integrity, confidentiality, and availability of information within an organization. Here are some key aspects of Windows Auditing:

Event Logs: Security log, Application log, System log

Audit Policies: Administrators can configure audit policies to specify which types of events to track. These policies can be set at both the local and group policy levels.

Event IDs: Specific numeric codes are assigned to different types of events. For example, Event ID 4624 indicates a successful logon, while Event ID 4625 indicates a failed logon attempt.

Windows Audit Category

Audit policy categories

These nine traditional audit categories comprise an audit policy. Each audit policy category can be enabled for Success, Failure, or Success and Failure events.

All right, let's go and check out the components of our monitoring solution!

  1. Onboard the domain controllers on Azure Arc. Everything you need to know about Azure Arc and its multiple scenarios across the infrastructure universe you will find on the Azure Arc Jumpstart site.
  2. Deploy the Azure Monitor Agent (AMA) extension on each domain controller.

Azure Arc AMA extension

  3. Create a custom Data Collection Rule.

The following Data Collection Rule grabs events that you should monitor in your environment, according to the recommendations provided in Monitoring Active Directory for Signs of Compromise.

Data Collection Rules for Active Directory Potential criticality => High

A potential criticality of High means that one occurrence of the event should be investigated.

Security!*[System[(EventID=4618 or EventID=4649 or EventID=4719 or EventID=4765 or EventID=4766 or EventID=4794 or EventID=4897 or EventID=4964 or EventID=5124)]]

Data Collection Rule for Active Directory Potential criticality => Medium

Potential criticality of Medium or Low means that these events should only be investigated if they occur unexpectedly or in numbers that significantly exceed the expected baseline in a measured period of time.

Security!*[System[(EventID=1102 or EventID=4621 or EventID=4675 or EventID=4692 or EventID=4693 or EventID=4706 or EventID=4713 or EventID=4714 or EventID=4715 or EventID=4716 or EventID=4724 or EventID=4727 or EventID=4735 or EventID=4737 or EventID=4739 or EventID=4754 or EventID=4755 or EventID=4764 or EventID=4780 or EventID=4816 or EventID=4865 or EventID=4866 or EventID=4867 or EventID=4868 or EventID=4870 or EventID=4882)]]

Security!*[System[(EventID=4885 or EventID=4890 or EventID=4892 or EventID=4896 or EventID=4906 or EventID=4907 or EventID=4908 or EventID=4912 or EventID=4960 or EventID=4961 or EventID=4962 or EventID=4963 or EventID=4965 or EventID=4976 or EventID=4977 or EventID=4978 or EventID=4983 or EventID=4984 or EventID=5027 or EventID=5028 or EventID=5029 or EventID=5030 or EventID=5035 or EventID=5037)]]

Security!*[System[(EventID=5038 or EventID=5120 or EventID=5121 or EventID=5122 or EventID=5123 or EventID=5376 or EventID=5377 or EventID=5453 or EventID=5480 or EventID=5483 or EventID=5484 or EventID=5485 or EventID=5827 or EventID=5828 or EventID=6145 or EventID=6273 or EventID=6274 or EventID=6275 or EventID=6276 or EventID=6277 or EventID=6278 or EventID=6279 or EventID=6280 or EventID=24586 or EventID=24592 or EventID=24593 or EventID=24594)]]
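Building these XPath filters by hand is error-prone (a missing "or", a typo in an ID, a query that silently drops a whole criticality tier). The script below is an added example, not code from the article: it keeps the article's High and Medium event ID lists as data, generates the Security! XPath filters in the same form as the queries above, parses them back to verify nothing was lost, and assembles a DCR body you could pass to a command such as az monitor data-collection rule create --rule-file. The stream name "Microsoft-SecurityEvent", the "kind": "Windows" property, the chunk size of 30 IDs per query (the article splits its Medium list into three queries; the script simply keeps each query short) and the workspace resource ID placeholder are assumptions you adjust to your tenant.

```python
"""Generate the Azure Monitor DCR for the AD security events listed in the article.

Added example, not the article's own code. Assumed values: the
"Microsoft-SecurityEvent" stream used by AMA for the SecurityEvent table,
the DCR "kind" property, and a placeholder Log Analytics workspace ID.
"""
import json
import re

# Event IDs taken from the article, grouped by potential criticality.
HIGH_IDS = [4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124]
MEDIUM_IDS = [
    1102, 4621, 4675, 4692, 4693, 4706, 4713, 4714, 4715, 4716, 4724, 4727, 4735,
    4737, 4739, 4754, 4755, 4764, 4780, 4816, 4865, 4866, 4867, 4868, 4870, 4882,
    4885, 4890, 4892, 4896, 4906, 4907, 4908, 4912, 4960, 4961, 4962, 4963, 4965,
    4976, 4977, 4978, 4983, 4984, 5027, 5028, 5029, 5030, 5035, 5037,
    5038, 5120, 5121, 5122, 5123, 5376, 5377, 5453, 5480, 5483, 5484, 5485, 5827,
    5828, 6145, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280, 24586, 24592,
    24593, 24594,
]


def build_xpath(channel, event_ids):
    """Return a filter like Security!*[System[(EventID=4618 or EventID=4649)]]."""
    if not event_ids:
        raise ValueError("at least one EventID is required")
    clause = " or ".join(f"EventID={eid}" for eid in event_ids)
    return f"{channel}!*[System[({clause})]]"


def chunked(seq, size):
    """Split a list into consecutive pieces of at most `size` elements."""
    return [seq[i:i + size] for i in range(0, len(seq), size)]


def extract_event_ids(xpath):
    """Parse the EventIDs back out of a filter, e.g. when reviewing a deployed DCR."""
    return [int(m) for m in re.findall(r"EventID=(\d+)", xpath)]


def build_dcr(workspace_resource_id, location, chunk_size=30):
    """Assemble the DCR resource body (dataSources -> destinations -> dataFlows)."""
    queries = [build_xpath("Security", HIGH_IDS)]
    queries += [build_xpath("Security", part) for part in chunked(MEDIUM_IDS, chunk_size)]
    return {
        "location": location,
        "kind": "Windows",  # assumed: DCR kind for Windows machines
        "properties": {
            "dataSources": {
                "windowsEventLogs": [{
                    "name": "adSecurityEvents",
                    "streams": ["Microsoft-SecurityEvent"],  # assumed stream name
                    "xPathQueries": queries,
                }]
            },
            "destinations": {
                "logAnalytics": [{
                    "name": "laDest",
                    "workspaceResourceId": workspace_resource_id,
                }]
            },
            "dataFlows": [{
                "streams": ["Microsoft-SecurityEvent"],
                "destinations": ["laDest"],
            }],
        },
    }


def verify_coverage(dcr):
    """Return the set of EventIDs the DCR actually filters for, for a self-check."""
    found = set()
    for src in dcr["properties"]["dataSources"]["windowsEventLogs"]:
        for q in src["xPathQueries"]:
            found.update(extract_event_ids(q))
    return found


if __name__ == "__main__":
    # Placeholder workspace ID; replace with your own before deploying.
    ws = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<ws>"
    body = build_dcr(ws, "westeurope")
    assert verify_coverage(body) == set(HIGH_IDS) | set(MEDIUM_IDS)
    print(json.dumps(body, indent=2))
```

The self-check in verify_coverage is the part worth keeping even if you author the DCR in the portal: export the rule's JSON, run the parser over its xPathQueries and compare the result with the list you intended to collect.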

After you create a DCR it will look like the image below.

Data Collection Rules custom

Once you complete this Data Collection Rule (DCR), you will start receiving security events in your Log Analytics workspace, enabling you to detect suspicious activities by configuring Analytic Rules in Microsoft Sentinel.
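The two criticality definitions above (High: investigate every single occurrence; Medium: investigate only when unexpected or well above the expected baseline) are the logic an analytic rule or a triage script has to encode. The following added example, not the article's own code, applies that logic to a batch of constructed SecurityEvent-like records from two invented domain controllers, DC01 and DC02, against an invented per-day baseline. The multiplier of 3x the baseline and the Medium subset used here are assumptions for illustration.

```python
"""Triage collected events by the article's High / Medium investigation criteria.

Added example, not from the original article. Sample events and the baseline
are constructed for illustration.
"""
from collections import Counter

# High: every occurrence is worth a look (the article's High list).
HIGH_IDS = {4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124}
# Medium: a subset of the article's Medium list, enough for the demonstration.
MEDIUM_IDS = {1102, 4724, 4727, 4735, 4737, 4739, 4754, 4755, 4764, 4780,
              6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280}


def triage(events, baseline, multiplier=3.0):
    """Return (EventID, count, reason) tuples that merit investigation.

    events:   iterable of dicts with at least an "EventID" key
    baseline: dict EventID -> expected count for the same period
    """
    counts = Counter(e["EventID"] for e in events)
    findings = []
    for eid, n in sorted(counts.items()):
        if eid in HIGH_IDS:
            findings.append((eid, n, "high: investigate every occurrence"))
        elif eid in MEDIUM_IDS:
            expected = baseline.get(eid, 0)
            if expected == 0:
                # Unexpected: this ID never appeared during the baseline period.
                findings.append((eid, n, "medium: not seen in baseline"))
            elif n > multiplier * expected:
                findings.append((eid, n, f"medium: {n} vs baseline {expected}"))
        # Anything else is collected but not flagged by this rule.
    return findings


# Constructed sample: one day of events from two hypothetical DCs.
SAMPLE_EVENTS = (
    [{"EventID": 4719, "Computer": "DC01"}]           # audit policy changed (High)
    + [{"EventID": 6273, "Computer": "DC02"}] * 120   # NPS denied access (Medium), noisy
    + [{"EventID": 4724, "Computer": "DC01"}] * 5     # password reset attempt (Medium), normal
    + [{"EventID": 1102, "Computer": "DC02"}]         # audit log cleared (Medium), never seen before
    + [{"EventID": 4624, "Computer": "DC01"}] * 500   # successful logon, not in either list
)
# Constructed per-day baseline per EventID.
SAMPLE_BASELINE = {6273: 20, 4724: 8}


if __name__ == "__main__":
    for eid, n, reason in triage(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(f"EventID {eid:5d} x{n:<4d} {reason}")
```

In the sample, 4724 stays quiet because five resets against a baseline of eight is normal volume, while 6273 is flagged for exceeding three times its baseline and 1102 is flagged because it had no baseline at all; 4719 is flagged on its single occurrence.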

Cost efficiency

During a typical business day, with approximately 15,000 users active over 24 hours, the SecurityEvent table recorded an ingestion of 350MB. The image below shows the data size in MB by EventID.

Size in MB by EventID

Now, you can estimate the approximate cost by yourself using the Azure calculator.

Conclusion

  • Windows Auditing is a powerful tool for maintaining security and compliance within a Windows environment, providing administrators with the visibility and control needed to protect their systems and data.
  • Azure Monitor Data Collection Rules provide a powerful and flexible way to manage the collection of monitoring data across your Azure and on-premises environments. By defining precise rules for what data to collect, from where, and how to process it, you can create robust monitoring solutions tailored to your specific needs.
  • You can craft customized security monitoring solutions in a really cost-efficient way.


!!!You might wonder where the information related to Sentinel in this solution is. I will cover that in my next post.!!!

I must mention my friend and colleague, Rodrigo Corvalan, from whom I have learned about monitoring and Sentinel.


More resources

Monitoring Active Directory for Signs of Compromise | Microsoft Learn

Active Directory Domain Services (AD DS) Auditing Step-by-Step Guide | Microsoft Learn

Saeed Karimi Tari

Independent Research Scientist in Blockchain & IT Technologies

9 months

Thanks Aparicio. Utilizing specific event IDs for visibility is critical. For instance, event ID 4625 (failed logon attempts) and 4672 (special privileges assigned) are essential for monitoring potential threats. While MDI provides advanced threat analytics and user behavior insights, it's great to see alternatives for environments without it. Any specific strategies for correlating these events with suspicious activities?

Reply
Patricia Muñoz

Information technology

9 months

Love this

Reply
