I’ve recently been asked to analyze admin behavior in an on-prem Windows AD forest. The question was whether I knew of a cloud-based solution that could do the job. Me: “Hold my beer…!”
Windows Server Active Directory can log every security group membership change in the domain controllers’ Security event log. All you need to do is enable the relevant audit subcategory (Audit Security Group Management, found under Account Management in the Advanced Audit Policy Configuration) in a Group Policy Object (GPO) that is created and linked to the Domain Controllers organizational unit (OU). Note that on a domain controller the “local group” events also cover domain local groups such as Administrators. As you know, it’s no fun to dig through a production DC’s Security event log, since thousands of entries are written there every minute. From a security point of view, however, it’s important to monitor changes to the security groups whose membership grants privileged access. This is where a robust monitoring solution comes into play.
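Before shipping anything to the cloud it is worth checking on a DC that the audit setting is really in effect and that the six group-change events are being written. The following is an added PowerShell example (not from the original post) to run in an elevated session on a domain controller: it reads the audit subcategory with auditpol (by GUID, so it works on localized systems), pulls the six event IDs from the local Security log for the last 24 hours, and aggregates them per group. The “Admin” filter and the 24-hour window are assumptions that mirror the dashboard query used later in the post.

```powershell
# Added example (not part of the original post): verify on a domain controller that
# "Audit Security Group Management" is enabled and that membership-change events
# actually arrive in the Security log. Run in an elevated PowerShell session on a DC.

# Subcategory GUID for Security Group Management (stable across languages).
$subGuid = '{0CCE9237-69AE-11D9-BED3-505054503030}'

# /r gives CSV output; drop blank lines before parsing it.
$row = auditpol.exe /get /subcategory:"$subGuid" /r |
    Where-Object { $_ } | ConvertFrom-Csv

if ($row.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning "Security Group Management auditing is '$($row.'Inclusion Setting')'."
    Write-Warning "Enable it for Success in the GPO linked to the Domain Controllers OU:"
    Write-Warning "Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Management"
    # A local 'auditpol /set' would only be a temporary test; GPO overwrites it on refresh.
}

# The six membership-change events for global, local and universal security groups.
$ids = 4728, 4729, 4732, 4733, 4756, 4757

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddHours(-24)   # assumption: same 24h window as the dashboard
} -ErrorAction SilentlyContinue            # "no events found" is a non-terminating error

# In the event XML the group is TargetUserName/TargetDomainName, the member is
# MemberName (a distinguished name) and the actor is SubjectUserName. Reading the
# fields by name is more robust than indexing $e.Properties positionally.
$changes = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Event  = $e.Id
        Action = $(if ($e.Id -in 4728, 4732, 4756) { 'added' } else { 'removed' })
        Group  = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Member = $d.MemberName
        Actor  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
    }
}

# Per-group count for admin groups, the same aggregation the overview tile shows.
$changes | Where-Object Group -like '*Admin*' |
    Group-Object Group | Sort-Object Count -Descending |
    Select-Object Count, Name

# Full detail, useful to confirm who changed what before trusting the dashboard.
$changes | Sort-Object Time | Format-Table Time, Event, Action, Group, Member, Actor -AutoSize
```

If the audit setting reports “No Auditing” on one DC but not the others, check GPO inheritance on the Domain Controllers OU; the policy has to reach every DC, because a group change is logged only on the DC that processed it.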
Configure the cloud service
The cloud solution I had in mind was Azure Log Analytics. To get Windows Security events into your Log Analytics workspace you first need to install the Log Analytics agent on all of your domain controllers and connect the agents to your workspace. In a second step you need to enable the Security & Audit management solution. Keep in mind that this solution is part of Azure Security Center, not of Azure Log Analytics, which means different pricing applies! Once the solution is deployed you will find the Security event log entries in your log search:
SecurityEvent | summarize Count=count() by Activity | sort by Count desc
The log search is fine for testing, but it isn’t very practical if you always have to run one or more queries by hand to see what is going on in your environment. This is why I decided to create a custom view for the Log Analytics overview dashboard that lets you see admin security group changes in your environment at a glance.
The overview tile (left) shows the total number of membership changes to local, global and universal security groups on all monitored servers, together with a list of the top three groups. By default you see the last 24 hours, but you can change the time range in the upper left corner of the Log Analytics dashboard. Clicking into the overview tile opens the detailed dashboard. The first view shows how many accounts have been added to or removed from the admin security groups and when the changes happened; it is a combined view across all monitored domain controllers. The second column breaks the changes down by the computer account (the domain controller) on which the group membership was changed, and the third graphic shows how often each security group was changed.
Behind each of these dashboard graphics is a filter query that summarizes the output by the object type the respective graphic focuses on. The key is knowing which EventIDs to look for:
SecurityEvent | where EventID in (4728, 4729, 4732, 4733, 4756, 4757) and TargetAccount contains "Admin" and TimeGenerated > ago(24h) | summarize AggregatedValue = count() by TargetAccount | order by AggregatedValue desc
The EventIDs are:
4728: A member was added to a security-enabled global group
4729: A member was removed from a security-enabled global group
4732: A member was added to a security-enabled local group
4733: A member was removed from a security-enabled local group
4756: A member was added to a security-enabled universal group
4757: A member was removed from a security-enabled universal group
The query above is the one I used for the aggregated view on the overview dashboard.
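The detail views are the same filter summarized by a different column: by action over time, by the domain controller that recorded the change, and by the group that was touched. As an added example (not the post’s own dashboard definition), here are those three aggregations run against the workspace from PowerShell, so they can be scripted or scheduled outside the portal. It assumes the Az.Accounts and Az.OperationalInsights modules are installed and Connect-AzAccount has been run; the workspace ID is a placeholder, and the hourly bucket and the make_set of member names are my choices, not taken from the original view.

```powershell
# Added example (not part of the original post): the three per-object-type
# aggregations behind the detail dashboard, executed against the workspace with
# Invoke-AzOperationalInsightsQuery. Assumes Az.Accounts and Az.OperationalInsights
# are installed and Connect-AzAccount has been run.

$workspaceId = '00000000-0000-0000-0000-000000000000'   # assumption: replace with your workspace ID
$lookback    = New-TimeSpan -Hours 24                   # same window as the dashboard query

# Shared filter: the six membership-change events, admin groups only.
# In SecurityEvent, TargetAccount is the group and MemberName is the member (a DN).
$base = @'
SecurityEvent
| where EventID in (4728, 4729, 4732, 4733, 4756, 4757)
| where TargetAccount contains "Admin"
'@

$tails = [ordered]@{
    # First dashboard column: adds vs. removes, bucketed per hour (bucket size is my choice).
    ByAction   = @'
| extend Action = iff(EventID in (4728, 4732, 4756), "added", "removed")
| summarize Changes = count() by Action, bin(TimeGenerated, 1h)
| order by TimeGenerated asc
'@
    # Second column: which domain controller recorded the change.
    ByComputer = @'
| summarize Changes = count() by Computer
| order by Changes desc
'@
    # Third graphic: which group was changed, plus the members involved.
    ByGroup    = @'
| summarize Changes = count(), Members = make_set(MemberName) by TargetAccount
| order by Changes desc
'@
}

foreach ($name in $tails.Keys) {
    # Comma binds tighter than -join, so this joins the two fragments with a newline.
    $query  = $base, $tails[$name] -join "`n"
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query -Timespan $lookback
    "`n== $name =="
    $result.Results | Format-Table -AutoSize
}
```

Keeping the event filter in one shared fragment means that when you widen the group filter (for example to groups that don’t contain “Admin” in their name but still grant privilege) all three views change together.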
Feel free to use it
The dashboard does a pretty good job of showing me what’s going on in terms of security group memberships, but that doesn’t mean I’m finished. The beauty is that you can always add dashboards, change queries and then save, export and even share the configuration as a .json file. That is what I have done with this custom view. You can find the configuration file in my GitHub account. Feel free to use it in your environments, I hope you like it!