Jonhnathan
a2bf7f088d
* [Security Content] Windows Setup Guides * Move it to the right folder * Fix link * test * ++ * ++ * ++ * ++ * ++ * ++ * ++ * ++ * Fix links * ++ * ++ * Update pyproject.toml * Update docs/audit_policies/windows/sysmon_eventid1_process_creation.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update docs/audit_policies/windows/audit_powershell_scriptblock.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update pyproject.toml --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
1.9 KiB
Audit Computer Account Management
Setup
Some detection rules require monitoring computer account management events to track changes to computer accounts in the domain. Enabling this setting provides visibility into when computer accounts are created, changed, or deleted, which is crucial for detecting potential malicious activity like adding unauthorized computer accounts.
Enable Audit Policy via Group Policy
To enable Audit Computer Account Management events across a group of servers using Active Directory Group Policies, administrators must enable the Audit Computer Account Management policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
Account Management >
Audit Computer Account Management (Success,Failure)
Enable Locally using auditpol
To enable this policy on a local machine, run the following command in an elevated command prompt:
auditpol.exe /set /subcategory:"Computer Account Management" /success:enable /failure:enable
Event IDs
When this audit policy is enabled, the following event IDs may be generated:
- 4741: A computer account was created.
- 4742: A computer account was changed.
- 4743: A computer account was deleted.
Related Rules
Use the following GitHub search to identify rules that use the events listed: