Active Directory Change Auditing

Elastic Stack Logstash
1

Hi Folks,

I'm interesting in logging Event IDs 5136 (Directory Service Changes - A directory service object was modified.).

i'm already using WinLogBeats to capture login/logout events, that was pretty straight forward and easy!.

But the logging directory change events is whole different story.

Every modification in active directory change is audit has the following structure:

If the change purpose is modification attribute that already has value, 2 events is written.
(the connection between the events is field name "Correlation ID" or as logged using WinLogBeats as OpCorrelationID)
If the change is clearing attribute value, only the 1 event written.

the first event say the value deleted and what was the old value.

A directory service object was modified.

Subject:
Security ID: FOREST\XXX XXX
Account Name: XXX XXX
Account Domain: FOREST
Logon ID: 0x50D63

Directory Service:
Name: forest.local
Type: Active Directory Domain Services

Object:
DN: CN=XXX XXX,CN=Users,DC=forest,DC=local
GUID: CN=XXX XXX,CN=Users,DC=forest,DC=local
Class: user

Attribute:
LDAP Display Name: description
Syntax (OID): 2.5.5.12
Value: a

Operation:
Type: Value Deleted
Correlation ID: {7143b205-d541-42b9-b5c6-ecc78c4c7774}
Application Correlation ID: -

the second event that the value added and what is the new value.

A directory service object was modified.

Subject:
Security ID: FOREST\XXX
Account Name: XXX XXX
Account Domain: FOREST
Logon ID: 0x50D63

Directory Service:
Name: forest.local
Type: Active Directory Domain Services

Object:
DN: CN=XXX XXX,CN=Users,DC=forest,DC=local
GUID: CN=XXX XXX,CN=Users,DC=forest,DC=local
Class: user

Attribute:
LDAP Display Name: description
Syntax (OID): 2.5.5.12
Value: ab

Operation:
Type: Value Added
Correlation ID: {7143b205-d541-42b9-b5c6-ecc78c4c7774}
Application Correlation ID: -

After spending few hours in reading about Logstash Aggregation, do the fantastic community has insights how to use it or someone already deploy this usages?

the purpose is holding one document for every change, include the old value and new value.

Regards,

2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.