Detecting Active Directory Activity

Oolong · July 20, 2024, 2:58pm

Hi Everyone,

Is it possible to detect active directory activity with winlogbeat ?
i.e. - A new user getting created
- A user being deleted
- Password resets

If yes, can someone point me to documentation that i can follow.

Oolong · July 20, 2024, 3:24pm

Removed dashboard, elastic-stack-alerting

andrewkroh · July 20, 2024, 6:50pm

Winlogbeat doesn't detect activity per se. It reads the events that are already being reported to the Windows event log and then sends them to Elasticsearch.

So yes, if your Security event log contains events reported by Active Directory then Winlogbeat will capture them and write them to Elasticsearch.

When a user is deleted then Event ID 4726 will be logged to the Security channel. And similarly when a password is reset Event ID 4724 is logged.

If you install Elastic Agent it will send the logs from the Security channel to Elasticsearch by default. That data can be used with the SIEM.

Oolong · July 20, 2024, 8:12pm

Thank you, i can see the events.

Topic		Replies	Views
Winlogbeat event id missing Beats winlogbeat	5	510	January 17, 2022
Winlogbeat not reading event id Beats winlogbeat	1	362	January 6, 2022
Reporting Windows Security Events in Kibana Beats winlogbeat	4	5384	April 12, 2016
Correlation of Windows Event ID's Beats winlogbeat	10	2801	January 9, 2018
Winlogbeat Not Logging All Event ID Beats winlogbeat	1	312	April 22, 2022

Detecting Active Directory Activity

Related Topics