Detecting Active Directory Activity

Hi Everyone,

Is it possible to detect Active Directory activity with Winlogbeat?
i.e.
- A new user getting created
- A user being deleted
- Password resets

If yes, can someone point me to documentation that I can follow.


Winlogbeat doesn't detect activity per se. It reads the events that are already being reported to the Windows event log and then sends them to Elasticsearch.

So yes, if your Security event log contains events reported by Active Directory then Winlogbeat will capture them and write them to Elasticsearch.

When a user is deleted then Event ID 4726 will be logged to the Security channel. And similarly when a password is reset Event ID 4724 is logged.

If you install Elastic Agent it will send the logs from the Security channel to Elasticsearch by default. That data can be used with the SIEM.
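Added example, not part of the reply above or of Winlogbeat itself: a small Python script that applies the answer's logic to Winlogbeat-style JSON events (Security channel, `winlog.event_id`, `winlog.event_data.TargetUserName` / `SubjectUserName` as Winlogbeat writes them). It maps the event IDs named in the thread (4726 deletion, 4724 password reset) plus 4720, which is the standard Windows ID for account creation and is not mentioned in the thread, to the three activities the question asks about. The sample events are constructed for illustration.

```python
import json

# Security event IDs for the activities asked about in the question.
# 4724 and 4726 are from the reply above; 4720 (account created) is standard
# Windows Security log documentation, added here, not from the thread.
AD_EVENTS = {
    4720: "user account created",
    4724: "password reset attempted",
    4726: "user account deleted",
}


def classify(event):
    """Return a summary dict for an AD account-management event, else None.

    `event` is one Winlogbeat JSON document (ECS layout, winlog.* fields).
    """
    winlog = event.get("winlog", {})
    if winlog.get("channel") != "Security":
        return None
    try:
        event_id = int(winlog["event_id"])  # Winlogbeat stores the ID as a string
    except (KeyError, TypeError, ValueError):
        return None
    activity = AD_EVENTS.get(event_id)
    if activity is None:
        return None
    data = winlog.get("event_data", {})
    return {
        "event_id": event_id,
        "activity": activity,
        "target": data.get("TargetUserName"),   # account that was changed
        "actor": data.get("SubjectUserName"),   # account that made the change
        "host": event.get("host", {}).get("name"),
    }


def detect(ndjson_lines):
    """Scan newline-delimited JSON events and return the AD activity found."""
    hits = []
    for line in ndjson_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        hit = classify(event)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample events in Winlogbeat's output shape (not real log data).
SAMPLE_EVENTS = """
{"host":{"name":"DC01"},"winlog":{"channel":"Security","event_id":"4726","event_data":{"TargetUserName":"jdoe","SubjectUserName":"admin1"}}}
{"host":{"name":"DC01"},"winlog":{"channel":"Security","event_id":"4624","event_data":{"TargetUserName":"svc_backup"}}}
{"host":{"name":"DC01"},"winlog":{"channel":"Security","event_id":"4724","event_data":{"TargetUserName":"asmith","SubjectUserName":"helpdesk2"}}}
{"host":{"name":"DC02"},"winlog":{"channel":"Security","event_id":"4720","event_data":{"TargetUserName":"newhire","SubjectUserName":"admin1"}}}
{"host":{"name":"WS07"},"winlog":{"channel":"System","event_id":"4726"}}
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS.splitlines()):
        print(f'{hit["host"]}: {hit["activity"]} target={hit["target"]} by={hit["actor"]}')
```

The channel check matters: only events actually written to the Security log on a domain controller carry the account-management IDs, so an ID seen on another channel or host is not the activity the question is about. In production the same mapping would be expressed as a SIEM detection rule on `winlog.channel` and `event.code` rather than a script over exported NDJSON.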

Thank you, I can see the events.