Enable auditing access to AD domain objects - 4662 - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2025-01-26
Category: Administrator Guide

  1. Log in to a Domain Controller as a domain admin.

  2. In the Start menu, under Administrative Tools, open Active Directory Users and Computers.

  3. In the left pane, locate the domain you want to audit. This will typically be the name of your network.

  4. To see more details, in the View menu, select Advanced Features.

  5. To view detailed information about your domain, right-click its name and select Properties.

  6. Click the Security tab, usually located near the top of the Properties window.

  7. Click Advanced, which is located within the Security tab or near the bottom of the window.

  8. In the Advanced Security Settings window that opens, select the Auditing tab and click Add.

  9. Click Select a principal.

  10. In the window that opens, under Enter the object name to select, type Everyone, click Check Names, and then click OK.

  11. In the Auditing Entry window, do the following:

    • Type: To track only successful attempts, select Success.

    • Applies to: To monitor actions by users within this group and any subgroups, select Descendant User objects.

    • Permissions: To remove any existing permissions from this audit entry, click Clear all.

    • Scroll up to Permissions to view the list of permissions. Select the Full Control checkbox, which automatically selects all the individual permissions below it.

    • Uncheck the boxes next to the following:

      • List contents

      • Read all properties

      • Read permissions

    • Click OK to save the changes.

  12. Repeat step 11, with the following values in Applies to:

    • Descendant Group Objects

    • Descendant Computer Objects

    • Descendant msDS-GroupManagedServiceAccount Objects

    • Descendant msDS-ManagedServiceAccount Objects
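
To confirm that steps 11 and 12 produced the intended auditing entries, the following read-only check lists what is set on the domain root for each of the five object classes. It is an added example, not part of the Cortex XSIAM documentation, and it assumes the ActiveDirectory PowerShell module and an elevated session on the Domain Controller under an account that can read the SACL.

```powershell
# Added example: read-only check of the auditing entries (SACL) on the domain root.
# Assumes the ActiveDirectory module (RSAT) and an elevated domain admin session.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$domainDn = (Get-ADDomain).DistinguishedName
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# Object classes behind the "Applies to" values in steps 11 and 12.
$classes = 'user', 'group', 'computer',
           'msDS-GroupManagedServiceAccount', 'msDS-ManagedServiceAccount'

# Rights unchecked in step 11 (List contents, Read all properties, Read permissions).
$excluded = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl'

# Resolve the well-known SID S-1-1-0 to its local name ("Everyone" on English systems).
$everyoneSid = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$everyone = $everyoneSid.Translate([System.Security.Principal.NTAccount]).Value

# -Audit returns the auditing entries in addition to the access entries.
$sacl = (Get-Acl -Path "AD:\$domainDn" -Audit).Audit

foreach ($class in $classes) {
    # Look up the class GUID in the schema instead of hard-coding it.
    $schemaObj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$class)" -Properties schemaIDGUID
    $classGuid = [guid]$schemaObj.schemaIDGUID

    # Success-type entry for Everyone that applies to descendant objects of this class.
    $rule = $sacl | Where-Object {
        $_.IdentityReference.Value -eq $everyone -and
        $_.InheritanceType -eq 'Descendents' -and
        $_.InheritedObjectType -eq $classGuid -and
        $_.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Success)
    } | Select-Object -First 1

    [pscustomobject]@{
        AppliesTo          = "Descendant $class objects"
        EntryFound         = [bool]$rule
        Rights             = if ($rule) { $rule.ActiveDirectoryRights } else { $null }
        ReadRightsExcluded = if ($rule) {
            [int]($rule.ActiveDirectoryRights -band $excluded) -eq 0
        } else { $null }
    }
}
```

A row with EntryFound set to False means the entry for that class is missing; ReadRightsExcluded set to False means one of the three read permissions from step 11 is still selected.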