Monitor changes to administrative users

Copper Contributor

Greetings,

I'm trying to monitor whenever a change occurs to an administrator-level user. Whether it be a password change/reset, adding someone to the Local or Domain Admin group, or changes to the account once added to the Admin group(s). Are there logs or events that will allow me to monitor just events that happen to Administrator-level accounts?

 

I should mention that the plan is to monitor our Domain Controllers using QRadar SIEM to generate alerts when events such as this happen, but right now what's happening is that we're getting alerts for any time an admin account is involved in a change, even if the change is an admin-level account is resetting a user's password. That's common behavior, and is not what we want to monitor. What we want to monitor is if the admin-level account is the target of the password change/reset, account modification, or being added to an Administrator-level group. Is there an event or set of events dedicated to what happens to accounts in an Administrative-level group?

 

Cheers

0 Replies