Monitor changes to administrative users

Brian Brehart
Occasional Visitor

Greetings,

I'm trying to monitor whenever a change occurs to an administrator-level user, whether it be a password change/reset, adding someone to the Local or Domain Admin group, or changes to the account once added to the Admin group(s). Are there logs or events that will allow me to monitor just events that happen to Administrator-level accounts?

I should mention that the plan is to monitor our Domain Controllers using QRadar SIEM to generate alerts when events such as this happen, but right now what's happening is that we're getting alerts any time an admin account is involved in a change, even if the change is an admin-level account resetting a user's password. That's common behavior, and is not what we want to monitor. What we want to monitor is if the admin-level account is the target of the password change/reset, account modification, or being added to an Administrator-level group. Is there an event or set of events dedicated to what happens to accounts in an Administrative-level group?

Cheers
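
The distinction drawn in the question, alerting on the account or group an event happens to rather than on the account that performed it, shown as an added example that is not part of the original post. The event IDs and the `SubjectUserName` / `TargetUserName` / `MemberSid` fields are those of the Windows Security log; the account names, group list, SIDs and sample events are constructed assumptions.

```python
# Added example: alert on who an event happened TO, not who performed it.
# Windows Security event IDs (TargetUserName = changed account or group).
ACCOUNT_CHANGE_IDS = {
    4723: "password change attempt",
    4724: "password reset attempt",
    4738: "user account changed",
}
GROUP_ADD_IDS = {
    4728: "member added to global security group",
    4732: "member added to local security group",
    4756: "member added to universal security group",
}

# Assumptions: site-specific lists, kept in sync with real group membership.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}
ADMIN_ACCOUNTS = {"administrator", "adm-jsmith"}  # constructed account names


def classify(event):
    """Return an alert reason when the event's target is privileged, else None."""
    eid = event.get("EventID")
    target = event.get("TargetUserName", "").lower()
    if eid in ACCOUNT_CHANGE_IDS and target in ADMIN_ACCOUNTS:
        return f"{ACCOUNT_CHANGE_IDS[eid]} on admin account {target}"
    if eid in GROUP_ADD_IDS and target in PRIVILEGED_GROUPS:
        member = event.get("MemberSid", "unknown")
        return f"{GROUP_ADD_IDS[eid]}: {member} -> {target}"
    return None  # includes admins acting on ordinary users


# Constructed sample events (field names follow the Windows event schema).
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "adm-jsmith", "TargetUserName": "bob"},
    {"EventID": 4724, "SubjectUserName": "helpdesk1", "TargetUserName": "adm-jsmith"},
    {"EventID": 4738, "SubjectUserName": "adm-jsmith", "TargetUserName": "Administrator"},
    {"EventID": 4728, "SubjectUserName": "adm-jsmith", "TargetUserName": "Domain Admins",
     "MemberSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4732, "SubjectUserName": "adm-jsmith", "TargetUserName": "Helpdesk Tools",
     "MemberSid": "S-1-5-21-1111-2222-3333-1106"},
]


def alerts(events):
    """Return (index, reason) for every event that should raise an alert."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for index, reason in alerts(SAMPLE_EVENTS):
        print(index, reason)
```

The first sample event, an admin resetting an ordinary user's password, produces no alert because the admin appears only as the subject.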
