|| AD: Failed Account Authentications | Gathers Failed AD Authentications. <br />Utilizes built-In “Failed Authentications” – Include Perpetrators Collection to define which accounts will be monitored for failed authentications. Add accounts to be monitored to this collection. | None |
17
17
|| AD: Successful Account Authentications | Gathers Successful AD Authentications. <br />Utilizes built-In “Successful Authentications” – Include Perpetrators Collection to define which accounts will be monitored for successful authentications. Add accounts to be monitored to this collection. | None |
18
-
|| AD: Successful Account Logons | No customizations required. Most common modification: specify a list of users (AD Objects) to be included or excluded. <br />Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md) is Off for this policy.Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md) is _Off_ for this policy. | None |
18
+
|| AD: Successful Account Logons | No customizations required. Most common modification: specify a list of users (AD Objects) to be included or excluded. <br />Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md) is Off for this policy.Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md) is _Off_ for this policy. | None |
19
19
| Administrative Accounts | AD: Domain Administrators Logons to Non Domain Controllers | Gathers logon events of Domain Administrator accounts to non-domain controller computes. <br />Utilizes built-In “Domain Administrators” – Include Perpetrators Collection to define which accounts will be monitored for logons. Add accounts which have domain administrator rights to be monitored to this collection. <br />Also utilizes built-In “Domain Controllers” – Hosts Collection to define which hosts will NOT be monitored for logons. Add domain controllers to be ignored to this collection. | None |
20
20
| Administrative Accounts | AD: Failed Administrator Account Authentications | Gathers AD: Failed Administrator Account Authentications. <br />Utilizes built-In “Administrative Accounts” – Include Perpetrators Collection to define which administrative accounts will be monitored for failed authentications. | None |
21
21
| Administrative Accounts | AD: Successful Administrator Account Authentications | Gathers Successful AD Authentications for Administrators. <br />Utilizes built-In “Administrative Accounts” – Include Perpetrators Collection to define which administrative accounts will be monitored for successful authentications. Add accounts with administrative rights to be monitored to this collection. | None |
22
-
| Administrative Accounts | AD: Successful Administrator Account Logons | Utilizes built-in “Administrator Accounts” – Objects Collection. Add accounts with administrator rights to be monitored to this collection <br />Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md) is Off for this policy | None |
22
+
| Administrative Accounts | AD: Successful Administrator Account Logons | Utilizes built-in “Administrator Accounts” – Objects Collection. Add accounts with administrator rights to be monitored to this collection <br />Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md) is Off for this policy | None |
23
23
| Service Accounts | AD: Failed Service Account Authentications | Gathers Failed AD Authentications for service accounts. <br />Utilizes built-In “Service Accounts” – Include Perpetrators Collection to define which service accounts will be monitored for failed authentications. Add service accounts to be monitored to this collection | None |
24
24
| Service Accounts | AD: Successful Service Account Authentications | Gathers Successful AD Authentications for service accounts. <br />Utilizes built-In “Service Accounts” – Include Perpetrators Collection to define which service accounts will be monitored for successful authentications. Add service accounts to be monitored to this collection | None |
25
-
| Service Accounts | AD: Successful Service Account Logons | Utilizes built-in "Service Accounts" – Objects Collection. Add service accounts to be monitored to this collection <br />Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md) is Off for this policy. | None |
25
+
| Service Accounts | AD: Successful Service Account Logons | Utilizes built-in "Service Accounts" – Objects Collection. Add service accounts to be monitored to this collection <br />Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md) is Off for this policy. | None |
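Review bot: On the added line 18 (AD: Successful Account Logons) the sentence "Make sure the Exclude 'Noise' Events option on the Event Filtering Configuration Window is Off for this policy." appears twice back to back, once with plain Off and once with _Off_, and the change re-points both copies to the 7.4 path instead of removing one. Drop the first copy and keep the _Off_ form. While these rows are being touched, the same sentence on line 22 is missing its closing period and lines 22 and 25 use plain Off, so the three logon rows could be made consistent in the same change.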
| AD Replication Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES <br />Prevents Active Directory data synchronization requests from non-domain controllers using RPC call IDL_DRSGetNCChanges. Add legitimate domain controllers to be inored in one of the following ways to prevent them from being blocked: <ul><li>Allow Perpetrators List – Add the Users OU > Domain Controllers group and any other groups with domain controllers for a dynamic list of domain controllers</li><li>Exclude Domains/Servers – Add specific domain controllers for a static list of domain controllers</li></ul> See the [AD Replication Lockdown Event Type](/docs/threatprevention/7.5/admin/policies/configuration/eventtype/adreplicationlockdown.md) topic for additional information. | None |
80
-
| AD Replication Monitoring | Utilizes the built-in “Domain Controllers” – Hosts Collection. Add domain controllers to not be monitored. <br />Alternatively, add legitimate domain controllers to be ignored in one of the following ways: <ul><li>Exclude Perpetrators List – Add the Users OU > Domain Controllers group and any other groups with domain controllers for a dynamic list of domain controllers</li><li>Exclude Domains/Servers – Add specific domain controllers for a static list of domain controllers</li></ul> See the [AD Replication Monitoring Event Type](/docs/threatprevention/7.5/admin/policies/configuration/eventtype/adreplicationmonitoring.md) topic for additional information. | None |
79
+
| AD Replication Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES <br />Prevents Active Directory data synchronization requests from non-domain controllers using RPC call IDL_DRSGetNCChanges. Add legitimate domain controllers to be inored in one of the following ways to prevent them from being blocked: <ul><li>Allow Perpetrators List – Add the Users OU > Domain Controllers group and any other groups with domain controllers for a dynamic list of domain controllers</li><li>Exclude Domains/Servers – Add specific domain controllers for a static list of domain controllers</li></ul> See the [AD Replication Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/adreplicationlockdown.md) topic for additional information. | None |
80
+
| AD Replication Monitoring | Utilizes the built-in “Domain Controllers” – Hosts Collection. Add domain controllers to not be monitored. <br />Alternatively, add legitimate domain controllers to be ignored in one of the following ways: <ul><li>Exclude Perpetrators List – Add the Users OU > Domain Controllers group and any other groups with domain controllers for a dynamic list of domain controllers</li><li>Exclude Domains/Servers – Add specific domain controllers for a static list of domain controllers</li></ul> See the [AD Replication Monitoring Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/adreplicationmonitoring.md) topic for additional information. | None |
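Review bot: The added line 79 (AD Replication Lockdown) still carries the typo "inored" in "Add legitimate domain controllers to be inored in one of the following ways"; since the line is rewritten here anyway, correct it to "ignored". This sentence is the instruction that keeps legitimate domain controllers from being blocked by the IDL_DRSGetNCChanges lockdown, so it is worth having it read cleanly. The only other visible change in lines 79 and 80 is the link path moving from 7.5 to 7.4; state in the commit message that this file belongs to the 7.4 documentation so the direction of the change is clear to readers of the history.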