diff --git a/docs/threatprevention/7.4/admin/templates/folder/activedirectory.md b/docs/threatprevention/7.4/admin/templates/folder/activedirectory.md index 2bdbb7c4d4..16fbf46848 100644 --- a/docs/threatprevention/7.4/admin/templates/folder/activedirectory.md +++ b/docs/threatprevention/7.4/admin/templates/folder/activedirectory.md @@ -15,14 +15,14 @@ following templates: | ------------- | --------------- | ---------------- | ---- | | | AD: Failed Account Authentications | Gathers Failed AD Authentications.
Utilizes built-In “Failed Authentications” – Include Perpetrators Collection to define which accounts will be monitored for failed authentications. Add accounts to be monitored to this collection. | None | | | AD: Successful Account Authentications | Gathers Successful AD Authentications.
Utilizes built-In “Successful Authentications” – Include Perpetrators Collection to define which accounts will be monitored for successful authentications. Add accounts to be monitored to this collection. | None | -| | AD: Successful Account Logons | No customizations required. Most common modification: specify a list of users (AD Objects) to be included or excluded.
Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md) is Off for this policy.Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md) is _Off_ for this policy. | None | +| | AD: Successful Account Logons | No customizations required. Most common modification: specify a list of users (AD Objects) to be included or excluded.
Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md) is Off for this policy.Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md) is _Off_ for this policy. | None | | Administrative Accounts | AD: Domain Administrators Logons to Non Domain Controllers | Gathers logon events of Domain Administrator accounts to non-domain controller computes.
Utilizes built-In “Domain Administrators” – Include Perpetrators Collection to define which accounts will be monitored for logons. Add accounts which have domain administrator rights to be monitored to this collection.
Also utilizes built-In “Domain Controllers” – Hosts Collection to define which hosts will NOT be monitored for logons. Add domain controllers to be ignored to this collection. | None | | Administrative Accounts | AD: Failed Administrator Account Authentications | Gathers AD: Failed Administrator Account Authentications.
Utilizes built-In “Administrative Accounts” – Include Perpetrators Collection to define which administrative accounts will be monitored for failed authentications. | None | | Administrative Accounts | AD: Successful Administrator Account Authentications | Gathers Successful AD Authentications for Administrators.
Utilizes built-In “Administrative Accounts” – Include Perpetrators Collection to define which administrative accounts will be monitored for successful authentications. Add accounts with administrative rights to be monitored to this collection. | None | -| Administrative Accounts | AD: Successful Administrator Account Logons | Utilizes built-in “Administrator Accounts” – Objects Collection. Add accounts with administrator rights to be monitored to this collection
Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md) is Off for this policy | None | +| Administrative Accounts | AD: Successful Administrator Account Logons | Utilizes built-in “Administrator Accounts” – Objects Collection. Add accounts with administrator rights to be monitored to this collection
Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md) is Off for this policy | None | | Service Accounts | AD: Failed Service Account Authentications | Gathers Failed AD Authentications for service accounts.
Utilizes built-In “Service Accounts” – Include Perpetrators Collection to define which service accounts will be monitored for failed authentications. Add service accounts to be monitored to this collection | None | | Service Accounts | AD: Successful Service Account Authentications | Gathers Successful AD Authentications for service accounts.
Utilizes built-In “Service Accounts” – Include Perpetrators Collection to define which service accounts will be monitored for successful authentications. Add service accounts to be monitored to this collection | None | -| Service Accounts | AD: Successful Service Account Logons | Utilizes built-in "Service Accounts" – Objects Collection. Add service accounts to be monitored to this collection
Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md) is Off for this policy. | None | +| Service Accounts | AD: Successful Service Account Logons | Utilizes built-in "Service Accounts" – Objects Collection. Add service accounts to be monitored to this collection
Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md) is Off for this policy. | None | **Groups Folder** @@ -76,8 +76,8 @@ being locked down or blocked. | Template | Description | TAGS | | ------------------------- | -------------------------- | ---- | -| AD Replication Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES
Prevents Active Directory data synchronization requests from non-domain controllers using RPC call IDL_DRSGetNCChanges. Add legitimate domain controllers to be inored in one of the following ways to prevent them from being blocked: See the [AD Replication Lockdown Event Type](/docs/threatprevention/7.5/admin/policies/configuration/eventtype/adreplicationlockdown.md) topic for additional information. | None | -| AD Replication Monitoring | Utilizes the built-in “Domain Controllers” – Hosts Collection. Add domain controllers to not be monitored.
Alternatively, add legitimate domain controllers to be ignored in one of the following ways: See the [AD Replication Monitoring Event Type](/docs/threatprevention/7.5/admin/policies/configuration/eventtype/adreplicationmonitoring.md) topic for additional information. | None | +| AD Replication Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES
Prevents Active Directory data synchronization requests from non-domain controllers using RPC call IDL_DRSGetNCChanges. Add legitimate domain controllers to be inored in one of the following ways to prevent them from being blocked: See the [AD Replication Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/adreplicationlockdown.md) topic for additional information. | None | +| AD Replication Monitoring | Utilizes the built-in “Domain Controllers” – Hosts Collection. Add domain controllers to not be monitored.
Alternatively, add legitimate domain controllers to be ignored in one of the following ways: See the [AD Replication Monitoring Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/adreplicationmonitoring.md) topic for additional information. | None | **Server-Workstation Folder**
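Review bot: In the added `AD: Successful Account Logons` row of the first hunk, the sentence "Make sure the Exclude 'Noise' Events option ... is Off for this policy." appears twice back to back with no space between the copies, once with plain Off and once with `_Off_`. The link retarget to 7.4 was applied to both copies, so the duplication carried over from the removed line. Keep a single copy and use the same emphasis for Off as the Administrator and Service Account Logons rows in this hunk, which use plain Off. Those two rows also name the collection "Administrator Accounts", while the neighbouring authentication rows call it "Administrative Accounts"; worth confirming which name is the built-in one. The unchanged context row for Domain Administrators Logons reads "non-domain controller computes", which could be corrected to "computers" in the same pass.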
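Review bot: Both added rows in the second hunk say "in one of the following ways" and then go straight to "See the ... topic for additional information", so the list of ways is missing from the table cell. For the AD Replication Lockdown row this matters most, because the row warns that legitimate domain controllers must be excluded to avoid being blocked but does not say how. Either restore the list items or reword the sentence so it points to the linked event type topic for the exclusion methods. The Lockdown row also still has "inored" where "ignored" is meant, and the "USE CAUTION WITH ALL LOCKDOWN TEMPLATES" warning would read better separated from the description that follows it.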