This analytic looks for Windows Security Event ID 4719 (System audit policy was changed) on a domain controller where Success or Failure auditing was removed from an advanced audit policy subcategory, i.e. audit policy being disabled on the host that records the most sensitive Active Directory activity.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Change
- Last Updated: 2023-01-26
- Author: Dean Luxton
- ID: fc3ccef1-60a4-4239-bd66-b279511b4d14
Kill Chain Phase
- CIS20: CIS 10
```
`wineventlog_security` EventCode=4719
    (AuditPolicyChanges IN ("%%8448","%%8450","%%8448, %%8450")
     OR Changes IN ("Failure removed","Success removed","Success removed, Failure removed"))
    dest_category="domain_controller"
| replace "%%8448" with "Success removed", "%%8450" with "Failure removed", "%%8448, %%8450" with "Success removed, Failure removed" in AuditPolicyChanges
| eval AuditPolicyChanges=coalesce(AuditPolicyChanges,Changes), SubcategoryGuid=coalesce(SubcategoryGuid,Subcategory_GUID)
| stats min(_time) as _time values(host) as dest by AuditPolicyChanges SubcategoryGuid
| lookup advanced_audit_policy_guids GUID as SubcategoryGuid OUTPUT Category SubCategory
| `windows_ad_domain_controller_audit_policy_disabled_filter`
```
The SPL above uses the following Macros:
- `wineventlog_security`
- `windows_ad_domain_controller_audit_policy_disabled_filter` is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
The SPL above uses the following Lookups:
- advanced_audit_policy_guids (maps the 4719 SubcategoryGuid to its audit Category and SubCategory)
List of fields required to use this analytic:
- _time, host, EventCode, dest_category, AuditPolicyChanges, Changes, SubcategoryGuid, Subcategory_GUID
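To make the normalisation steps in the SPL concrete, the following Python is an added, offline emulation of the analytic run over a handful of constructed 4719 events; it is not code from the Splunk content project. The `%%8448`/`%%8450` replace, the two `coalesce` calls (XML-rendered events carry `AuditPolicyChanges`/`SubcategoryGuid`, classic-rendered events carry `Changes`/`Subcategory_GUID`), the `stats ... by` grouping and the GUID lookup are each mirrored by a function. The GUID table is a hand-written subset standing in for the real `advanced_audit_policy_guids` lookup, and the `DOMAIN_CONTROLLERS` set stands in for the Assets and Identities `dest_category` match; both are assumptions for the example. The last sample event deliberately carries `%%8449, %%8450` (Success added, Failure removed) to show that the SPL's exact-match `IN` lists do not catch a mixed change that still removes failure auditing.

```python
"""Offline emulation of the 4719 audit-policy-disabled detection (added example).

Every event below is a constructed sample, not real telemetry. AUDIT_POLICY_GUIDS
is a hand-written subset standing in for the advanced_audit_policy_guids lookup,
and DOMAIN_CONTROLLERS stands in for the Assets & Identities category match.
"""
from collections import defaultdict

# Exactly the translations performed by the SPL `replace ... in AuditPolicyChanges`.
# %%8449 (Success added) and %%8451 (Failure added) are intentionally absent: the
# analytic only cares about auditing being removed.
REPLACE_CODES = {
    "%%8448": "Success removed",
    "%%8450": "Failure removed",
    "%%8448, %%8450": "Success removed, Failure removed",
}

# The values accepted by the SPL's IN(...) lists after the replace step.
DISABLING_CHANGES = set(REPLACE_CODES.values())

# Assumed subset of the lookup: SubcategoryGuid -> (Category, SubCategory).
AUDIT_POLICY_GUIDS = {
    "{0CCE9215-69AE-11D9-BED3-505054503030}": ("Logon/Logoff", "Logon"),
    "{0CCE9235-69AE-11D9-BED3-505054503030}": ("Account Management", "User Account Management"),
    "{0CCE922F-69AE-11D9-BED3-505054503030}": ("Policy Change", "Audit Policy Change"),
}

# Assumed stand-in for dest_category="domain_controller".
DOMAIN_CONTROLLERS = {"dc01.corp.example", "dc02.corp.example"}


def normalize_changes(event):
    """replace %%-codes, then coalesce(AuditPolicyChanges, Changes)."""
    raw = event.get("AuditPolicyChanges")
    if raw is None:
        return event.get("Changes")        # classic rendering: already text
    return REPLACE_CODES.get(raw, raw)     # XML rendering: only exact strings are translated


def normalize_guid(event):
    """coalesce(SubcategoryGuid, Subcategory_GUID)."""
    return event.get("SubcategoryGuid") or event.get("Subcategory_GUID")


def event_matches(event):
    """Base-search filter: EventCode 4719, a disabling change, on a domain controller."""
    if str(event.get("EventCode")) != "4719":
        return False
    if event.get("host") not in DOMAIN_CONTROLLERS:
        return False
    return normalize_changes(event) in DISABLING_CHANGES


def run_detection(events):
    """stats min(_time) as _time values(host) as dest by AuditPolicyChanges SubcategoryGuid,
    followed by the GUID lookup. Returns one dict per result row."""
    groups = defaultdict(lambda: {"_time": None, "dest": set()})
    for ev in events:
        if not event_matches(ev):
            continue
        g = groups[(normalize_changes(ev), normalize_guid(ev))]
        g["_time"] = ev["_time"] if g["_time"] is None else min(g["_time"], ev["_time"])
        g["dest"].add(ev["host"])
    rows = []
    for (changes, guid), g in sorted(groups.items(), key=lambda kv: (kv[0][0], kv[0][1] or "")):
        category, subcategory = AUDIT_POLICY_GUIDS.get(guid, (None, None))
        dest = sorted(g["dest"])
        rows.append({
            "_time": g["_time"], "dest": dest, "AuditPolicyChanges": changes,
            "SubcategoryGuid": guid, "Category": category, "SubCategory": subcategory,
            "message": f"GPO {subcategory} of {category} was disabled on {', '.join(dest)}",
        })
    return rows


# Constructed sample events (XML and classic field names mixed on purpose).
SAMPLE_EVENTS = [
    {"_time": 1674700000, "host": "dc01.corp.example", "EventCode": 4719,
     "SubcategoryGuid": "{0CCE9215-69AE-11D9-BED3-505054503030}", "AuditPolicyChanges": "%%8448"},
    {"_time": 1674700120, "host": "dc02.corp.example", "EventCode": 4719,
     "Subcategory_GUID": "{0CCE9215-69AE-11D9-BED3-505054503030}", "Changes": "Success removed"},
    {"_time": 1674700300, "host": "dc01.corp.example", "EventCode": 4719,
     "SubcategoryGuid": "{0CCE9235-69AE-11D9-BED3-505054503030}", "AuditPolicyChanges": "%%8448, %%8450"},
    # Auditing enabled (Success added): must not alert.
    {"_time": 1674700400, "host": "dc01.corp.example", "EventCode": 4719,
     "SubcategoryGuid": "{0CCE922F-69AE-11D9-BED3-505054503030}", "AuditPolicyChanges": "%%8449"},
    # Same disabling change on a member server: out of scope for this analytic.
    {"_time": 1674700500, "host": "web01.corp.example", "EventCode": 4719,
     "SubcategoryGuid": "{0CCE9215-69AE-11D9-BED3-505054503030}", "AuditPolicyChanges": "%%8448"},
    # Mixed change (Success added, Failure removed): not in the SPL's exact-match lists.
    {"_time": 1674700600, "host": "dc02.corp.example", "EventCode": 4719,
     "SubcategoryGuid": "{0CCE922F-69AE-11D9-BED3-505054503030}", "AuditPolicyChanges": "%%8449, %%8450"},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["message"])
```

The two Logon events collapse into one row with both DCs in `dest` and the earlier `_time`, exactly as `stats ... by AuditPolicyChanges SubcategoryGuid` would do; the member-server event and the Success-added event are dropped by the base search. The `%%8449, %%8450` event is also dropped, which is worth keeping in mind when tuning: if you want to catch failure auditing being removed in the same change that adds success auditing, the `IN` lists and `replace` clauses need the additional combinations.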
How To Implement
Ensure you are ingesting EventCode 4719 from your domain controllers, that the category domain_controller exists in Assets and Identities, and that Assets and Identities is enabled so that dest_category is populated. If A&I is not configured, you will need to manually filter the results within the base search (for example by replacing dest_category="domain_controller" with an explicit list of domain controller hosts).
Known False Positives
Associated Analytic Story
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 60.0 | 100 | 60 | GPO $SubCategory$ of $Category$ was disabled on $dest$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence / 100). Initial Confidence and Impact are set by the analytic author.
source | version: 1