There is no default real-time rule for monitoring a specific OU and its members' activity.
Step 1: Create a rule with the filter
1. Under Real-Time Monitoring, right-click "Rules" and create a new group.
2. Right-click the newly created group and create a new rule.
3. Select Single Event, select Windows Security log and click Next.
4. Select Windows Security log custom filter.
5. Here you can select what you want to filter on; let's focus on filtering events for a specific OU.
6. Select Event ID, click Edit, remove the default ID and click Add.
7. Type the event ID you want to monitor; you can refer to the InTrust for AD event log in your Active Directory event viewer.
8. Select IS#1; this is where you specify the OU that you want to monitor.
9. Click Edit, remove the default value, click Add and type in *,ou=[The OU that you want to monitor],DC=[Domain],DC=[Domain]
For example: *,ou=INTRUST_TESTING,DC=rt-testlab,DC=com
In this case, we are monitoring an OU called INTRUST_TESTING.
10. Click Next, type a name for your rule and click Finish.
11. Right-click the rule you created, click Properties, make sure "Enabled" is checked, and click OK.
12. Commit Changes.
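To see which objects the filter from step 9 puts in scope before committing the rule, the following added example (not part of InTrust or of the original article) applies both rule conditions to constructed events. It assumes that `*` is the only wildcard, that matching ignores case, and that IS#1 holds the object's distinguished name; the event IDs are placeholders.

```python
import re

# Value typed for IS#1 in step 9 (the page's example OU).
OU_FILTER = "*,ou=INTRUST_TESTING,DC=rt-testlab,DC=com"
# Placeholder event IDs, not real InTrust IDs; use the ones entered in step 7.
EVENT_IDS = {9001, 9002}

def wildcard_to_regex(pattern):
    """Case-insensitive regex for a '*' wildcard pattern.
    Assumption: '*' is the only wildcard and the comparison ignores case."""
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile(".*".join(literal_parts), re.IGNORECASE | re.DOTALL)

def rule_matches(event, event_ids=EVENT_IDS, ou_filter=OU_FILTER):
    """True only if both rule conditions hold: Event ID is listed AND IS#1 matches."""
    strings = event.get("insertion_strings") or []
    if event.get("event_id") not in event_ids or not strings:
        return False
    # Assumption: insertion string 1 holds the distinguished name of the object.
    return wildcard_to_regex(ou_filter).fullmatch(strings[0]) is not None

def dn_event(event_id, dn):
    """Build a constructed event whose first insertion string is a DN."""
    return {"event_id": event_id, "insertion_strings": [dn]}

# Constructed events; no DN or ID here comes from a real directory or log.
SAMPLE_EVENTS = [
    dn_event(9001, "CN=Alice Example,OU=INTRUST_TESTING,DC=rt-testlab,DC=com"),         # direct member
    dn_event(9002, "CN=Bob Example,OU=Servers,OU=INTRUST_TESTING,DC=rt-testlab,DC=com"),  # child OU
    dn_event(9001, "OU=INTRUST_TESTING,DC=rt-testlab,DC=com"),                           # the OU itself
    dn_event(9001, "CN=Carol Example,OU=OLD_INTRUST_TESTING,DC=rt-testlab,DC=com"),      # similar name
    dn_event(9001, "CN=Dave Example,OU=INTRUST_TESTING,DC=corp,DC=rt-testlab,DC=com"),   # other domain
    dn_event(9001, "CN=Eve Example,CN=Users,DC=rt-testlab,DC=com"),                      # outside the OU
    dn_event(9999, "CN=Frank Example,OU=INTRUST_TESTING,DC=rt-testlab,DC=com"),          # unlisted ID
    {"event_id": 9001, "insertion_strings": []},                                         # no IS#1
]

def triggered(events):
    """Return the DNs of the events that would trigger the rule."""
    return [e["insertion_strings"][0] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for dn in triggered(SAMPLE_EVENTS):
        print("rule triggered for:", dn)
```

Under these assumptions, members of the OU and of its child OUs are in scope, while an event whose IS#1 is the OU's own distinguished name is not, because the pattern requires at least a comma before `ou=`.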
Step 2: Create a policy
1. Under Real-Time Monitoring, right-click "Policies" and create a new policy.
2. Type a name for your policy and click Next.
3. Click Add and select the site you want to monitor.
4. Click Next, click Add and select the rule you created.
5. Click Next and check "Notify selected operators if a rule is triggered".
6. Click Add and select the default notification operator, then click Next and Next again.
7. Right-click the policy and click Activate.