立即与支持人员聊天
与支持团队交流

Change Auditor for Active Directory 7.3 - Event Reference Guide

Configuration Monitoring

Active Directory Share Added

Created when an Active Directory share has been added to a server.

Medium

Active Directory Share Removed

Created when an Active Directory share has been removed from a server.

High

Append Parent Suffixes Option Changed

Created when the append parent suffixes of the primary DNS suffix option is changed.

Medium

Application Partition Replica Added

Created when a DN for an application partition is added to the msDS-hasMasterNCs attribute of an nTDSDSA object.

Medium

Application Partition Replica Removed

Created when a DN for an application partition is removed from the msDS-hasMasterNCs attribute of an nTDSDSA object.

High

Connection DNS Registration Option Changed

Created when the register connection in DNS option on a network connection is changed.

Medium

Connection Object Added

Created when an nTDSConnection object is added to the NTDS Settings container.

Medium

Connection Object Removed

Created when an nTDSConnection object is removed from the NTDS Settings container.

Medium

Connection-specific DNS Suffix Changed

Created when the connection-specific DNS suffix changes.

Medium

Contents of DNS Server List Changed

Created when a DNS server is added or removed from the DNS server list.

Medium

Contents of DNS Suffix List Changed

Created when a suffix is added or removed from the DNS suffix list.

Medium

Contents of WINS Server List Changed

Created when a server is added or removed from the WINS server list.

Medium

Critical Link Failures Allowed Parameter Changed

Created when the CriticalLinkFailuresAllowed parameter on a DC is changed.

Medium

Default Gateway Changed

Created when the default gateway changes on a network connection.

Low

DHCP Disabled

Created when DHCP is disabled on a network connection.

Low

DHCP Enabled

Created when DHCP is enabled on a network connection.

Low

DIT Location Changed

Created when the directory path of the DIT is changed.

Low

Domain Controller Added as Preferred Bridgehead Server

Created when a domain controller is configured as a preferred bridgehead server for a particular replication transport.

Medium

Domain Controller Moved to Another OU

Created when a domain controller is moved to another OU.

Medium

Domain Controller Removed as Preferred Bridgehead Server

Created when a domain controller is removed as a preferred bridgehead server for a particular replication transport.

Medium

Domain Controller Service Pack Applied

Created when a service pack is applied to a domain controller.

Medium

Domain Controller Service Pack Rolled Back

Created when a service pack is removed from a domain controller.

Medium

DS Database Logging and Recover Option Changed

Created when the logging and recovery option of Active Directory is changed.

Low

DS Hierarchy Table Evaluation Interval Changed

Created when the hierarchy table evaluation interval on the DC is changed.

Medium

DS Log File Location Changed

Created when the directory path of the DS log file is changed.

Low

Hotfix Applied

Created when a hot fix is applied.

Medium

Hotfix Rolled Back

Created when a hot fix is removed. (Disabled by Default)

Medium

Intersite Failures Allowed Parameter Changed

Created when the IntersiteFailuresAllowed parameter is changed on a DC.

Medium

IP Deny List Entry Added

Created when an entry is added to the IP deny list of an LDAP query policy object.

Medium

IP Deny List Entry Removed

Created when an entry is removed from the IP deny list of an LDAP query policy object.

Low

IPSEC Settings Changed

Created when the IPSEC settings for a network connection are changed.

Medium

KCC Delay After Startup Changed

Created when the amount of time the KCC delays after startup before re-computing the replication topology is changed.

Medium

KCC Site Generator Failover Interval Changed

Created when the interval after which a new Intersite Topology Generator (ISTG) is nominated if no ISTG identity is updated in the directory is changed.

Medium

KCC Site Generator Renewal Interval Changed

Created when the interval at which the Intersite Topology Generator (ISTG) publishes its identity in the directory is changed.

Medium

KCC Update Interval Changed

Created when the interval at which the KCC on the domain controller runs is changed.

Medium

Kerberos Diagnostic Log Level Changed

Created when the diagnostic log level for the Kerberos service is changed.

Medium

Linked Query Policy for Domain Controller Changed

Created when the lDAPAdminLimits attribute of a query policy object referred to by the querypolicyObject attribute of the nTDSDSA object for the domain controller was changed.

Low

Max Failure Time for Intersite Link Parameter Changed

Created when the MaxFailureTimeForIntersiteLink value is changed on a domain controller.

Medium

Max Failure Time for Non-critical Link Parameter Changed

Created when the Maximum Failure Time value for non-critical links is changed on a domain controller.

Medium

MaxFailureTimeForCritical Link Parameter Changed

Created when the MaxFailureTimeForCriticalLink parameter is changed on a domain controller.

Medium

Maximum Number of DS Threads Changed

Created when the number of threads used by the DS service is changed.

Medium

NetBIOS Setting Changed

Created when the NETBIOS setting on a network connection is changed.

Medium

NIC Added

Created when a NIC is added to the host computer.

Low

NIC Disabled

Created when a NIC is disabled on the host computer.

Medium

NIC Enabled

Created when a NIC is enabled on the host computer.

Medium

NIC Removed

Created when a NIC is removed from the host computer.

Low

Non-critical Link Failures Allowed Flag Changed

Created when the Non-critical Link Failures value is changed on a domain controller.

Low

Preferred Bridgehead Setting Changed

Created when the bridgeheadTransportList attribute of a server is changed.

Medium

Processor Speed Changed

Created when the processor speed of the DC is changed.

Low

Query Policy Link for Domain Controller Changed

Created when the queryPolicyObject attribute of the nTDSDSA is changed.

Low

Query Policy Setting Changed

Created when query policy settings of an existing query policy object have changed.

Low

Raw IP Allowed Protocols List Changed

Created when the contents of the Raw IP Allowed Protocols list are changed.

Medium

Replicator Notify Pause After Modify Delay Changed

Created when the notify pause value is changed on a domain controller.

Medium

Schema Modifications Allowed Flag Changed

Created when a domain controller is configured to allow schema modifications.

High

Static IP Address Changed

Created when the static IP address changes on a network connection.

Low

Subnet Mask Changed

Created when the subnet mask changes on a network connection.

Low

SYSVOL Location Changed

Created when the SYSVOL location is changed on a domain controller.

Low

TCP Allowed Port List Changed

Created when the contents of the TCP Allowed Port list are changed.

Medium

TCP/IP Filtering Changed

Created when the TCP/IP Filtering option is changed on a network connection.

Medium

UDP Allowed Port List Changed

Created when the contents of the UDP Allowed Port list are changed.

Medium

Update DNS on All Adapters Setting Changed

Created when Active Directory’s setting that controls the adapters on which a DC updates DNS is changed.

Medium

Use Connection Suffix in DNS Registration Option Changed

Created when the use this connection’s DNS suffix in DNS registration option is changed.

Medium

Use LMHOSTS Option Changed

Created when the LMHOSTS option on a network connection is changed.

Low

Use of Dynamic DNS Changed

Created when Active Directory’s use of dynamic DNS has been changed.

Medium

Use Primary and Connection Specific Suffixes Flag Changed

Created when the primary and connection-specific suffixes flag changes on a domain controller.

Medium

 

Connection Object

Connection Object From-server Changed

Created when the from-server of a connection object is changed.

Medium

Connection Object Schedule Changed

Created when a change is detected in the schedule attribute of a connection object.

Medium

Connection Object Transport Changed

Created when the transport type of a connection object is changed.

Medium

Custom AD Object Monitoring

<Object> <Attribute> Changed

Created when an attribute changes on an object that the user has opted to audit using the Active Directory Attribute Auditing page on the Administration Tasks tab in the Change Auditor client.

To eliminate duplicate events, you can remove the user attribute from the Active Directory Attribute Auditing page which prevents the custom attribute event from being generated.

Medium

Computer Changed

Created when an object is added, moved, removed, or renamed in a computer object.

Medium

Group Changed

Created when an object is added, moved, removed, or renamed in a group object.

Medium

User Changed

Created when an object is added, moved, removed, or renamed in a user object.

Medium

Custom Computer Monitoring

AdminCount attribute changed on computer object

Created when the adminCount attribute is changed on a computer.

Medium

Computer Account Disabled

Created when the computer account is disabled.

Medium

Computer Account Enabled

Created when the computer account is enabled.

Medium

Computer Added

Created when a computer account object is added to the domain.

Medium

Computer Moved

Created when a computer account object is moved within the domain.

Medium

Computer Removed

Created when a computer account object is removed from the domain.

Medium

Computer Renamed

Created when a computer account object is renamed.

Medium

Computer Service Pack Applied

Created when a service pack is applied to the computer.

Medium

Computer Service Pack Rolled Back

Created when a service pack is uninstalled from the computer.

Medium

DACL Changed on Computer Object

Created when the DACL is changed for the computer object.

Medium

Dynamic Computer Object Added

Created when a dynamic computer object is added to a container.

Medium

Dynamic Computer Object Changed

Created when a dynamic computer object is modified.

Medium

Dynamic Computer Object Removed

Created when a dynamic computer object is removed from a container.

Medium

Inheritance Setting Changed on Computer Object

Created when the inheritance setting of a computer object is changed.

Medium

Irregular domain controller registration activity detected

Created when irregular domain controller registration activity detected on a computer.

DCShadow is a command within Mimikatz that simulates the behavior of a domain controller to push changes to an Active Directory domain through replication, bypassing most of the common security controls.

The following SPN serviceclass values are considered suspicious, and the event is generated when they are added to the servicePrincipalName attribute:

High

Owner Changed on Computer Object

Created when the owner of a computer object is changed.

Medium

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级