cisagov / LME

Logging Made Easy (LME) is a no-cost and open logging and protective monitoring solution serving all organizations.
https://www.cisa.gov/resources-tools/services/logging-made-easy

Create Privilege Activity and Credential Access log Dashboards for end of July release. #337

Open safiuddinr opened 3 months ago

ddiabe commented 3 months ago

Working on two Active Directory Dashboards (AD) for end of July release.

ddiabe commented 2 months ago

This dashboard will be made up of specific Active Directory audit policies and their subcategories, such as:

  1. Account Logon (Audit Credential Validation, Audit Kerberos Authentication Service, Audit Other Account Logon Events, and Audit Kerberos Service Ticket Operations)

  2. Privilege Use (Audit Non Sensitive Privilege Use, Audit Other Privilege Use Events, Audit Sensitive Privilege Use)

  3. Detailed Tracking (Audit Process Creation, Audit Process Termination, Audit RPC Events)

  4. Logon/Logoff (Audit Account Lockout, Audit Logoff, Audit Logon, Audit Network Policy Server, Audit Special Logon, Audit Group Membership, Audit Other Logon/Logoff Events)

ddiabe commented 2 months ago

The idea will be to have a section on the dashboard for each of the categories/subcategories listed above.

The first step of this project will be to trigger the AD logs for each of those categories/subcategories.

The second step will be to view the logs in Event Viewer on the domain controller (DC1).

The third step will be to identify those logs and their event ID numbers in Kibana.

The fourth step, which is the last, will be to create dashboards from those logs.
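The four steps above, worked through as one script. This is an added example and not code from the LME project or from the commenter: it enables the listed audit subcategories with `auditpol`, generates a few of the events, reads them back from the Security log by event ID, and prints a KQL filter per category to paste into Kibana. The subcategory-to-event-ID mapping is taken from Microsoft's advanced audit policy documentation; the field names `event.code` and `winlog.channel` are an assumption that LME's Winlogbeat shipper uses ECS naming, and the bad-credential `net use` is assumed to produce Kerberos/NTLM failure events on DC1.

```powershell
# Added example (not LME project code). Run in an elevated PowerShell session on DC1.
# Caveat: if a domain GPO already defines advanced audit policy, the local auditpol
# settings below are overwritten at the next policy refresh; set them in the GPO instead.

# Category -> subcategory -> Security log event IDs (Microsoft advanced audit policy docs).
# Subcategories with no current event IDs are listed with an empty array.
$AuditMap = [ordered]@{
    'Account Logon' = [ordered]@{
        'Credential Validation'              = @(4776)
        'Kerberos Authentication Service'    = @(4768, 4771)
        'Kerberos Service Ticket Operations' = @(4769)
        'Other Account Logon Events'         = @()
    }
    'Privilege Use' = [ordered]@{
        'Sensitive Privilege Use'            = @(4673, 4674)
        'Non Sensitive Privilege Use'        = @(4673, 4674)
        'Other Privilege Use Events'         = @()
    }
    'Detailed Tracking' = [ordered]@{
        'Process Creation'                   = @(4688)
        'Process Termination'                = @(4689)
        'RPC Events'                         = @(5712)
    }
    'Logon/Logoff' = [ordered]@{
        'Account Lockout'                    = @(4625)
        'Logoff'                             = @(4634, 4647)
        'Logon'                              = @(4624, 4625, 4648)
        'Network Policy Server'              = @(6272, 6273)
        'Special Logon'                      = @(4672, 4964)
        'Group Membership'                   = @(4627)
        'Other Logon/Logoff Events'          = @(4778, 4779, 4800, 4801)
    }
}

# Step 1a: turn on success and failure auditing for every subcategory above.
foreach ($cat in $AuditMap.Keys) {
    foreach ($sub in $AuditMap[$cat].Keys) {
        auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
    # Show the effective policy for this category so a missed subcategory is visible.
    auditpol.exe /get /category:"$cat"
}

# Step 1b: generate some of the events.
$start = Get-Date
# Process creation + termination (4688 / 4689).
Start-Process -FilePath cmd.exe -ArgumentList '/c exit' -Wait -WindowStyle Hidden
# A deliberately failing logon with a user that does not exist (assumed to yield
# 4768/4776 failures and a 4625 on the DC). The credentials here are constructed.
cmd.exe /c "net use \\$env:COMPUTERNAME\IPC$ /user:$env:USERDOMAIN\nosuchuser WrongPass123 2>nul" | Out-Null
Start-Sleep -Seconds 5

# Step 2/3: read the events back from the Security log by ID, grouped the way
# a dashboard panel would count them. (Event Viewer shows the same records.)
$allIds = @($AuditMap.Values | ForEach-Object { $_.Values } | ForEach-Object { $_ } | Sort-Object -Unique)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $allIds; StartTime = $start } `
            -ErrorAction SilentlyContinue
$events | Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Step 4: one KQL filter per category, ready for a Kibana visualization.
# Assumes Winlogbeat/ECS field names in the LME index.
foreach ($cat in $AuditMap.Keys) {
    $catIds = @($AuditMap[$cat].Values | ForEach-Object { $_ } | Sort-Object -Unique)
    if ($catIds.Count -eq 0) { continue }
    "{0,-18} winlog.channel:""Security"" and event.code:({1})" -f $cat, ($catIds -join ' or ')
}
```

Events that only fire on specific infrastructure (6272/6273 need an NPS role, 5712 needs an audited RPC call) will stay at zero on a plain DC, so a zero count in the grouped output is not by itself a sign that auditing is misconfigured; compare it against the `auditpol /get` output printed in step 1.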