Hello OSSEC gurus! I'm looking for a hint.
I have an administrator that changed a Windows GPO on a critical object at the domain level, for example, changing the minimum password length from 13 to 8. I'm trying to find the event and then find the user that did it. I know the date/time, but I don't know the Windows event ID or a keyword I can search on.

With approximately 1 million events per hour, and the domain controllers logging the most data, it's "needle, meet haystack" time. We currently send Level 7+ events to our log management system, and couldn't seem to find anything interesting there. So I'm headed into the OSSEC alert data. Each day has about 8 GB of uncompressed alerts.

Can anyone identify the Windows event ID that corresponds to changing a domain GPO? Any other hints on how I can find this?

Thanks,
Steve
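The following is an added example, not code from Steve's post or from the OSSEC project. A GPO edit in Active Directory is an LDAP write to a groupPolicyContainer object under CN=Policies,CN=System, so on a domain controller with "Audit Directory Service Changes" enabled it is recorded as Security event 5136 (A directory service object was modified; 5137 and 5141 are create and delete), and the Subject of that event is the account that did the editing. When the PDC emulator applies a changed password or lockout policy it also raises 4739 (Domain Policy was changed), but that event's Subject is normally the DC's computer account, so it dates the change without naming the person. The script below walks an OSSEC alerts.log, keeps only alerts inside a time window that carry one of those event IDs, and pulls out the editor, the object DN and the attribute touched. The sample alerts are constructed: the rule number 18101, hosts, SIDs and account names are made up, the line layout follows the OSSEC agent's WinEvtLog format, and the only real identifier is the well-known GUID of the Default Domain Policy.

```python
# Added example (not from the original post or from OSSEC): filter an OSSEC
# alerts.log for the Windows Security events a domain GPO edit produces and
# report who made the change.  Event IDs (Microsoft-Windows-Security-Auditing):
#   5136 directory service object modified, 5137 created, 5141 deleted
#        (written only when "Audit Directory Service Changes" is enabled),
#   4739 Domain Policy was changed (raised when the PDC applies the policy).
# The sample alerts are constructed: rule ID, hosts, SIDs and names are made
# up; the layout follows the agent's "WinEvtLog: Log: TYPE(id): ..." line.
import re
from datetime import datetime

SAMPLE_ALERTS = """\
** Alert 1336565440.12345: - windows,
2012 May 09 10:30:40 (dc01) 10.0.0.5->WinEvtLog
Rule: 18101 (level 3) -> 'Windows informational event.'
WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: DC01.corp.example: An account was successfully logged on.    Subject:   Security ID:  S-1-0-0   Account Name:  -   Account Domain:  -

** Alert 1336565503.12346: - windows,
2012 May 09 10:31:43 (dc01) 10.0.0.5->WinEvtLog
Rule: 18101 (level 3) -> 'Windows informational event.'
WinEvtLog: Security: AUDIT_SUCCESS(5136): Microsoft-Windows-Security-Auditing: (no user): no domain: DC01.corp.example: A directory service object was modified.    Subject:   Security ID:  S-1-5-21-1111-2222-3333-1105   Account Name:  jdoe   Account Domain:  CORP   Logon ID:  0x3e7a1   Directory Service:   Name: corp.example   Type: Active Directory Domain Services   Object:   DN: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example   GUID: {0d3a1b2c-0000-4000-8000-000000000001}   Class: groupPolicyContainer   Attribute:   LDAP Display Name: versionNumber   Syntax (OID): 2.5.5.9   Value: 42   Operation:   Type: Value Added

** Alert 1336565520.12347: - windows,
2012 May 09 10:32:00 (dc01) 10.0.0.5->WinEvtLog
Rule: 18101 (level 3) -> 'Windows informational event.'
WinEvtLog: Security: AUDIT_SUCCESS(4739): Microsoft-Windows-Security-Auditing: (no user): no domain: DC01.corp.example: Domain Policy was changed.    Change Type:   Password Policy modified   Subject:   Security ID:  S-1-5-18   Account Name:  DC01$   Account Domain:  CORP   Logon ID:  0x3e7   Domain:   Domain Name:  CORP   Domain ID:  S-1-5-21-1111-2222-3333   Changed Attributes:   Min. Password Age:  -   Max. Password Age:  -   Force Logoff:  -   Lockout Threshold:  -   Lockout Observation Window:  -   Lockout Duration:  -   Password Properties:  -   Min. Password Length:  8   Password History Length:  -   Machine Account Quota:  -   Mixed Domain Mode:  -   Domain Behavior Version:  -   OEM Information:  -

** Alert 1336566000.12348: - windows,
2012 May 09 10:40:00 (dc01) 10.0.0.5->WinEvtLog
Rule: 18101 (level 3) -> 'Windows informational event.'
WinEvtLog: Security: AUDIT_SUCCESS(5136): Microsoft-Windows-Security-Auditing: (no user): no domain: DC01.corp.example: A directory service object was modified.    Subject:   Security ID:  S-1-5-21-1111-2222-3333-1106   Account Name:  svc-build   Account Domain:  CORP   Logon ID:  0x4f2c0   Directory Service:   Name: corp.example   Type: Active Directory Domain Services   Object:   DN: CN=svc-build,OU=Service Accounts,DC=corp,DC=example   GUID: {0d3a1b2c-0000-4000-8000-000000000002}   Class: user   Attribute:   LDAP Display Name: description   Syntax (OID): 2.5.5.12   Value: rotated   Operation:   Type: Value Added
"""

GPO_EVENT_IDS = {5136, 5137, 5141, 4739}

ALERT_HEADER = re.compile(r"^\*\* Alert \d+\.\d+: ")
ALERT_TIME = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \(([^)]+)\) ")
WINEVT = re.compile(
    r"WinEvtLog: (?P<log>[^:]+): (?P<type>\w+)\((?P<eid>\d+)\): (?P<source>[^:]+): "
    r"(?P<user>[^:]+): (?P<domain>[^:]+): (?P<system>[^:]+): (?P<message>.*)$"
)


def at(s):
    """Parse 'YYYY-MM-DD HH:MM' into a datetime (window boundaries)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def field(message, name):
    """First 'Name:  value' pair in an event message; pairs are separated by runs of spaces."""
    m = re.search(re.escape(name) + r":\s+(.+?)(?:\s{2,}|$)", message)
    return m.group(1) if m else None


def iter_alerts(text):
    """Yield (timestamp, agent, payload) for every '** Alert' block in alerts.log text."""
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3 or not ALERT_HEADER.match(lines[0]):
            continue
        m = ALERT_TIME.match(lines[1])
        if not m:
            continue
        yield datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S"), m.group(2), "\n".join(lines[2:])


def find_gpo_changes(text, start, end, gpo_objects_only=True):
    """Alerts in [start, end] carrying a GPO-related Security event, oldest first.

    5136 names the editing account and the groupPolicyContainer it touched; 4739
    is raised when the DC applies the policy, so its subject is normally the
    computer account. Both are kept so they can be lined up by time.
    """
    hits = []
    for when, agent, payload in iter_alerts(text):
        if not start <= when <= end:
            continue
        m = WINEVT.search(payload)
        if not m or int(m.group("eid")) not in GPO_EVENT_IDS:
            continue
        eid, msg = int(m.group("eid")), m.group("message")
        obj_class = field(msg, "Class")
        if gpo_objects_only and eid != 4739 and obj_class != "groupPolicyContainer":
            continue  # a 5136 on a user or computer object is not a GPO edit
        hits.append({
            "time": when, "agent": agent, "event_id": eid, "system": m.group("system"),
            "subject": field(msg, "Account Name"),          # who (5136) / which DC (4739)
            "object_dn": field(msg, "DN"), "object_class": obj_class,
            "attribute": field(msg, "LDAP Display Name"),   # e.g. versionNumber
            "change_type": field(msg, "Change Type"),
            "min_password_length": field(msg, "Min. Password Length"),
        })
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    for h in find_gpo_changes(SAMPLE_ALERTS, at("2012-05-09 10:25"), at("2012-05-09 10:45")):
        print(h["time"], h["event_id"], h["subject"], h["object_dn"] or h["change_type"])
```

On a real 8 GB alerts.log, a `grep -n '(5136)'` (or `(4739)`) restricted to the right day is the cheap first pass; the script then tells you which of those 5136 events were on a groupPolicyContainer rather than on the ordinary user and computer objects that dominate that event ID. Two caveats: if the domain controllers do not have the Directory Service Changes audit subcategory enabled, 5136 was never written and only 4739 (timestamp, no person) will exist; and if OSSEC files these success audits under a low-level informational rule, a Level 7+ forward never sees them, which is why the local alert data is the right place to look.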
