You are going to need to grab logs from the desktop as well, as those have the "unlock" and "lock" instances; many times users remain logged in and you get tons of background authentication noise.

You can also marry that with Kerberos ticket requests, but that is a whole next level of noise. One way to reduce the noise would be ignoring machine accounts (accounts ending in $), focusing on the specific user. Much of the noise is attributed to Audit Policies at the domain level as well, so getting that correctly tuned is key. My best results came from Audit Policies and matching specific desktop events with Domain logon/logoff, as you can then filter out the connection to shared drives and such.

All the best,
Grant

On Friday, May 31, 2019 at 4:21:05 AM UTC-4, Kyriakos Stavridis wrote:
>
> Hello everyone.
>
> I am trying to use OSSEC to monitor the logons and logoffs by employees on
> our Active Directory server.
>
> The problem is that there is too much noise generated by the AD and I
> cannot find a way to isolate the events I need monitored to get the correct
> results.
>
> The AD server generates about 5-6 events every time a user logs on or logs
> off (logon Event ID 4624, logoff Event ID 4634).
>
> The desirable result is to have alerts like: "User 'X' performed a logon"
> / "User 'X' performed a logoff".
>
> OSSEC by default has Windows logon and logoff rules (4624, 4634) but they
> trigger at each event with these IDs and you cannot have a specific result;
> too much noise is generated.
>
> Has anyone implemented successfully the monitoring of user logons/logoffs
> to the AD server with OSSEC? How can I isolate the noise and get the
> desirable results?
>
> Thanks in advance!
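The reply above boils down to three filters: drop machine accounts (names ending in $), keep only the logon types that mean a person actually sat at a console or unlocked it, and pair each 4634 with the 4624 that opened the same Logon ID so that logoffs of filtered share-mapping or service logons never surface. The following is an added example that is not part of either post and is not OSSEC rule syntax; it runs that logic in Python over constructed, simplified event lines (the `Event ID: ...; Account Name: ...; Logon Type: ...; Logon ID: ...` format, the `INTERACTIVE_TYPES` set, `parse` and `reduce_noise` are all assumptions made for the example, not OSSEC's own decoder or fields). The Windows logon-type numbers themselves are standard: 2 = Interactive, 7 = Unlock, 10 = RemoteInteractive, 11 = CachedInteractive.

```python
"""Collapse Windows 4624/4634 noise into one alert per human session.

Added example, not from the original posts.  The one-line event format and
the function names below are assumptions for the example; real agents ship
the full multi-line event text, so the field extraction would need adapting.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Logon types produced by a person at a console (or RDP), as opposed to
# type 3 (network, e.g. mapping a share), 4 (batch) and 5 (service).
INTERACTIVE_TYPES = {2, 7, 10, 11}
UNLOCK_TYPE = 7

# Constructed one-line records; a real 4624 is a multi-line description.
FIELD_RE = re.compile(r"(Event ID|Account Name|Logon Type|Logon ID):\s*([^\s;]+)")


@dataclass
class Event:
    event_id: int
    account: str
    logon_id: str
    logon_type: Optional[int]  # None for 4634, which carries no logon type


def parse(line: str) -> Event:
    """Pull the four fields we need out of a constructed event line."""
    fields = dict(FIELD_RE.findall(line))
    return Event(
        event_id=int(fields["Event ID"]),
        account=fields["Account Name"],
        logon_id=fields["Logon ID"].lower(),
        logon_type=int(fields["Logon Type"]) if "Logon Type" in fields else None,
    )


def is_machine_account(name: str) -> bool:
    """Computer and trust accounts end in '$'; they never mean a person logged on."""
    return name.endswith("$")


def reduce_noise(lines: Iterable[str],
                 watch_users: Optional[Set[str]] = None) -> List[Tuple[str, str]]:
    """Return (account, 'logon'|'unlock'|'logoff') alerts for human sessions only.

    A 4634 is reported only when its Logon ID was opened by a 4624 we kept, so
    logoffs belonging to filtered network/service logons are dropped.  An
    unlock (type 7) creates its own short-lived logon session, so its 4634 is
    dropped instead of being reported as the user logging off.
    """
    open_sessions = {}  # logon_id -> (account, kind)
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse(line)
        if is_machine_account(ev.account):
            continue
        if watch_users and ev.account.lower() not in watch_users:
            continue
        if ev.event_id == 4624:
            if ev.logon_type not in INTERACTIVE_TYPES:
                continue  # share mappings, services, scheduled tasks
            if ev.logon_id in open_sessions:
                continue  # duplicate 4624 for a session already alerted on
            kind = "unlock" if ev.logon_type == UNLOCK_TYPE else "logon"
            open_sessions[ev.logon_id] = (ev.account, kind)
            alerts.append((ev.account, kind))
        elif ev.event_id == 4634:
            opened = open_sessions.pop(ev.logon_id, None)
            if opened is None or opened[1] == "unlock":
                continue  # logoff of a session we never alerted on
            alerts.append((opened[0], "logoff"))
    return alerts


# Constructed sample: one real console session for alice surrounded by the
# kind of noise the original question complains about.
SAMPLE_EVENTS = [
    "Event ID: 4624; Account Name: DC01$; Logon Type: 3; Logon ID: 0x3e7",
    "Event ID: 4624; Account Name: alice; Logon Type: 2; Logon ID: 0x1a2b3c",
    "Event ID: 4624; Account Name: alice; Logon Type: 3; Logon ID: 0x1a2b99",
    "Event ID: 4634; Account Name: alice; Logon ID: 0x1a2b99",
    "Event ID: 4624; Account Name: bob; Logon Type: 5; Logon ID: 0x2c4d",
    "Event ID: 4624; Account Name: alice; Logon Type: 7; Logon ID: 0x1a2b40",
    "Event ID: 4634; Account Name: alice; Logon ID: 0x1a2b40",
    "Event ID: 4634; Account Name: alice; Logon ID: 0x1a2b3c",
]

if __name__ == "__main__":
    for account, kind in reduce_noise(SAMPLE_EVENTS):
        print(f"User '{account}' performed a {kind}")
```

Eight raw events reduce to three alerts for alice (logon, unlock, logoff); the domain controller's own account, the share mapping and its matching logoff, and bob's service logon all fall out. Passing `watch_users={"bob"}` restricts the output to one account, which is the "focusing on the specific user" step from the reply.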
