A member was added/removed to/from a security-enabled global group - 4728 and 4729

I have done this
4729: A member was removed from a security-enabled global group

Computer Configuration
└── Windows Settings
    └── Security Settings
        └── Advanced Audit Policy Configuration
            └── Audit Policies
                └── Account Management

and enabled the unparsed logs to see 4729 in our IDR.

Is this the only way to get 4729 into IDR?
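The GPO path above maps to the "Security Group Management" subcategory under Account Management; that subcategory is what produces 4728 and 4729. As an added example (not part of the original post or Rapid7's code), the following PowerShell confirms on a domain controller that the subcategory is being audited and then pulls the last seven days of 4728/4729 events, extracting the group, the member and who made the change. It assumes it is run locally on a DC with rights to read the Security log.

```powershell
# Added example, not from the original thread. Assumes local execution on a
# domain controller by an account that can read the Security log.

# 1. Check that the subcategory behind 4728/4729 is actually being audited.
$subcategory = 'Security Group Management'
auditpol.exe /get /subcategory:"$subcategory"

# Local override (a domain GPO refresh will overwrite this, so prefer the GPO path):
# auditpol.exe /set /subcategory:"$subcategory" /success:enable /failure:enable

# 2. Query 4728 (member added) and 4729 (member removed) from the last 7 days.
#    604800000 ms = 7 days.
$xpath = '*[System[(EventID=4728 or EventID=4729) and TimeCreated[timediff(@SystemTime) <= 604800000]]]'

Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData fields are only reachable through the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventID     = $_.Id
            Action      = if ($_.Id -eq 4728) { 'Added' } else { 'Removed' }
            Group       = $d['TargetUserName']      # the security-enabled global group
            GroupDomain = $d['TargetDomainName']
            Member      = $d['MemberName']          # DN of the account added/removed
            ChangedBy   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    } | Format-Table -AutoSize
```

If `auditpol` shows "No Auditing" for the subcategory, no amount of event-source configuration will surface 4729, because the DC never writes it; fix the policy first, then re-run the query to confirm events appear.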

@aalves1 Out of the box, the WMI AD event source will send the entire contents of the Security log to the Raw Log log set. From there you can build your queries or detections for any events which aren’t sent to a parsed log set such as AD Admin Activity.

What you have outlined regarding the audit policy is a necessary step to ensure the events are being audited as well.

@david_smith There is one thing that I couldn’t find on the internet, but a co-worker mentioned it: to give managing rights to the account.

I’m not sure I follow. Are you asking how to audit these events, or are you saying you gave rights to the service account for the event source? The event source doesn’t make any auditing changes on your behalf.

I gave rights to the account… Now I am questioning whether I needed this action. Assuming that the account doesn’t have Domain Admin rights, I did the WMI rights configuration.

I assume these logs are being pulled for the domain controller.

Rapid7 has documentation on what rights a non-domain-admin account needs to pull the log events: Non-Admin Domain Controller Account | InsightIDR Documentation

I would suggest starting there.
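Whatever set of rights you end up granting from that documentation, the quickest way to confirm the non-admin account actually works is to perform the same kind of WMI read the event source does, from the collector, as that account. The following is an added example, not from the thread or from Rapid7; the DC hostname, the account name and the seven-day window are assumptions, and it only tests readability of the Security log over WMI, not the InsightIDR event source itself.

```powershell
# Added example, not from the original thread. Assumed values: the DC name and
# the service account; you will be prompted for its password.
$dc      = 'dc01.corp.example'            # assumption: your domain controller
$account = 'CORP\svc-insightidr'          # assumption: the non-admin collector account
$cred    = Get-Credential -UserName $account -Message 'Service account password'

# Build a CIM (WMI) session exactly as a remote WMI reader would. If the account
# lacks DCOM/WMI rights on the DC, this is where it fails.
$session = New-CimSession -ComputerName $dc -Credential $cred -ErrorAction Stop

# Win32_NTLogEvent lives in root\cimv2. If the account can open the session but
# cannot read the Security log, this returns nothing or an access-denied error
# rather than events.
$since = (Get-Date).AddDays(-7)
$events = Get-CimInstance -CimSession $session -ClassName Win32_NTLogEvent `
    -Filter "Logfile='Security' AND (EventCode=4728 OR EventCode=4729)" -ErrorAction Stop |
    Where-Object { $_.TimeGenerated -ge $since }

Remove-CimSession $session

if (-not $events) {
    Write-Warning "No 4728/4729 read over WMI as $account. Check the account's log-read rights, or confirm the audit policy is producing these events on $dc."
} else {
    $events |
        Select-Object TimeGenerated, EventCode, ComputerName,
                      @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
        Sort-Object TimeGenerated -Descending |
        Format-Table -AutoSize
}
```

Run it first as a Domain Admin to establish that events exist, then as the service account; if the first run returns events and the second does not, the gap is in the account's rights rather than the audit policy.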
