Active Directory log search comes up mostly empty

Hi guys, I’m still kind of new to IDR but I’ve been digging into logs and queries and stuff lately and have a number of potential issues I am trying to figure out. This one in particular is where I’ve searched the AD logs for “MEMBER_ADDED_TO_SECURITY_GROUP” for the last 30 days and it only shows 7 log entries. I know this is inaccurate because we add/remove people from security groups multiple times per week. If the log search was broken or it was a bad query, I would expect nothing to show up. The fact that only some show up tells me there is something wrong somewhere - that or I am searching the wrong thing in the wrong way.

I have also tried an Advanced query of `where(action="MEMBER_ADDED_TO_SECURITY_GROUP")groupby(source_user)` with the same results.

I have a case # 00806105

Hi David,

Can you verify which event code you are expecting to see which is not showing in log search?

You can see the list of default event codes here Active Directory | InsightIDR Documentation

We have 4728 and 4732 as well as 4756 related to group membership, global, local and universal.

Perhaps the event codes you are looking for fall outside of the scope of this list? In which case you would see them in unparsed logs if you have "send unfiltered events" turned on for the event source.

One thing I’d recommend is verifying that the audit policy is configured correctly to log the events you are looking for. Perhaps take the action and verify that the event is logged in the Security log in Event Viewer.

David
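One way to do the check described above (confirm the audit subcategory is set to log successes, then confirm the 4728/4732/4756 family actually lands in the Security log before suspecting the search) is the following PowerShell, added here as an example; it is not from the thread or from Rapid7. It assumes it is run elevated on a domain controller, and the `$Days` window and the event-ID table are constructed for the example; the removal IDs 4729/4733/4757 are the standard Windows counterparts and are not mentioned in the thread.

```powershell
# Added example (not from the thread): on a domain controller, confirm that
# security group membership changes are audited and present in the Security
# log, then count them per event ID the way groupby(event_code) would.
# Assumes an elevated session on a DC; $Days is a constructed default.
param(
    [int]$Days = 30
)

# Add/remove IDs for security groups: global (4728/4729), local (4732/4733),
# universal (4756/4757). Distribution-group IDs are left out on purpose.
$MembershipEvents = @{
    4728 = 'Member added to global security group'
    4729 = 'Member removed from global security group'
    4732 = 'Member added to local security group'
    4733 = 'Member removed from local security group'
    4756 = 'Member added to universal security group'
    4757 = 'Member removed from universal security group'
}

# 1. Audit policy: these IDs come from the "Security Group Management"
#    subcategory. If it is "No Auditing" or Failure-only, nothing reaches the
#    Security log no matter what the collector forwards.
$auditLine = auditpol /get /subcategory:"Security Group Management" /r |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv | Select-Object -First 1
"Security Group Management audit setting: $($auditLine.'Inclusion Setting')"

# 2. Pull the events from the local Security log for the window.
$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($MembershipEvents.Keys)
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No security group membership events in the last $Days days. Re-check the audit setting above, make a test change, and look again."
    return
}

# 3. Count per event ID (Group-Object names are strings; the table keys are ints).
$events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    [pscustomobject]@{
        EventId     = [int]$_.Name
        Description = $MembershipEvents[[int]$_.Name]
        Count       = $_.Count
    }
} | Format-Table -AutoSize

# 4. Call out IDs that never appeared. Events present here but absent from the
#    SIEM search point at collection or parsing, not at the query.
$seen = $events.Id | Select-Object -Unique
$MembershipEvents.Keys | Sort-Object | Where-Object { $seen -notcontains $_ } | ForEach-Object {
    "Not seen in window: $_ ($($MembershipEvents[$_]))"
}
```

Run it on each domain controller, since a membership change is logged only on the DC that processed it; if the counts here are well above what the InsightIDR search returns, the gap is between the DC and the collector rather than in the LEQL.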

Thanks David Smith, I will check to see if the other events show up. I did configure the audit policy a while back to make sure these events are being logged but maybe I missed something.

@David_Heet,

For any group removals, if you verify those are being logged on your AD side, simply go into each of your domain controller event sources, check the box for unfiltered logs, and then look for those in the raw logs.

Hey guys, thanks for the help. I checked everything over last night as far as logs we are sending from AD and everything appears good. Going back to search IDR today and the logs seem to be showing up now.

@David_Heet,

Just an FYI, but if you are trying to collect all the event codes for your AD and asset authentication logs, you could try the following query I’ve had success with. I’ve run this query against all my event sources in the following log sets:

Active Directory Admin Activity
Asset Authentication
Raw Logs for Active Directory Admin Activity
Unparsed Logs for Active Directory Admin Activity

where(/eventCode":(?P<event_code>[^,]*)/)groupby(event_code)limit(1000)
