Hi everyone,
I'm looking to set up monitoring of account creations and deletions inside of Active Directory. Has anyone found a solution for this?
Thanks!
Event Log monitoring. Syncro has some built in, or you can add your own; just make sure you test that it's actually working. PowerShell scripts that check the event log provide more flexibility in reporting (maybe you want to exclude some kinds of alerts or users, for example), whereas Syncro will be all or nothing. Active Directory Logs: Monitor AD Security and Performance - Active Directory Pro
Go to Policies → Event Log Policies → Add New Event Log Policy → New Event Log Query
Custom Queries (Source: Microsoft-Windows-Security-Auditing)
Event ID   Name                       Message
4724       account password reset     %
4720       user account was created   %
4726       user account was deleted   %
Do you have this working? Does it still alert if you get several matches in a 15 min period?
My experience with event monitoring when I was trying to use logon monitoring was that I couldn't figure out how to filter events enough to be very specific, and if too many events happened between 15 min polling intervals Syncro just wouldn't fire an alert.
After trying to make event monitoring work on several things I've mostly given up using Syncro for event monitoring and just use PowerShell scripts, either run from Syncro directly or using the event to trigger a scheduled task that runs a script.
The OP was asking about account creation and deletions, not login events. You are correct about the 15 minute polling. What I posted does work for the OP's use case. The Event Log monitor is good enough for big things that should not happen often or without an alert. If you want real-time security monitoring alerts, you may want to look into an XDR or SIEM platform, like Wazuh. But if PowerShell scripts work for you, then that's a win. The ability to run PowerShell scripts and feed the results back to Syncro has solved many issues for me as well.
I have tried the Event Viewer approach, but that has not yielded the results I was looking for. I'm going to explore the PowerShell script approach next. Any advice on how to get started that way?
Oh yes, I understand what the original question was. But if all I have to do to bypass your monitoring is create 5-10 accounts and delete all but the one I want to keep, it's a factor that needs to be considered when deciding if the solution covers the intended use case. If you're just trying to catch when one of your techs or the internal IT guy creates a new account, you're right, it would be very low volume; if you're trying to catch someone malicious doing stuff, you have to know the limitations of your monitoring.
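The PowerShell approach suggested a few replies up, and the "create several, delete all but one" bypass raised in the reply just above, as one added example script. This is not code from the thread or from Syncro. It assumes it runs elevated on a domain controller (4720/4724/4726 are written to the Security log of whichever DC processed the change, so every DC needs to be queried), that the "Audit User Account Management" subcategory is enabled, and that the allow-listed actor name and the 15 minute lookback are placeholders to be replaced with your own values.

```powershell
# Added example, not from the thread or Syncro. Polls the Security log for AD
# account lifecycle events over a lookback window and reports every match, plus
# any account that was both created and deleted inside the same window.
# Assumptions: runs elevated on a DC; "Audit User Account Management" is on;
# $IgnoreActors holds your own provisioning accounts (the name below is made up).
param(
    [int]$LookbackMinutes = 15,
    [string[]]$IgnoreActors = @('svc-provisioning')   # assumed allow-list; edit for your environment
)

$EventNames = @{ 4720 = 'created'; 4726 = 'deleted'; 4724 = 'password reset' }

# One query for all three IDs. SilentlyContinue because an empty window makes
# Get-WinEvent throw "No events were found" rather than return nothing.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @(4720, 4726, 4724)
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
} -ErrorAction SilentlyContinue

# Read named EventData fields from the event XML instead of relying on the
# positional Properties[] indexes, which differ between event IDs.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$changes = foreach ($e in $events) {
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Action = $EventNames[[int]$e.Id]
        Target = Get-EventField -Event $e -Name 'TargetUserName'   # account that was changed
        Actor  = Get-EventField -Event $e -Name 'SubjectUserName'  # who made the change
        DC     = $e.MachineName
    }
}

# Filtering by actor is the "exclude some users" flexibility a canned RMM
# policy does not give you.
$changes = $changes | Where-Object { $IgnoreActors -notcontains $_.Actor }

if (-not $changes) {
    Write-Output "No account changes in the last $LookbackMinutes minutes."
    exit 0
}

# Report every change, not only the first match in the polling window.
$changes | Sort-Object Time | Format-Table -AutoSize | Out-String | Write-Output

# Churn check: an account created and deleted within the same window is the
# pattern an attacker would use to hide one kept account among throwaways.
$churned = $changes | Group-Object Target | Where-Object {
    ($_.Group.Action -contains 'created') -and ($_.Group.Action -contains 'deleted')
}
foreach ($g in $churned) {
    $actors = ($g.Group.Actor | Select-Object -Unique) -join ', '
    Write-Warning "Account '$($g.Name)' was created and deleted within $LookbackMinutes minutes (by: $actors)"
}

# Non-zero exit so an RMM script monitor or scheduled-task wrapper can alert on it.
exit 1
```

To get closer to real time than a polling interval, the same script can be fired by the event itself instead of on a timer: a scheduled task with an event trigger, for example `schtasks /create /tn "AD-AccountChange" /tr "powershell.exe -NoProfile -File C:\Scripts\Watch-AdAccountChanges.ps1" /sc ONEVENT /ec Security /mo "*[System[(EventID=4720 or EventID=4726 or EventID=4724)]]" /ru SYSTEM` (task name and script path are assumptions here). Because the script still looks back over the whole window rather than at a single event, a burst of ten changes is reported as ten lines rather than collapsing into one alert.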
Can you go into a bit more detail on what the results you're looking for are? Are you hoping for real-time alerting on user creation and deletion events, or to know you have an accurate list of users and group memberships logged somewhere? I guess the really critical thing is how close to real time you need it to be: is once a day fine, are you pulling your hair out because 15 min is way too long, or somewhere in the middle?