Events collected by Cayosoft Guardian from the Windows Event Log related to the Active Directory operations
To discover the initiator of, and additional details about, the changes collected from Active Directory, Cayosoft Guardian also collects events from the Security event log of every Domain Controller in the target domain. This article describes the collected events and explains how to enable their generation in AD DS.
How to enable additional security events required for the initiator detection
- On the Domain Controller, click Start, point to Administrative Tools, and then click Group Policy Management.
- In the console tree, expand your forest > Domains > your domain, right-click the relevant Default Domain Policy or Default Domain Controllers Policy (or create your own policy), and then click Edit.
- Under Computer Configuration, click Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies, and then double-click the relevant policy setting.
The following subcategories must be enabled for Cayosoft Guardian:
- Select Logon/Logoff and enable Success events for the Audit Account Lockout subcategory. Note that event 4625 is a Failure audit, so Failure must also be enabled for it to be recorded under this subcategory.
- Select Account Management and enable Success events for the Audit User Account Management subcategory.
- Select Account Management and enable Success events for the Audit Security Group Management subcategory.
- Select DS Access and enable Success events for the Audit Directory Service Access subcategory.
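After the policy has been applied (gpupdate or the next refresh), the effective setting on a Domain Controller can be checked with auditpol. The following PowerShell is an added example, not part of the Cayosoft article; it parses the CSV output of `auditpol /get /r` and reports whether each of the four subcategories above is effective. Run it elevated on a DC. The Account Lockout row is checked for Failure as well as Success, for the 4625 reason noted above.

```powershell
# Added example (not from the Cayosoft article): verify the four audit subcategories
# this collector needs are in effect on the local DC.
$Required = @{
    'Account Lockout'           = 'Success and Failure'   # 4625 is a Failure audit
    'User Account Management'   = 'Success'               # 4738, 4740, 4767, 4723, 4724, 4780
    'Security Group Management' = 'Success'               # 4735, 4737
    'Directory Service Access'  = 'Success'               # 4662
}

function Test-RequiredAuditPolicy {
    foreach ($name in $Required.Keys) {
        # /r emits CSV with a leading blank line; drop empty lines before parsing
        $row = auditpol /get /subcategory:"$name" /r | Where-Object { $_ } | ConvertFrom-Csv
        $effective = $row.'Inclusion Setting'      # e.g. "Success", "Success and Failure", "No Auditing"
        $needFailure = $Required[$name] -like '*Failure*'
        $ok = ($effective -like '*Success*') -and ((-not $needFailure) -or ($effective -like '*Failure*'))
        [pscustomobject]@{
            Subcategory = $name
            Effective   = $effective
            Required    = $Required[$name]
            OK          = $ok
        }
    }
}

Test-RequiredAuditPolicy | Format-Table -AutoSize
```

auditpol shows the effective policy, which is what matters for event generation; a subcategory that reads "No Auditing" here means the GPO has not applied yet or another policy overrides it.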
How to configure your domain for auditing of read operations of BitLocker and LAPS passwords
To configure Cayosoft Guardian for auditing of read access to BitLocker and LAPS passwords in Active Directory, perform the following steps.
- To configure a SACL that generates events when someone reads a BitLocker or LAPS password, run the attached script on a domain controller with the parameters: Set-SACLforReadOperations -BitLocker -LAPS
- Go to Configuration > Jobs.
- In the filters, select Event collection jobs.
- Find the job for the selected domain and double-click it.
- Double-click the action Collect Active Directory Audit Logs.
- Click Add value under Collect read-access events for the following properties.
- Add all required attribute names, such as ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime, msTPM-OwnerInformation, msFVE-KeyPackage, msFVE-RecoveryPassword, msFVE-VolumeGuid, and msFVE-RecoveryGuid.
- Press Save.
- To see the logged events, go to Change Monitoring > Event Log.
You might also consider adjusting the retention policy for events to keep them for a longer period: Managing retention rules in Cayosoft Guardian.
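The attached script is not reproduced on this page. The following PowerShell is an added example, not the Cayosoft script and not a reimplementation of its parameters, showing the SACL the procedure relies on: an audit ACE for Everyone on successful ReadProperty of each listed attribute, inherited to all descendants of a container, so that every read of those attributes produces a 4662 Success event. The OU distinguished name is a placeholder; attributes not present in the schema (for example if LAPS is not deployed) are skipped with a warning. Run it as a Domain Admin on a DC.

```powershell
# Added example (not the Cayosoft Set-SACLforReadOperations script): put a read-audit
# SACL on a container so that reads of LAPS/BitLocker attributes generate 4662.
Import-Module ActiveDirectory

$TargetDN = 'OU=Workstations,DC=corp,DC=example'   # placeholder; adjust to your domain
$AttrNames = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime', 'msTPM-OwnerInformation',
             'msFVE-KeyPackage', 'msFVE-RecoveryPassword', 'msFVE-VolumeGuid', 'msFVE-RecoveryGuid'

$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# -Audit is required so the returned descriptor includes (and lets us modify) the SACL
$acl = Get-Acl -Path "AD:\$TargetDN" -Audit

foreach ($name in $AttrNames) {
    # 4662 identifies properties by schemaIDGUID, so the ACE must be object-specific
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if (-not $attr) { Write-Warning "$name is not in the schema; skipping"; continue }
    $guid = [guid]$attr.schemaIDGUID

    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AuditFlags]::Success,
        $guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)
    $acl.AddAuditRule($rule)
}

Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

# Show the audit entries now on the container
(Get-Acl -Path "AD:\$TargetDN" -Audit).GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.ObjectType -ne [guid]::Empty } |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, ObjectType, InheritanceType
```

Inheritance to descendants matters for BitLocker: the msFVE-* attributes live on msFVE-RecoveryInformation child objects under the computer object, not on the computer object itself. Audit ACEs on a busy container can produce a high volume of 4662 events, which is why the Event Collection Job filters on specific attribute names.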
List of events collected by Cayosoft Guardian
| Event ID | Description | Usage in Cayosoft Guardian |
|---|---|---|
| 4662 | This event is generated every time an operation is performed on an Active Directory object. It is generated only if an appropriate SACL is set on the object and the performed operation matches that SACL. If the operation failed, a Failure event is generated. You will get one 4662 for each operation type that was performed. | This event is used to detect the initiator of most changes that occur in Active Directory. If the Audit option was enabled in the Add domain wizard, Cayosoft Guardian applies the required SACL changes to Active Directory itself. To collect events for read operations, the attributes must be specified in the Event Collection Job (see the "How to configure your domain for auditing of read operations of BitLocker and LAPS passwords" section above). |
| 4740 | This event is generated every time a user account is locked out. | This event is used to detect the initiator of an account lockout. To enable this event, the corresponding group policy must be enabled as described in this article. |
| 4625 | This event is generated if an account logon attempt failed when the account was already locked out. It is also generated for the logon attempt after which the account was locked out. It is generated on the computer where the logon attempt was made; for example, if the attempt was made on the user's workstation, the event is logged on that workstation. | This event is used to detect the initiator of an account lockout. To enable this event, the corresponding group policy must be enabled as described in this article. |
| 4767 | This event is generated every time a user account is unlocked. | This event is used to detect the initiator of an account unlock. To enable this event, the corresponding group policy must be enabled as described in this article. |
| 4780 | Every hour, the Domain Controller that holds the primary Domain Controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) in its domain that are in administrative or security-sensitive groups and have the AdminCount attribute set to 1 against the ACL on the AdminSDHolder object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, the ACL on the principal account is reset to match the AdminSDHolder ACL and this event is generated. | This event is used to detect the initiator of ACL modifications related to AdminSDHolder object changes. To enable this event, the corresponding group policy must be enabled as described in this article. |
| 4735 | This event is generated every time a security-enabled local group is changed. | This event is used to detect the initiator of ACL modifications related to AdminSDHolder object changes. To enable this event, the corresponding group policy must be enabled as described in this article. |
| 4737 | This event is generated every time a security-enabled global group is changed. It is similar to event 4735, but is generated for a global security group instead of a local security group. | This event is used to detect the initiator of ACL modifications related to AdminSDHolder object changes. To enable this event, the corresponding group policy must be enabled as described in this article. |
| 4738 | This event is generated every time a user object is changed. A separate 4738 event is generated for each change. | This event is used to detect the initiator of ACL modifications related to AdminSDHolder object changes. To enable this event, the corresponding group policy must be enabled as described in this article. |
| 4723 | This event is generated every time a user attempts to change his or her own password. | This event is used to detect the initiator of a password change. To enable this event, the corresponding group policy must be enabled as described in this article. |
| 4724 | This event is generated every time an account attempts to reset the password of another account. | This event is used to detect the initiator of a password reset. To enable this event, the corresponding group policy must be enabled as described in this article. |
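To confirm that the events in this table are actually being written on the Domain Controllers before relying on the collector, they can be queried directly. The following PowerShell is an added example, not part of Cayosoft Guardian: it reads the listed event IDs from each DC's Security log, flattens the EventData of each event to get the Subject (initiator) and target, and for 4662 resolves the property GUIDs in the Properties field back to attribute names using the schema. Control access right GUIDs (from the Extended-Rights container) are not in the schema and are left as GUIDs. The one-hour window is an assumption.

```powershell
# Added example (not part of Cayosoft Guardian): read the event IDs from the table above
# from every DC and show who initiated each one, resolving 4662 property GUIDs to names.
Import-Module ActiveDirectory

$EventIds = 4662, 4625, 4723, 4724, 4735, 4737, 4738, 4740, 4767, 4780

# schemaIDGUID -> lDAPDisplayName for every attribute and class in the schema
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$GuidToName = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $GuidToName[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }

$GuidPattern = '(?i)[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}'

function Get-InitiatorEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))   # assumed window

    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        # SilentlyContinue: Get-WinEvent throws when the filter matches no events
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = $EventIds; StartTime = $Since }

        foreach ($e in $events) {
            # EventData is a list of <Data Name="...">value</Data>; flatten to a hashtable
            $d = @{}
            foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            # 4662 lists the accessed properties as GUIDs, not names
            $props = @()
            if ($e.Id -eq 4662 -and $d['Properties']) {
                $props = [regex]::Matches($d['Properties'], $GuidPattern) | ForEach-Object {
                    $g = $_.Value.ToLower()
                    if ($GuidToName.ContainsKey($g)) { $GuidToName[$g] } else { $g }
                }
            }

            [pscustomobject]@{
                DC        = $dc
                Time      = $e.TimeCreated
                Id        = $e.Id
                Initiator = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Target    = if ($d.ContainsKey('TargetUserName')) { $d['TargetUserName'] } else { $d['ObjectName'] }
                Property  = ($props -join ', ')
            }
        }
    }
}

Get-InitiatorEvents | Sort-Object Time | Format-Table -AutoSize
```

For 4662 events produced by the read-audit SACL, the Property column should show the LAPS and BitLocker attribute names configured in the Event Collection Job; if it shows only raw GUIDs, the schema lookup did not match and the attribute is either a control access right or not in this forest's schema.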