Real-Time alert "Group Member Added by Unauthorized Personnel"

Does anyone know how to monitor all groups for a specific OU in Active Directory?




  • Hi jc,

    You should use the function in_OU which is described here

    In the advanced rule editor (Matching tab, Advanced button) change the rule in the following way, add Target OU argument into "agruments" section and in_OU handler in the body:

    <rule type="REL" version="1.0">
    <argument displayname="Authorized_Groups" name="Authorized_Groups" class="List" description="A list of groups for managing groups in an organization">
    <argument displayname="Authorized_Users" name="Authorized_Users" class="List" description="A list of user accounts for managing groups in an organization">
    <argument displayname="Skipped_Target_Groups" name="Skipped_Target_Groups" class="List" description="A list of groups to exclude from monitoring">
    <argument displayname="Target_Groups" name="Target_Groups" class="List" description="A list of groups to monitor">
    <argument displayname="Target_OUs" name="Target_OUs" class="List" description="A list of OUs to monitor">

    def common(OperatorDomain, OperatorName, MemberAccount) :=
    not in( strcat( OperatorDomain, "\\", OperatorName ), "wi", array(<parameter name="Authorized_Users"/>) )
    and not in( strcat( String4, "\\", String3 ), "wi", array(<parameter name="Skipped_Target_Groups"/>) )
    and in( strcat( String4, "\\", String3 ), "wi", array(<parameter name="Target_Groups"/>) )
    and not is_current_user( OperatorDomain, OperatorName )
    and not member_of( strcat( OperatorDomain, "\\", OperatorName ), array(<parameter name="Authorized_Groups"/>), true )
    and in_OU(OperatorDomain, OperatorName, array(<parameter name="Target_OUs"/>), true )
    and set_alert_field("OperatorName", OperatorName, true)
    and set_alert_field("OperatorDomain", OperatorDomain, true)
    and set_alert_field("MemberAccount", MemberAccount, true)


    (EventID = 632 or EventID = 636 or EventID = 660 or EventID = 655 or EventID = 665 or EventID = 650)
    and striequ( Source, "security" )
    and common(String7, String6, String13)
    (EventID = 4728 or EventID = 4732 or EventID = 4756 or EventID = 4761 or EventID = 4751 or EventID = 4746)
    and common(String8, String7, String12)

  • It didn't work. XML verified ok. Thoughts?
  • (suggestion)
    #1. Create alert from oob alert template (monitor all groups in OU), or if not available, something close with alert scope (objects in OU). Review and edit XML body of the alert.
    #2. Maybe create ad\my_group and oob alert: monitor all groups (objects) memberOf the ad\my_group?
  • Did you change OperatorDomain and OperatorName to String4 and String3? I apologize I posted the temporary rule text, it should be of course "and in_OU(String4, String3, array(<parameter name="Target_OUs"/>), true )", because here you check the location of the group, not the operator.