Using Nitro to monitor Domain Admin Password Changes

We had a requirement to monitor when Domain Admins changed their password so that we could pass our PCI Audit for this year. Mostly the issue came out of the fact that a hacker could just as easily change a domain admin password as they could create a new account in Domain Admins. I was already monitoring Domain Admins for new accounts getting created; this just seemed like the next step.

I came up with this method to monitor it with Nitro and then have a report sent to me.

1. Create a Watchlist
Call it whatever you want, but make it a destination user type and then choose an assignee.

2. Input all of your Domain Admins into the Watchlist

3. After creating the watchlist, go into Alarms and create a new alarm.
Give it a name and choose an assignee.

4. Go to the Condition tab and choose “specified event rate”, set the event count to “1”, and set the time frame to 10 minutes. This is needed so the alarm fires as soon as a single matching event is seen.

5. Then click the filter icon and set the following in your query filter:
signature id: 43-211006270,43-211006280,43-263047230
destination user: WL:(name of watch lists)
Under Select a Device, choose all of your domain controllers. We have two domains, so we are monitoring several machines.

6. Now here is where the magic comes in, and the best alerting you can set up: under Actions, choose Generate Report and then click Configure.
Here you are going to create a new report that lists the userid field and any other information you want. You will also choose your email recipients here so that you are notified when a domain admin's password has changed. Since the parameters from the alarm are not passed to the report, you will need to set a few things in the filter at the bottom to keep it to what you are looking for:
signature id: 43-211006270,43-211006280,43-263047230
destination user: WL:(name of watch lists)
Set the time range to the last 10 minutes.

7. Click Finish. You now have an alarm that will be triggered when a domain admin changes their password.
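As an added illustration (not part of the original post and not Nitro's own code), here is a small Python model of the alarm logic in steps 4 to 6: the query filter on signature id, watchlisted destination user and device, the “specified event rate” condition generalised to N events in T minutes (the post's case is N = 1, T = 10), and the report of affected userids. The signature IDs are the ones from the post; the watchlist members, device names and sample events are constructed stand-ins.

```python
from collections import deque
from datetime import datetime, timedelta

# Signature IDs from the post's alarm filter (the Nitro events for a password change).
PASSWORD_CHANGE_SIGS = {"43-211006270", "43-211006280", "43-263047230"}
# Constructed stand-ins for the Nitro watchlist and the "Select a Device" list (assumptions).
DOMAIN_ADMIN_WATCHLIST = {"CORP\\alice.adm", "CORP\\bob.adm"}
DOMAIN_CONTROLLERS = {"dc01", "dc02"}

def matches_filter(event):
    """The alarm's query filter: signature id, destination user in the watchlist, device is a DC."""
    return (event["sig_id"] in PASSWORD_CHANGE_SIGS
            and event["dst_user"] in DOMAIN_ADMIN_WATCHLIST
            and event["device"] in DOMAIN_CONTROLLERS)

def evaluate_alarm(events, event_count=1, window=timedelta(minutes=10)):
    """Emulate the 'specified event rate' condition: fire once at least event_count
    matching events fall inside a sliding window of length `window`.
    Each firing yields the userids a Generate Report action would list."""
    recent = deque()
    reports = []
    for ev in sorted(filter(matches_filter, events), key=lambda e: e["time"]):
        recent.append(ev)
        while ev["time"] - recent[0]["time"] > window:  # age out old events
            recent.popleft()
        if len(recent) >= event_count:
            reports.append({"triggered_at": ev["time"],
                            "userids": [e["dst_user"] for e in recent]})
            recent.clear()  # one alarm per burst, then start counting again
    return reports

def _t(hhmm):
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))

# Constructed sample events (not real ESM data); only three should match the filter.
SAMPLE_EVENTS = [
    {"time": _t("10:00"), "sig_id": "43-211006270", "dst_user": "CORP\\alice.adm", "device": "dc01"},
    {"time": _t("10:02"), "sig_id": "43-211006270", "dst_user": "CORP\\jdoe", "device": "dc01"},       # not a DA
    {"time": _t("10:03"), "sig_id": "43-000000000", "dst_user": "CORP\\bob.adm", "device": "dc01"},    # constructed other sig
    {"time": _t("10:04"), "sig_id": "43-211006280", "dst_user": "CORP\\bob.adm", "device": "fs01"},    # not a DC
    {"time": _t("10:05"), "sig_id": "43-263047230", "dst_user": "CORP\\bob.adm", "device": "dc02"},
    {"time": _t("10:30"), "sig_id": "43-211006280", "dst_user": "CORP\\alice.adm", "device": "dc01"},
]

def run_sample(event_count=1):
    return evaluate_alarm(SAMPLE_EVENTS, event_count=event_count)

if __name__ == "__main__":
    for r in run_sample():
        print(r["triggered_at"], "domain admin password changed:", ", ".join(r["userids"]))
```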

