Monitoring Domain Admin Password Changes with Nitro/Mcafee Enterprise Security

We had a requirement to monitor when Domain Admins changed their password so that we could pass our PCI audit for this year.  Mostly the issue came out of the fact that a hacker could change a domain admin's password just as easily as they could create a new account in Domain Admins.  I was already monitoring Domain Admins for accounts getting added or removed; this just seemed like the next step.

I came up with this method to monitor our Domain Controllers with Nitro and then send me a notification/report.

1. Create a Watchlist.
Call it whatever you want, but make it a destination user type and then choose an assignee.

2. Input all of your Domain Admins into the Watchlist.

3. After creating the watchlist, go into Alarms and create a new alarm.
Give it a name and choose an assignee.

4. Go to the Condition tab, choose "specified event rate", set the event count to 1, and set the time frame to 10 minutes.  This is what makes the alarm fire when you need it to.

5. Then click the filter icon and set the following query filter:
signature id: 43-211006270,43-211006280,43-263047230
destination user: WL:(name of watchlist)
Under "select a device", choose all of your domain controllers.  We have two domains, so we are monitoring several machines.

6. Now here is where the magic comes in, and the best alerting you can set up.  Under Actions, choose Generate Report and then click Configure.
Here you create a new report that lists the userid field and any other information you want.  You also choose your email recipients here, so that you are notified when a domain admin's password has changed.  Since the parameters from the alarm are not passed to the report, you need to set a few filters at the bottom to keep it to what you are looking for:
signature id: 43-211006270,43-211006280,43-263047230
destination user: WL:(name of watchlist)
Set the time range to the last 10 minutes.

7. Click Finish.  You now have an alarm that triggers when a domain admin changes their password.
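To make the logic of steps 1 to 7 concrete outside the ESM console, here is a small model of the alarm and its report as added example code (it is not McAfee's code and not part of the original post). It uses the three signature IDs from the post; the watchlist members, domain controller names, event timestamps and the event field names (signature_id, destination_user, device, time) are constructed assumptions. The key point it shows is the one from step 6: the report does not inherit the alarm's match, so it must re-apply the same watchlist, signature and device filter together with its own 10-minute time range.

```python
"""Model of the Nitro/McAfee ESM 'domain admin password change' alarm.

Added example, not McAfee's code. Events are constructed dicts carrying
the fields the post filters on: signature_id, destination_user, device
and time (an aware datetime).
"""
from datetime import datetime, timedelta, timezone

# Filter values taken from the post's query filter.
PASSWORD_CHANGE_SIGNATURES = {"43-211006270", "43-211006280", "43-263047230"}
WINDOW = timedelta(minutes=10)   # alarm time frame / report "last 10 minutes"
EVENT_COUNT = 1                  # "specified event rate" with a count of 1

# Constructed: a destination-user watchlist of domain admin accounts.
DOMAIN_ADMIN_WATCHLIST = {"corp\\alice.admin", "corp\\bob.admin"}
# Constructed: the domain controllers picked under "select a device".
DOMAIN_CONTROLLERS = {"dc01", "dc02"}


def matches_filter(event, watchlist, devices):
    """The alarm's query filter: password-change signature, target user
    in the watchlist, and the event came from a selected DC."""
    return (
        event["signature_id"] in PASSWORD_CHANGE_SIGNATURES
        and event["destination_user"].lower() in watchlist
        and event["device"].lower() in devices
    )


def alarm_fires(events, now, watchlist, devices):
    """Specified event rate: fire when at least EVENT_COUNT matching
    events fall inside the WINDOW ending at `now`."""
    recent = [
        e for e in events
        if now - WINDOW <= e["time"] <= now and matches_filter(e, watchlist, devices)
    ]
    return len(recent) >= EVENT_COUNT


def build_report(events, now, watchlist, devices):
    """The report generated by the alarm action. The alarm's matched event
    is NOT passed along, so the report re-applies the same filter and
    restricts itself to the last WINDOW; it lists the user id plus the
    other fields chosen for the report."""
    rows = [
        {"time": e["time"].isoformat(), "user": e["destination_user"],
         "device": e["device"], "signature_id": e["signature_id"]}
        for e in events
        if now - WINDOW <= e["time"] <= now and matches_filter(e, watchlist, devices)
    ]
    return sorted(rows, key=lambda r: r["time"])


# Constructed sample events (not real log data).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # Domain admin password changed on a DC 3 minutes ago: should match.
    {"time": NOW - timedelta(minutes=3), "signature_id": "43-211006270",
     "destination_user": "CORP\\alice.admin", "device": "DC01"},
    # Ordinary user, same signature, not in the watchlist: ignored.
    {"time": NOW - timedelta(minutes=2), "signature_id": "43-211006270",
     "destination_user": "CORP\\jdoe", "device": "DC01"},
    # Domain admin, but reported by a member server rather than a DC: ignored.
    {"time": NOW - timedelta(minutes=1), "signature_id": "43-211006280",
     "destination_user": "CORP\\bob.admin", "device": "FS01"},
    # Domain admin on a DC, but 45 minutes ago: outside the 10-minute range.
    {"time": NOW - timedelta(minutes=45), "signature_id": "43-263047230",
     "destination_user": "CORP\\bob.admin", "device": "DC02"},
]

if __name__ == "__main__":
    if alarm_fires(SAMPLE_EVENTS, NOW, DOMAIN_ADMIN_WATCHLIST, DOMAIN_CONTROLLERS):
        for row in build_report(SAMPLE_EVENTS, NOW, DOMAIN_ADMIN_WATCHLIST, DOMAIN_CONTROLLERS):
            print(row)
```

Run as-is, only the alice.admin event reaches the report: the non-watchlist user, the non-DC device and the stale event are all dropped by the report's own filter even though, in the real console, the alarm that fired is what caused the report to run. If the report's time range were wider than the alarm window, the 45-minute-old event would appear in the email as well, which is why the post pins the report to the last 10 minutes.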
