LoFP / T1484
False positives will most likely be present based on risk scoring and on how the organization handles system-to-system communication. Filter or modify as needed. In addition to counting by analytic, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different; monitor and modify as needed.
General usage of Group Policy will trigger this detection. Also please note that GPOs modified using tools such as SharpGPOAbuse will not generate the AD audit events which enable this detection.
Group Policy Objects are created as part of regular administrative operations; filter as needed.
In most organizations, domain federation settings will be updated infrequently. Filter as needed.
In most organizations, new custom domains will be added infrequently. Filter as needed.
Legitimate administrative activity.
Legitimate execution by system administrators.
Legitimate use.
None.
A SAML provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML provider updates by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
The default Group Policy Objects within an AD network may be legitimately updated for administrative operations; filter as needed.
Users allowed to perform these modifications (user found in the SubjectUserName field).
When a GPO is manually edited and 5136 events are not being logged to Splunk.
When there is a change to nTSecurityDescriptor, Windows logs the entire ACL, including the newly added components. If existing accounts already hold this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless they are whitelisted.