Security Monitoring–Updating Service Created on DC Rule

Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks.

One piece of feedback I've received regarding security monitoring is the noise generated by services created on a domain controller. In general, this should not be a common event, but occasionally legitimate applications do create services on a domain controller. As such, I've done a minor rewrite of this rule to allow an override for up to 5 services.

There are a couple of things worth noting.

First, this does not replace the rule that runs on all systems and generates alerts for known threats such as wince or PsExec. Yes, both of those tools have legitimate uses, and if you're using them in your organization, then I do recommend turning off that rule.

That said, there's a second rule targeted only at Windows domain controllers, which will alert any time a service is created on a DC. Again, this is typically not common in an environment, but if you're an exception, read on.

All you need to do is create an override:

image

That's pretty straightforward. It's worth noting that this uses a contains operator against parameter 2 of the event. There's not much to this particular parameter, but if you're troubleshooting and having issues, you'll want to verify the value in the 7045 event that is created; the override value must match it.

image
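To check the override value against real events before relying on it, the following added PowerShell example (not part of the Security Monitoring MP) pulls recent 7045 events from the System log on a DC, extracts the positional parameters, and shows which events a "contains" match against parameter 2 would still let through. The allow-list entries are constructed placeholders; the 7045 event layout (Service Name, Service File Name, Service Type, Start Type, Service Account) is the standard Service Control Manager message.

```powershell
# Added example: dry-run the "up to 5 services" override against live 7045 events.
# Constructed placeholder values; replace with the strings you put in the override.
$AllowedParameter2 = @(
    'C:\Program Files\Contoso\BackupAgent\agent.exe',   # hypothetical legitimate service
    'C:\Program Files\Contoso\Monitoring\mon.exe'       # hypothetical legitimate service
)

# Event 7045 = "A service was installed in the system" (Service Control Manager, System log).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7045
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue   # Get-WinEvent errors when no events match

foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    # EventData/Data is positional: index 0 = parameter 1 (Service Name),
    # index 1 = parameter 2 (Service File Name), which the rule's override inspects.
    $data        = @($xml.Event.EventData.Data)
    $serviceName = $data[0].'#text'
    $param2      = $data[1].'#text'

    # Mirror the override's case-insensitive "contains" operator: any allowed value
    # found inside parameter 2 suppresses the alert.
    $suppressed = $false
    foreach ($allowed in $AllowedParameter2) {
        if ($param2 -and $param2.IndexOf($allowed, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $suppressed = $true
            break
        }
    }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        ServiceName = $serviceName
        Parameter2  = $param2
        WouldAlert  = -not $suppressed
    }
}
```

Run it on the DC itself (or add -ComputerName to Get-WinEvent); any row with WouldAlert set to True shows the exact parameter 2 text the override string must be contained in.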

These updates will be in the next Security Monitoring MP. If you wish to test them, hit me up on LinkedIn.