Domain policy is critical to ensuring that policy changes are made only by users with the appropriate access, and only by those whose job-specific roles call for it. The Domain Policy Content Pack helps system administrators track, report on, and update domain policy changes in their environment, as well as changes to privileged security group membership. Tracking which users change these items is critical for identifying suspicious modifications and fixing them in a timely manner.
Content Pack Components
Alarms
The alarms in this content pack are designed to highlight potential high-risk events. When triggered, they will generate a visual alert as well as create an alarm event.
- Domain Policy - Suspect Domain Changes
- Domain Policy - Suspect Local Changes
Views
- Domain Security Group Changes
- GPO Changes by User
- Local Security Group Changes Dest SID
- Local Security Group Changes Dest User
- Group Policy Errors
Reports
- Domain Policy - Weekly Policy Overview
Correlation Rules
- Domain Policy - Domain Policy Changed
- Domain Policy - Group Policy Object Deleted
- Domain Policy - Group Policy Object Created
- Domain Policy - Group Policy Object Changed
- Domain Policy - Suspicious Domain Privilege Changes
- Domain Policy - Suspicious Local Privilege Changes
- Domain Policy - User Added to Domain Security Group
- Domain Policy - User Added to Local Security Group
- Domain Policy - User Removed from Domain Security Group
- Domain Policy - User Removed from Local Security Group
Watchlists
The Domain Policy - Security Groups watchlist is an object watchlist for Active Directory security groups important to the organization. It can be altered to better fit the environment.
- Domain Policy - Security Groups
Required Products
- McAfee Enterprise Security Manager (ESM) 11.x, 10.x
- McAfee Advanced Correlation Engine (ACE) 11.x, 10.x
Download Content Pack
Registered ServicePortal users can log in to access the Knowledge Center for further documentation or to download the content pack file manually.