IBM Security QRadar

  • 1.  Shared Folder or File

    Posted Wed May 15, 2024 05:03 PM
    Edited by Beko Resiti Wed May 15, 2024 05:04 PM

    How can I identify from logs, or find from QRadar logs or from a log source, which privileged user (or domain admin) or group policy has given a single domain user the right to access the "shared folder or file"? Is there a way to find out when the permissions of a folder have been changed for a single CN or OU in order to get access to a specific shared folder in a Windows Server environment?



    ------------------------------
    Beko Resiti
    ------------------------------



  • 2.  RE: Shared Folder or File

    Posted Thu May 16, 2024 05:27 AM

    You can start by looking for this event ID -- 5136(S): A directory service object was modified -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5136

    Auditing logs must be enabled on Windows to get these events and forward them to QRadar.



    ------------------------------
    Joao Caetano
    ------------------------------
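
Added example, not part of the thread above: a Python sketch that reads event 5136 records in Windows event XML and reports who changed which attribute on which object, merging the "value added" and "value deleted" records of one change by their OpCorrelationID. The sample events, account name and DNs are constructed; the `Data` field names are those of the 5136 event.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OPS = {"%%14674": "added", "%%14675": "deleted"}  # raw OperationType codes in 5136

TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID>{eid}</EventID><TimeCreated SystemTime="{ts}"/></System><EventData>'
    '<Data Name="OpCorrelationID">{corr}</Data>'
    '<Data Name="SubjectUserName">{user}</Data><Data Name="SubjectDomainName">EXAMPLE</Data>'
    '<Data Name="ObjectDN">{dn}</Data><Data Name="AttributeLDAPDisplayName">{attr}</Data>'
    '<Data Name="AttributeValue">{val}</Data><Data Name="OperationType">{op}</Data>'
    '</EventData></Event>')

GROUP = "CN=Share-Readers,OU=Groups,DC=example,DC=test"
USER = "CN=Test User,OU=Staff,DC=example,DC=test"
# Constructed sample events, not taken from a real system.
SAMPLE = [
    TEMPLATE.format(eid=5136, ts="2024-05-15T09:00:00Z", corr="c1", user="adm.constructed",
                    dn=GROUP, attr="member", val=USER, op="%%14674"),
    TEMPLATE.format(eid=4624, ts="2024-05-15T09:00:05Z", corr="-", user="someone",
                    dn="-", attr="-", val="-", op="-"),  # not 5136: must be ignored
    TEMPLATE.format(eid=5136, ts="2024-05-15T09:01:00Z", corr="c2", user="adm.constructed",
                    dn=GROUP, attr="description", val="old text", op="%%14675"),
    TEMPLATE.format(eid=5136, ts="2024-05-15T09:01:00Z", corr="c2", user="adm.constructed",
                    dn=GROUP, attr="description", val="new text", op="%%14674"),
]

def parse_5136(xml_text):
    """Return the event's fields as a dict, or None if it is not event 5136."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None
    rec = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    rec["Time"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return rec

def summarize(events_xml):
    """One entry per logical change: who, when, object, attribute, values added/deleted."""
    changes = {}
    for rec in filter(None, map(parse_5136, events_xml)):
        key = (rec["OpCorrelationID"], rec["ObjectDN"], rec["AttributeLDAPDisplayName"])
        change = changes.setdefault(key, {
            "who": rec["SubjectDomainName"] + "\\" + rec["SubjectUserName"],
            "time": rec["Time"], "object": rec["ObjectDN"],
            "attribute": rec["AttributeLDAPDisplayName"], "added": [], "deleted": []})
        change.setdefault(OPS.get(rec["OperationType"], "other"), []).append(rec["AttributeValue"])
    return list(changes.values())
```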