
The previous article was my first post on Habr, and I was going to write a second part continuing the same topic.
In the comments to the first part I mentioned in passing that I had extended the monitoring scripts for server connections: in particular, I added notifications through the XMPP (Jabber) instant messaging service and writing of a log to a separate text file.
Instant alerts.
The advantage of instant notifications is that there is no need to keep checking e-mail for new messages: the messages arrive on their own and announce themselves immediately (depending on the client's settings, of course).
For myself, I have incoming messages pop up on top of all windows. Of course, to avoid spamming myself, such alerts are sent only for critical events.
The ones I considered critical: failed logon attempts on the domain controllers and failed logon attempts to the VPN service (PPTP on Windows). I also added this feature to the AD monitoring scripts, because several people have access to AD, and over time you can lose track of the actual state (at some point someone deleted, moved or added something and you are not aware of it). These messages are a way to learn about such changes in real time.
Searching for a solution
When I got the idea for this kind of alert (given that we have a fairly active Jabber service in our organization), the first thing I did was google "Powershell Jabber". The first link took me to the site of Xaerg, who is well known on the Microsoft Technet forums. What I saw there could not fail to please me: "Did you know that the NetCmdlets toolset, which includes cmdlets for working with a huge number of network protocols, is available for free for non-commercial use?", followed by a list of the available commands. "This is just what I need, and free too!!!" I thought, and was disappointed when I went to the developer's site for this cmdlet toolset: it turns out they have no free version, only a one-month trial, after which you have to request a key again. Only then did I notice the date of the article: 2008, far too old :(.
For the sake of experiment I downloaded the trial version and installed it on the server on which I wanted to use alerts. Installation went off without a hitch, and the new cmdlets became available immediately. Their syntax is quite simple and there were no problems sending messages. For a while I used this trial license, re-registering it once a month. But the feeling of using a trial version depressed me, and even more depressing was the need to register it every month on each server where it was installed. Since at that point there were a little under 30 servers in the infrastructure, the very thought of registering on all of them at least once a month horrified me.
When I had more free time, I decided to finish this idea. I needed a tool that allows sending messages over the XMPP protocol from PowerShell, and an important condition was the terms of use: it had to be free.
I started tormenting Google again, and my efforts were not in vain. One lucky click took me to the page of a utility that does exactly that: it lets you send messages over XMPP from the PS console.
I was especially pleased by the title of the page: "Project Hosting for Open Source Software", which made me think that this product is free to use, which is just what I need.
Audit of failed server logon attempts, with notification by e-mail and Jabber and writing to a log file.
```powershell
# Audit of failed logons (event 4625): read the newest event from the Security log,
# notify by Jabber and e-mail, and append a line to a log file.

$HostName = HostName

# Newest failed-logon event; parse its XML once and pull out the fields we report on
$Event = Get-WinEvent -FilterHashtable @{LogName="Security";ID=4625} -MaxEvents 1
$Data  = ([xml]$Event.ToXml()).Event.EventData.Data    # <Data Name="...">value</Data> elements
$Body  = New-Object PSObject -Property @{
    TimeCreated  = $Event.TimeCreated
    User         = ($Data | Where-Object {$_.Name -eq "TargetUserName"}  | ForEach-Object {$_.'#text'})
    ComputerName = ($Data | Where-Object {$_.Name -eq "WorkstationName"} | ForEach-Object {$_.'#text'})
    IPAddress    = ($Data | Where-Object {$_.Name -eq "IpAddress"}       | ForEach-Object {$_.'#text'})
}

# $BodyL - tab-separated line for the log file
$BodyL = "`n" + $Body.TimeCreated + "`t" + $Body.User + "`t" + $Body.ComputerName + "`t" + $Body.IPAddress

# $Body - multi-line message text for Jabber (field labels reconstructed in English)
$Body = "`nTime: " + $Body.TimeCreated + "`nUser: " + $Body.User + "`nSource computer: " + $Body.ComputerName + "`nIP address: " + $Body.IPAddress

# $Theme - subject line: what happened and on which host
$Theme = "Failed logon attempt on " + $HostName

# Jabber notification through the poshxmpp snap-in
# (New-Client leaves the connection in $PoshXmppClient, which Send-Message uses)
Add-PSSnapin poshxmpp
New-Client -JabberId AUDIT@domain.ru -Password PASSWORD
Send-Message admin@domain.ru "$Theme $Body"
$PoshXmppClient.Close()

# E-mail notification
$Subject  = "Failed logon attempt on " + $HostName
$Server   = "mail.domain.ru"   # SMTP server
$From     = "audit@domain.ru"  # sender
$To       = "admin@domain.ru"  # recipient
# Both passwords are stored in the script in clear text: restrict the script file's ACL
# to the account that runs the scheduled task.
$pass     = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force
$cred     = New-Object System.Management.Automation.PSCredential("AUDIT", $pass)
$encoding = [System.Text.Encoding]::UTF8
Send-MailMessage -From $From -To $To -SmtpServer $Server -Body "$Theme `n$Body" -Subject $Subject -Credential $cred -Encoding $encoding

# Append the line to the shared log file FaildConnect.txt (UNC path to the log share)
$BodyL | Out-File "\\ServerName\ServerLogFiles\ServerFaildConnect.txt" -Append
```
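The script above reports only who tried to log on and from where. Event 4625 also carries the logon type and an NTSTATUS pair (Status/SubStatus) that says why the logon failed, which is what separates a colleague's typo from someone guessing at accounts that do not exist. The function below is an added example and is not code from the original post: it parses the event XML once, decodes those fields and returns one object. The `Status`, `SubStatus` and `LogonType` values are the ones documented for event 4625; the sample event is constructed so that the function can be run offline. Note that the original script takes the newest 4625 with `-MaxEvents 1`, so during a burst of failures the event it reports may not be the one that fired the task; feeding the function the exact event XML avoids that.

```powershell
# Added example (not from the original post): decode a 4625 event in one pass.
function ConvertFrom-FailedLogonEvent {
    param(
        # An EventLogRecord from Get-WinEvent, or a string holding the event XML
        [Parameter(Mandatory, ValueFromPipeline)] $Event
    )
    process {
        $xml = if ($Event -is [string]) { [xml]$Event } else { [xml]$Event.ToXml() }

        # Collect <Data Name="...">value</Data> into a hashtable instead of
        # re-parsing the XML once per field.
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        # NTSTATUS codes that appear in the Status/SubStatus of event 4625
        $reasons = @{
            '0xc0000064' = 'user name does not exist'
            '0xc000006a' = 'wrong password'
            '0xc000006d' = 'bad user name or password (generic)'
            '0xc000006f' = 'logon outside permitted hours'
            '0xc0000070' = 'workstation restriction'
            '0xc0000071' = 'password expired'
            '0xc0000072' = 'account disabled'
            '0xc000015b' = 'logon type not granted to this account'
            '0xc0000193' = 'account expired'
            '0xc0000234' = 'account locked out'
        }
        $logonTypes = @{
            '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
            '7' = 'Unlock'; '8' = 'NetworkCleartext'; '9' = 'NewCredentials'
            '10' = 'RemoteInteractive (RDP)'; '11' = 'CachedInteractive'
        }

        # SubStatus carries the specific reason; it is 0x0 when Status already says it all
        $code = if ($d['SubStatus'] -and $d['SubStatus'] -ne '0x0') { $d['SubStatus'] } else { $d['Status'] }
        $code = ([string]$code).ToLower()
        $lt   = [string]$d['LogonType']

        [pscustomobject]@{
            TimeCreated  = [datetime]$xml.Event.System.TimeCreated.SystemTime
            User         = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            ComputerName = $d['WorkstationName']
            IPAddress    = $d['IpAddress']
            LogonType    = if ($logonTypes[$lt]) { $logonTypes[$lt] } else { $lt }
            Reason       = if ($reasons[$code]) { $reasons[$code] } else { "unknown status $code" }
        }
    }
}

# Constructed sample: a trimmed 4625 record in the shape Windows writes it
# (a network logon with a wrong password for DOMAIN\Administrator).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2014-03-10T08:15:42.123456700Z" />
    <Computer>DC01.domain.ru</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">WS-FINANCE</Data>
    <Data Name="IpAddress">10.0.5.17</Data>
  </EventData>
</Event>
'@

ConvertFrom-FailedLogonEvent $sample | Format-List

# On a real host the same function takes events straight from the log:
# Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 1 | ConvertFrom-FailedLogonEvent
```

The `Reason` field is the one worth putting in the Jabber message: a string of "user name does not exist" failures from one IP is an enumeration attempt, whereas repeated "wrong password" against one account is a guess at a real user, and "account locked out" tells you the guessing has already had an effect.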
As I wrote in the first part, for the script to run automatically it has to be placed in Task Scheduler with a trigger that launches it when an event with ID 4625 appears in the Security log.
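The same task can be created from PowerShell instead of clicking through the Task Scheduler GUI, which matters when it has to be rolled out to every domain controller. The block below is an added example, not part of the original post; it assumes the script is saved as `C:\Scripts\FailedLogonAlert.ps1` and names the task `FailedLogonAlert`. It uses the ScheduledTasks module (Windows 8 / Server 2012 and later) and must be run from an elevated shell.

```powershell
# Added example (not from the original post): register an "On an event" task for 4625.
$scriptPath = 'C:\Scripts\FailedLogonAlert.ps1'   # assumed location of the audit script

# Event trigger: the same XPath filter Event Viewer generates for "On an event"
$subscription = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4625)]]</Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger has no event trigger, so build one from the CIM class directly
$triggerClass = Get-CimClass -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_TaskEventTrigger
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = $subscription

# Run the script without a profile and without prompts, so nothing can block the task
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# Reading the Security log needs administrator (or Event Log Readers) rights;
# SYSTEM has them and needs no stored password
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# A burst of 4625 events fires the trigger repeatedly: queue instances instead of
# dropping them, and cap the runtime so a hung SMTP/XMPP connection cannot pile up
$settings = New-ScheduledTaskSettingsSet -MultipleInstances Queue -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName 'FailedLogonAlert' -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings -Force
```

Before relying on it, trigger a deliberate failed logon and check `Get-ScheduledTaskInfo -TaskName FailedLogonAlert` for the last run time and result; also confirm that `Add-PSSnapin poshxmpp` works in the same bitness of `powershell.exe` the task launches, since snap-ins are registered separately for 32- and 64-bit hosts.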
Recommendations.
I run exactly these scripts on the VPN server and on all domain controllers.
Now I always know, for example, when and who connects to the VPN, or when someone tries to guess a password for access to a server.
I also recommend hanging such a script on services that face the Internet, for example terminal (Remote Desktop) services.
Writing to a separate file lets you analyze connections later. The log can also be opened in a spreadsheet editor (MS Excel or OO Calc) and worked with as a table (sort, filter, etc.).
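The same analysis a spreadsheet gives you can be done in PowerShell directly against the tab-separated FaildConnect.txt, which is handy when the file has grown to tens of thousands of lines. The function below is an added example, not from the original post; it assumes the column order the script writes (time, user, source computer, IP) and that the file alternates blank and data lines because every record starts with a newline. The sample lines are constructed; point it at the real share to analyse the live log.

```powershell
# Added example (not from the original post): summarise FaildConnect.txt by source and target.
function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,   # raw lines of FaildConnect.txt
        [int] $Hours = 24,                          # look-back window
        [datetime] $Now = (Get-Date)
    )
    $since = $Now.AddHours(-$Hours)

    # Drop the blank lines the "`n" prefix produces. Times were written with the logging
    # host's culture format, so parse them with the current culture rather than a fixed one.
    $records = $Lines | Where-Object { $_.Trim() } |
        ConvertFrom-Csv -Delimiter "`t" -Header 'Time','User','ComputerName','IPAddress' |
        ForEach-Object { $_.Time = [datetime]::Parse($_.Time); $_ } |
        Where-Object { $_.Time -ge $since }

    # Many different users from one IP looks like password spraying; many attempts
    # against one user from anywhere looks like brute force of that account.
    $byIp = $records | Group-Object IPAddress | Sort-Object Count -Descending | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            IPAddress = $_.Name
            Attempts  = $_.Count
            Users     = ($_.Group.User | Sort-Object -Unique) -join ','
            First     = $times[0]
            Last      = $times[-1]
        }
    }
    $byUser = $records | Group-Object User | Sort-Object Count -Descending |
        Select-Object @{n='User';e={$_.Name}}, Count

    [pscustomobject]@{ Hours = $Hours; Total = @($records).Count; ByIP = $byIp; ByUser = $byUser }
}

# Constructed sample in the exact shape the audit script appends (blank line, then a record)
$sampleLines = @(
    ""
    "2014-03-10 08:15:42`tAdministrator`tWS-FINANCE`t10.0.5.17"
    ""
    "2014-03-10 08:15:44`tadmin`t-`t10.0.5.17"
    ""
    "2014-03-10 08:15:45`troot`t-`t10.0.5.17"
    ""
    "2014-03-10 09:02:11`tivanov`tWS-IVANOV`t10.0.3.44"
    ""
    "2014-03-09 07:00:00`tivanov`tWS-IVANOV`t10.0.3.44"   # outside the 24 h window below
)

$summary = Get-FailedLogonSummary -Lines $sampleLines -Hours 24 -Now ([datetime]'2014-03-10T12:00:00')
"Failed logons in the last $($summary.Hours) h: $($summary.Total)"
$summary.ByIP   | Format-Table -AutoSize   # 10.0.5.17 with three different users at the top
$summary.ByUser | Format-Table -AutoSize

# Live log:
# Get-FailedLogonSummary -Lines (Get-Content '\\ServerName\ServerLogFiles\ServerFaildConnect.txt') -Hours 24
```

The `Users` column is the quick tell: one address cycling through `Administrator`, `admin`, `root` within seconds is not a colleague mistyping a password, and that address is what you feed to the firewall rule or the VPN server's block list.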