AD CS Health and Monitoring
Macros used
| Name | Value |
|---|---|
| {$CSDB_PATH} | c:\windows\System32\CertLog |
Items collected
| Name | Description | Type | Interval | Key and additional info |
|---|---|---|---|---|
| Certificate Services Events | Any Warning, Error or Critical event written by the Microsoft-Windows-CertificationAuthority source (catch-all for CA problems not covered by the specific event IDs below). | ZABBIX_ACTIVE | 5m | eventlog[Application,,,"Warning|Error|Critical","Microsoft-Windows-CertificationAuthority"] |
| CertificationAuthority (ID15) | Active Directory Certificate Services did not start: Version does not match certif.dll. | ZABBIX_ACTIVE | 5m | eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^15$] |
| CertificationAuthority (ID55) | Active Directory Certificate Services unrevoked the certificate for request %1 for %2. | ZABBIX_ACTIVE | 5m | eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^55$] |
| CertificationAuthority (ID60) | Active Directory Certificate Services refused to process an extremely long request from %1. This may indicate a denial-of-service attack. If the request was rejected in error, modify the MaxIncomingMessageSize registry parameter via certutil -setreg CA\MaxIncomingMessageSize <bytes>. Unless verbose logging is enabled, this error will not be logged again for 20 minutes. | ZABBIX_ACTIVE | 5m | eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^60$] |
| CertificationAuthority (ID95) | Security permissions are corrupted or missing. The Active Directory Certificate Services may need to be reinstalled. | ZABBIX_ACTIVE | 5m | eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^95$] |
| Windows Security (ID4657) | A registry value was modified. Only logged when Object Access > Audit Registry is enabled and the CertSvc configuration key carries a SACL; the registry-based triggers below depend on it. | ZABBIX_ACTIVE | 30s | eventlog[Security,,,,^4657$] |
| Windows Security (ID4868) | The certificate manager denied a pending certificate request. | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4868$] |
| Windows Security (ID4870) | Certificate Services revoked a certificate. | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4870$] |
| Windows Security (ID4873) | A certificate request extension changed. Request ID: %1 Name: %2 Type: %3 Flags: %4 Data: %5 | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4873$] |
| Windows Security (ID4874) | One or more certificate request attributes changed. Request ID: %1 Attributes: %2 | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4874$] |
| Windows Security (ID4882) | The security permissions for Certificate Services changed. | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4882$] |
| Windows Security (ID4883) | Certificate Services retrieved an archived key. Request ID: %1 | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4883$] |
| Windows Security (ID4885) | The audit filter for Certificate Services changed. | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4885$] |
| Windows Security (ID4887) | Certificate Services approved a certificate request and issued a certificate. Request ID: %1 Requester: %2 Attributes: %3 Disposition: %4 SKI: %5 Subject: %6 | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4887$] |
| Windows Security (ID4888) | Certificate Services denied a certificate request. Request ID: %1 Requester: %2 Attributes: %3 Disposition: %4 SKI: %5 Subject: %6 | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4888$] |
| Windows Security (ID4890) | The certificate manager settings for Certificate Services changed. | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4890$] |
| Windows Security (ID4891) | A configuration entry changed in Certificate Services. Node: %1 Entry: %2 Value: %3 | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4891$] |
| Windows Security (ID4892) | A property of Certificate Services changed. | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4892$] |
| Windows Security (ID4896) | One or more rows have been deleted from the certificate database. | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4896$] |
| Windows Security (ID4897) | Role separation enabled: %1 | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4897$] |
| Windows Security (ID4898) | Certificate Services loaded a template. %1 v%2 (Schema V%3) %4 %5 Template Information: Template Content: %7 Security Descriptor: %8 Additional Information: Domain Controller: %6 | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4898$] |
| Windows Security (ID4899) | A Certificate Services template was updated. %1 v%2 (Schema V%3) %4 %5 Template Change Information: Old Template Content: %8 New Template Content: %7 Additional Information: Domain Controller: %6 | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4899$] |
| Windows Security (ID4900) | Certificate Services template security was updated. %1 v%2 (Schema V%3) %4 %5 Template Change Information: Old Template Content: %9 New Template Content: %7 Old Security Descriptor: %10 New Security Descriptor: %8 Additional Information: Domain Controller: %6 | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^4900$] |
| Windows Security (ID5120) | OCSP Responder Service Started | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^5120$] |
| Windows Security (ID5121) | OCSP Responder Service Stopped | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^5121$] |
| Windows Security (ID5122) | A configuration entry changed in OCSP Responder Service | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^5122$] |
| Windows Security (ID5123) | A configuration entry changed in OCSP Responder Service | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^5123$] |
| Windows Security (ID5124) | A security setting was updated on the OCSP Responder Service. | ZABBIX_ACTIVE | 5m | eventlog[Security,,,,^5124$] |
| Failed Requests/sec | This monitor returns the number of failed certificate requests processed per second. | - | - | perf_counter_en[\Certification Authority(_Total)\Failed Requests/sec] |
| Pending Requests/sec | This monitor returns the number of pending certificate requests processed per second. | - | - | perf_counter_en[\Certification Authority(_Total)\Pending Requests/sec] |
| Requests/sec | This monitor returns the number of certificate requests processed per second. | - | - | perf_counter_en[\Certification Authority(_Total)\Requests/sec] |
| Retrievals/sec | This monitor returns the number of certificate retrieval requests processed per second. | - | - | perf_counter_en[\Certification Authority(_Total)\Retrievals/sec] |
| State of service "certsvc" (Certificate Services) | - | - | - | service.info[certsvc,state] |
| CertDB Size | Total size of the CA database directory ({$CSDB_PATH}); sudden growth or shrinkage hints at mass issuance or row deletion. | - | 24h | vfs.dir.size["{$CSDB_PATH}"] |
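Every Security-log item in this table is silent unless auditing is switched on both in the CA (the AuditFilter registry value) and in the advanced audit policy, and the ID4657 item additionally needs a SACL on the CertSvc configuration key. The following script is an added example, not part of the template, that checks those prerequisites on the CA host. It assumes it runs elevated, that the registry layout is the standard one under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, and that `auditpol` prints its English setting names; the function and variable names are the example's own.

```powershell
# Added example (not part of the template): verify the audit prerequisites for
# the Security-log items. Run elevated on the CA host.
function Test-CaAuditPrerequisites {
    $cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active   # name of the active CA
    $caKey   = Join-Path $cfgRoot $caName
    $findings = @()

    # 1. CA-side audit filter: events 4868-4900 are emitted only for the
    #    categories enabled in AuditFilter; 127 (0x7F) enables all seven.
    $auditFilter = (Get-ItemProperty -Path $caKey -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter
    if (-not $auditFilter -or (($auditFilter -band 0x7F) -ne 0x7F)) {
        $findings += "CA\AuditFilter is '$auditFilter'; fix with: certutil -setreg CA\AuditFilter 127, then restart certsvc"
    }

    # 2. Advanced audit policy: AuditFilter alone writes nothing unless the
    #    'Certification Services' subcategory is enabled (assumes English output).
    $csPol = (auditpol /get /subcategory:"Certification Services" 2>&1) | Out-String
    if ($csPol -notmatch 'Success and Failure') {
        $findings += 'Audit Certification Services is not Success and Failure; fix with: auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable'
    }

    # 3. Registry change auditing (ID4657): needs the 'Registry' subcategory
    #    plus a Success SACL covering SetValue on the CA configuration key.
    $regPol = (auditpol /get /subcategory:"Registry" 2>&1) | Out-String
    if ($regPol -notmatch 'Success') {
        $findings += 'Audit Registry subcategory has no Success auditing; 4657 will never be logged'
    }
    $sacl = (Get-Acl -Path $caKey -Audit).Audit
    $setValueAudited = $sacl | Where-Object {
        $_.AuditFlags.ToString() -match 'Success' -and
        $_.RegistryRights.ToString() -match 'SetValue|FullControl'
    }
    if (-not $setValueAudited) {
        $findings += "No Success SACL for SetValue on $caKey; configuration changes will not produce 4657"
    }

    # Return the findings; an empty list means the items above can actually fire.
    return $findings
}

$result = Test-CaAuditPrerequisites
if ($result.Count -eq 0) { 'All audit prerequisites for the AD CS template are in place.' }
else { $result | ForEach-Object { "MISSING: $_" } }
```

Run it once after deploying the template and again after any CA maintenance: a CA that has been reinstalled or restored from backup commonly comes back with AuditFilter at 0, and the items then report "no data" while looking healthy.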
Triggers
| Name | Description | Expression | Priority | Dependencies |
|---|---|---|---|---|
| AD CS did not start: Version does not match certif.dll. | - | logseverity(/AD CS Health and Monitoring/eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^15$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^15$],600s)=0 | HIGH ⛔ | CertificationAuthority (ID15) |
| AD CS unrevoked the certificate for request | - | logseverity(/AD CS Health and Monitoring/eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^55$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^55$],600s)=0 | WARNING 📢 | CertificationAuthority (ID55) |
| AD CS refused to process an extremely long request. | - | logseverity(/AD CS Health and Monitoring/eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^60$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^60$],600s)=0 | HIGH ⛔ | CertificationAuthority (ID60) |
| Security permissions are corrupted or missing. | - | logseverity(/AD CS Health and Monitoring/eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^95$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Application,,,"Microsoft-Windows-CertificationAuthority",^95$],600s)=0 | HIGH ⛔ | CertificationAuthority (ID95) |
| EKUOIDsForPublishExpiredCertInCRL changed (Registry) | This value controls which certificate types (by EKU OID) stay on the CRL after the certificate itself expires. An attacker could remove a type such as Code Signing so that a previously revoked certificate used to sign malware validates again after the next CRL publication. This value is not changed during normal CA operation. | count(/AD CS Health and Monitoring/eventlog[Security,,,,^4657$],90s,"like","EKUOIDsForPublishExpiredCertInCRL")=1 | HIGH ⛔ | Windows Security (ID4657) |
| RoleSeparationEnabled changed (Registry) | Role separation lets a CA enforce that each user holds only one role on the system (CA Administrator, Certificate Manager, local administrator, Auditor). A local administrator can always disable role separation, which may let an account that should not hold a right become eligible for it. | count(/AD CS Health and Monitoring/eventlog[Security,,,,^4657$],90s,"like","RoleSeparationEnabled")=1 | HIGH ⛔ | Windows Security (ID4657) |
| The audit filter for Certificate Services changed (Registry) | The audit filter controls which Windows Security Auditing events the CA writes. Changing it may indicate an attacker disabling logging before performing a certificate operation. Normally the audit filter is configured when the CA is created and not changed afterwards. | count(/AD CS Health and Monitoring/eventlog[Security,,,,^4657$],90s,"like","AuditFilter")=1 | HIGH ⛔ | Windows Security (ID4657) |
| EditFlags changed; check for EDITF_ATTRIBUTESUBJECTALTNAME2 (Registry) | Alert if the new value enables EDITF_ATTRIBUTESUBJECTALTNAME2. Take the number in the event's "New Value" field and bitwise AND it with 262144 (0x40000, the EDITF_ATTRIBUTESUBJECTALTNAME2 bit); a non-zero result means the flag is set. With this flag, any requester can supply an arbitrary subject alternative name in the request attributes, regardless of template, so a user can obtain a certificate for another principal. | count(/AD CS Health and Monitoring/eventlog[Security,,,,^4657$],90s,"like","EditFlags")=1 | AVERAGE ⚠ | Windows Security (ID4657) |
| The active policy module changed (Registry) | Indicates a change to the active policy module used by the CA (the PolicyModules\Active value). The policy module controls certificate issuance and is changed very infrequently in normal operation. | count(/AD CS Health and Monitoring/eventlog[Security,,,,^4657$],90s,"like","Active")=1 | HIGH ⛔ | Windows Security (ID4657) |
| A value under PolicyModules changed (Registry) | Indicates a change under the PolicyModules key, where the active policy module and its settings live. The policy module controls certificate issuance and is changed very infrequently in normal operation. | count(/AD CS Health and Monitoring/eventlog[Security,,,,^4657$],90s,"like","PolicyModules")=1 | HIGH ⛔ | Windows Security (ID4657) |
| The security permissions for Certificate Services changed (Registry) | Indicates a change to the Security value of the CA configuration, which holds the CA's security descriptor (who may manage the CA, issue and manage certificates, or request certificates). This is changed rarely in normal operation; an unexpected change may be an attacker granting themselves issuance or management rights. | count(/AD CS Health and Monitoring/eventlog[Security,,,,^4657$],90s,"like","Object Value Name: Security")=1 | HIGH ⛔ | Windows Security (ID4657) |
| KRACertHash changed (Registry) | This changes rarely in normal operation. An attacker who controls a valid KRA certificate could assign it to the CA and then recover any private keys archived on the CA from that point on. | count(/AD CS Health and Monitoring/eventlog[Security,,,,^4657$],90s,"like","KRACertHash")=1 | WARNING 📢 | Windows Security (ID4657) |
| The certificate manager denied a pending certificate request. | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4868$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4868$],600s)=0 | WARNING 📢 | Windows Security (ID4868) |
| Certificate Services revoked a certificate. | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4870$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4870$],600s)=0 | WARNING 📢 | Windows Security (ID4870) |
| A certificate request extension changed. | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4873$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4873$],600s)=0 | WARNING 📢 | Windows Security (ID4873) |
| One or more certificate request attributes changed. | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4874$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4874$],600s)=0 | WARNING 📢 | Windows Security (ID4874) |
| The security permissions for Certificate Services changed. | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4882$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4882$],600s)=0 | HIGH ⛔ | Windows Security (ID4882) |
| Certificate Services retrieved an archived key. | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4883$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4883$],600s)=0 | WARNING 📢 | Windows Security (ID4883) |
| The audit filter for Certificate Services changed. | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4885$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4885$],600s)=0 | HIGH ⛔ | Windows Security (ID4885) |
| Certificate Services approved a certificate request and issued a certificate. | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4887$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4887$],600s)=0 | WARNING 📢 | Windows Security (ID4887) |
| Certificate Services denied a certificate request. | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4888$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4888$],600s)=0 | WARNING 📢 | Windows Security (ID4888) |
| The certificate manager settings for Certificate Services changed. | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4890$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4890$],600s)=0 | WARNING 📢 | Windows Security (ID4890) |
| A configuration entry changed in Certificate Services. | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4891$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4891$],600s)=0 | WARNING 📢 | Windows Security (ID4891) |
| A property of Certificate Services changed. | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4892$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4892$],600s)=0 | WARNING 📢 | Windows Security (ID4892) |
| One or more rows have been deleted from the certificate database. | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4896$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4896$],600s)=0 | WARNING 📢 | Windows Security (ID4896) |
| Role separation enabled | If role separation is in use, this alerts when the expected configuration changes. | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4897$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4897$],600s)=0 | WARNING 📢 | Windows Security (ID4897) |
| Certificate Services loaded a template. | Alert if templates that are not expected on a CA are loaded. | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4898$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4898$],600s)=0 | WARNING 📢 | Windows Security (ID4898) |
| A Certificate Services template was updated. | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4899$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4899$],600s)=0 | WARNING 📢 | Windows Security (ID4899) |
| Certificate Services template security was updated. | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^4900$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^4900$],600s)=0 | WARNING 📢 | Windows Security (ID4900) |
| OCSP Responder Service Started | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^5120$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^5120$],600s)=0 | WARNING 📢 | Windows Security (ID5120) |
| OCSP Responder Service Stopped | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^5121$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^5121$],600s)=0 | WARNING 📢 | Windows Security (ID5121) |
| A configuration entry changed in OCSP Responder Service | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^5122$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^5122$],600s)=0 | WARNING 📢 | Windows Security (ID5122) |
| A configuration entry changed in OCSP Responder Service | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^5123$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^5123$],600s)=0 | WARNING 📢 | Windows Security (ID5123) |
| A security setting was updated on the OCSP Responder Service. | - | logseverity(/AD CS Health and Monitoring/eventlog[Security,,,,^5124$])>1 and nodata(/AD CS Health and Monitoring/eventlog[Security,,,,^5124$],600s)=0 | HIGH ⛔ | Windows Security (ID5124) |
| "Certsvc" (Certificate Services) is not running | The service has had a state other than "Running" for the last three checks. | min(/AD CS Health and Monitoring/service.info[certsvc,state],#3)<>0 | AVERAGE ⚠ | State of service "certsvc" (Certificate Services) |
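The registry-based triggers above only tell you that a watched value changed; deciding whether the new state is dangerous (the EditFlags bitwise AND, a new KRA hash, a non-default policy module) still needs the current values. The script below is an added example, not part of the template, that snapshots those values from the CA's registry and applies the checks the trigger descriptions ask for, including decoding a 4657 "New Value" number. It assumes the standard CertSvc registry layout, an elevated session on the CA host, and that 4657 reports a REG_DWORD as a decimal number (it also accepts a 0x-prefixed string); the function names and the sample values at the end are the example's own and constructed, not captured from a real CA.

```powershell
# Added example (not part of the template): baseline the CA values behind the
# ID4657 triggers and apply the checks their descriptions describe.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000   # 262144 decimal

function Test-SanFlag {
    # Returns $true when EDITF_ATTRIBUTESUBJECTALTNAME2 is set in an EditFlags
    # value, whether passed as a number, a decimal string from a 4657 "New Value"
    # field, or a 0x-prefixed hex string (the hex form is an assumption).
    param([Parameter(Mandatory)] $Value)
    $n = if ($Value -is [string] -and $Value -match '^0x') { [Convert]::ToInt64($Value, 16) }
         else { [int64]$Value }
    return (($n -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
}

function Get-CaPolicyBaseline {
    # Reads the values the registry triggers watch and returns one object.
    $cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
    $caKey   = Join-Path $cfgRoot $caName
    $ca      = Get-ItemProperty -Path $caKey
    $policy  = (Get-ItemProperty -Path (Join-Path $caKey 'PolicyModules') -Name Active).Active
    $flags   = (Get-ItemProperty -Path (Join-Path $caKey "PolicyModules\$policy") -Name EditFlags).EditFlags

    [pscustomobject]@{
        CA                    = $caName
        PolicyModule          = $policy
        EditFlags             = ('0x{0:X}' -f $flags)
        SanFromRequestAllowed = Test-SanFlag $flags
        RoleSeparationEnabled = [bool]$ca.RoleSeparationEnabled
        AuditFilter           = $ca.AuditFilter
        KRACertHash           = @($ca.KRACertHash)
        ExpiredCertEkusInCrl  = @($ca.EKUOIDsForPublishExpiredCertInCRL)
    }
}

function Get-CaPolicyFindings {
    # Turns the baseline into the same judgements the trigger descriptions call for.
    param([Parameter(Mandatory)] $Baseline)
    $f = @()
    if ($Baseline.SanFromRequestAllowed) {
        $f += "EditFlags $($Baseline.EditFlags) has EDITF_ATTRIBUTESUBJECTALTNAME2 set: any requester may choose the SAN"
    }
    if ($Baseline.PolicyModule -ne 'CertificateAuthority_MicrosoftDefault.Policy') {
        $f += "Non-default policy module in use: $($Baseline.PolicyModule)"
    }
    if ($Baseline.KRACertHash.Count -gt 0) {
        $f += "Key archival is configured with $($Baseline.KRACertHash.Count) KRA certificate(s); confirm each hash is expected"
    }
    if (-not $Baseline.RoleSeparationEnabled) { $f += 'Role separation is disabled' }
    return $f
}

# Decoding constructed 4657 "New Value" samples: 1114446 is 0x11014E, the usual
# enterprise-CA default; 1376590 is 0x15014E, the same value with the SAN bit added.
Test-SanFlag '1114446'   # False
Test-SanFlag '1376590'   # True

# Live snapshot on the CA host (requires elevation):
$baseline = Get-CaPolicyBaseline
$baseline | Format-List
Get-CaPolicyFindings -Baseline $baseline | ForEach-Object { "FINDING: $_" }
```

Keep the output of `Get-CaPolicyBaseline` with the CA's build documentation; when one of the registry triggers fires, compare the event's "New Value" against that saved baseline rather than against the live registry, which an attacker may already have changed back. Note also that every registry trigger uses `count(...)=1` over 90 seconds, so two matching 4657 events inside one window (a change and an immediate revert, for instance) do not raise the trigger; if that gap matters in your environment, consider `>=1`.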