detection.wiki

Microsoft-Windows-Security-Auditing › Event 4929

Event ID 4929 — An Active Directory replica source naming context was removed.

Provider
Microsoft-Windows-Security-Auditing
Channel
Security
Audit Policy
DS Access → Detailed Directory Service Replication
Collection Priority
Recommended (ASD, others)
Opcode
Info

Description

An Active Directory replica source naming context was removed.

Message #

An Active Directory replica source naming context was removed.

Destination DRA: %1
Source DRA: %2
Source Address: %3
Naming Context: %4
Options: %5
Status Code: %6

Fields #

NameDescription
Destination_DRA
Source_DRA
Source_Address
Naming_Context
Options UInt64Options
Status_Code

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4929,
    "version": 1,
    "level": 0,
    "task": 14083,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2021-04-27T11:04:45.557748Z",
    "event_record_id": 138520244,
    "correlation": {
      "#attributes": {
        "ActivityID": "9816F041-2BBE-0000-53F0-1698BE2BD701"
      }
    },
    "execution": {
      "process_id": 548,
      "thread_id": 5276
    },
    "channel": "Security",
    "computer": "rootdc1.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DestinationDRA": "CN=NTDS Settings,CN=ROOTDC1,CN=Servers,CN=OFFSEC-PREMISE,CN=Sites,CN=Configuration,DC=offsec,DC=lan",
    "SourceDRA": "-",
    "SourceAddr": "jump01.offsec.lan",
    "NamingContext": "DC=offsec,DC=lan",
    "Options": 16,
    "StatusCode": 8452
  }
}

References #