Windows Security Log Event ID 4928
4928: An Active Directory replica source naming context was established
On this page
Directory Service replication has little to no security relevance. I recommend disabling these 2 subcategories:
Directory Service Replication
Detailed Directory Service Replication
Since DCSync and DCShadow have come out I've changed my mind about the above statement. Check out this webinar AD Attack Deep Dive: Gaining Persistence using DCSync and DCShadow with Mimikatz
Free Security Log Resources by Randy
Supercharger Enterprise
Load Balancing for Windows Event Collection
An Active Directory replica source naming context was established.
Destination DRA: CN=NTDS Settings,CN=WIN-R9H529RIO4Y,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme-fr,DC=local
Source DRA: CN=NTDS Settings,CN=WIN-857ZZX6RQHL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme-fr,DC=local
Source Address: 0b63afed-1e41-43a3-8bc2-f33dc33942ea._msdcs.acme-fr.local
Naming Context: DC=acme-fr,DC=local
Options: 352
Status Code: 0
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection