Active Directory Audit Integration

Active Directory Audit

Version: Active Directory Windows Server 2012,Windows Server 2012 R2,Windows Server 2008,Windows 8 and Windows 7.

Active Directory addresses the Windows default audit policy settings, baseline recommended audit policy settings, and the more aggressive recommendations from Microsoft, for workstation and server products.The SCM baseline recommendations shown here, along with the settings recommend to help detect compromise, are intended only to be a starting baseline guide to administrators. Each organization must make its own decisions regarding the threats they face, their acceptable risk tolerances, and what audit policy categories or subcategories they should enable.

Netsurion's Open XDR platform monitors user logon behaviour, access point configuration changes, WLAN group management and service status and generates flex reports, flex dashboards and alerts for rogue access point detected and system state changed.

Netsurion Data Source Integration for Active Directory allows you to monitor the following components:-

Security - Kerberos authentication operations and DPAPI activities.
Compliance - Account logon and management events.
Operation - Service changes/replication, process termination and RPC events.

After the Active Directory is configured to deliver events to the Netsurion's Open XDR platform, the dashboards and reports can be configured into Netsurion's Open XDR platform.

Some of the Data Source Integrations available in Netsurion are listed below.

Alerts

Type	Name	Description
Security	Active Directory-Audit Kerberos authentication	This alert is generated when a Kerberos authentication ticket is requested or failed.
Security	Active Directory-Audit DPAPI activity	This alert is generated when backup or recovery of data protection master key is attempted.
Operations	Active Directory-Audit detailed directory service replication	This alert is generated when an Active Directory replica source naming context was established, removed, modified or failed.
Compliance	Active Directory-Account management activities	This alert is generated when any account is created, deleted, changed, enabled or disabled in Windows Active Directory.
Compliance	Active Directory-Account logon events	This alert is generated when any successful logon, successful log off, special privileges logon or Logon failures done in Windows Active Directory.

Reports

Type	Name	Description
Security	Active Directory-Audit Kerberos authentication	This report provides details about all the Kerberos authentication services.
Security	Active Directory-Audit Kerberos service ticket operations	This report provides details about all the Kerberos service ticket operations, whether it was requested or renewed.
Security	Active Directory-Audit DPAPI activity	This report provides all Audit DPAPI protocol activity.
Operations	Active Directory-Audit RPC events	This report provides details about all the RPC events that was attempted.
Operations	Active Directory-Audit process termination	This report provides all the terminated or exited process details.
Operations	Active Directory-Audit directory service replication	This report provides all the directory service replication details.
Operations	Active Directory-Audit detailed directory service replication	This report provides the details about an Active Directory replica source naming context if it is established, removed, modified or failed.
Operations	Active Directory-Audit directory service changes	This report provides all the directory configuration changes such as a directory being created, deleted, modified, moved or undeleted.
Compliance	Active Directory-Account management activities	This report provides all the details about an account if it is created, deleted, changed, enabled or disabled in Windows Active Directory.
Compliance	Active Directory-Account logon events	This report provides details about all the successful logon, successful log off, special privileges logon and Logon failures done in Windows Active Directory.
Compliance	Active Directory-Audit other account logon events	This report provides details about all the account logon events.

Documentation

The configuration details are consistent with Netsurion's Open XDR platform version 7.x or later, Active Directory Windows Server 2012, Windows Server 2012 R2, Windows Server 2008, Windows 8 and Windows 7.

Download Integration Guide for more information.