Active Directory Audit

Version: Active Directory on Windows Server 2012, Windows Server 2012 R2, Windows Server 2008, Windows 8 and Windows 7.

Active Directory auditing covers the Windows default audit policy settings, the baseline recommended audit policy settings, and the more aggressive recommendations from Microsoft for workstation and server products. The SCM baseline recommendations shown here, along with the settings recommended to help detect compromise, are intended only as a starting baseline for administrators. Each organization must make its own decisions about the threats it faces, its acceptable risk tolerance, and which audit policy categories or subcategories it should enable.

Netsurion Open XDR monitors user logon behaviour, access point configuration changes, WLAN group management and service status and generates flex reports, flex dashboards and alerts for rogue access point detected and system state changed.

Netsurion Data Source Integration for Active Directory allows you to monitor the following components:

  • Security – Kerberos authentication operations and DPAPI activities.
  • Compliance – Account logon and management events.
  • Operation – Service changes/replication, process termination and RPC events.

Once Active Directory is configured to forward events to Netsurion Open XDR, the corresponding dashboards and reports can be configured in Netsurion Open XDR.

The following are the key Data Source Integrations available in Netsurion Open XDR.

Alerts

Type | Name | Description
Security | Active Directory-Audit Kerberos authentication | This alert is generated when a Kerberos authentication ticket is requested or the request fails.
Security | Active Directory-Audit DPAPI activity | This alert is generated when a backup or recovery of the data protection master key is attempted.
Operations | Active Directory-Audit detailed directory service replication | This alert is generated when an Active Directory replica source naming context is established, removed, modified or fails.
Compliance | Active Directory-Account management activities | This alert is generated when any account is created, deleted, changed, enabled or disabled in Windows Active Directory.
Compliance | Active Directory-Account logon events | This alert is generated on a successful logon, successful logoff, special-privileges logon or logon failure in Windows Active Directory.

Reports

Type | Name | Description
Security | Active Directory-Audit Kerberos authentication | This report provides details about all Kerberos authentication service operations.
Security | Active Directory-Audit Kerberos service ticket operations | This report provides details about all Kerberos service ticket operations, whether requested or renewed.
Security | Active Directory-Audit DPAPI activity | This report provides all audited DPAPI activity.
Operations | Active Directory-Audit RPC events | This report provides details about all RPC events that were attempted.
Operations | Active Directory-Audit process termination | This report provides details of all terminated or exited processes.
Operations | Active Directory-Audit directory service replication | This report provides all directory service replication details.
Operations | Active Directory-Audit detailed directory service replication | This report provides details about an Active Directory replica source naming context when it is established, removed, modified or fails.
Operations | Active Directory-Audit directory service changes | This report provides all directory configuration changes, such as a directory object being created, deleted, modified, moved or undeleted.
Compliance | Active Directory-Account management activities | This report provides details about any account that is created, deleted, changed, enabled or disabled in Windows Active Directory.
Compliance | Active Directory-Account logon events | This report provides details about all successful logons, successful logoffs, special-privileges logons and logon failures in Windows Active Directory.
Compliance | Active Directory-Audit other account logon events | This report provides details about all other account logon events.
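The alerts and reports above only have data to work with if the matching Windows advanced audit policy subcategories are enabled on the domain controllers that forward events. The following PowerShell script is an added example, not part of the Netsurion page or product: it reads the effective local audit policy with the built-in auditpol tool and reports which of the subcategories behind the Security, Compliance and Operation components are not producing events. The mapping from component to Windows subcategory name is an assumption based on the alert and report names in the tables; the subcategory names themselves are the standard English names used by auditpol.

```powershell
# Added example (not Netsurion's code): check that the audit subcategories
# feeding the Active Directory alerts and reports are enabled.
# Run in an elevated PowerShell session on each domain controller whose
# events are forwarded. Subcategory names are localized on non-English
# systems, so the table below assumes an English-language OS.

# Assumed mapping of Netsurion component -> Windows audit subcategory,
# derived from the alert/report names above (author's assumption).
$RequiredSubcategories = @{
    'Security'   = @('Kerberos Authentication Service',
                     'Kerberos Service Ticket Operations',
                     'DPAPI Activity')
    'Compliance' = @('User Account Management',
                     'Computer Account Management',
                     'Logon', 'Logoff', 'Special Logon',
                     'Other Account Logon Events')
    'Operation'  = @('Directory Service Changes',
                     'Directory Service Replication',
                     'Detailed Directory Service Replication',
                     'Process Termination',
                     'RPC Events')
}

function Get-EffectiveAuditPolicy {
    # 'auditpol /get /category:* /r' emits CSV with the columns:
    # Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting
    $lines = auditpol /get /category:* /r | Where-Object { $_ -match '\S' }
    $rows  = $lines | ConvertFrom-Csv
    $policy = @{}
    foreach ($r in $rows) {
        $policy[$r.Subcategory.Trim()] = $r.'Inclusion Setting'.Trim()
    }
    return $policy
}

function Test-AuditCoverage {
    param([hashtable]$Policy = (Get-EffectiveAuditPolicy))

    foreach ($component in $RequiredSubcategories.Keys) {
        foreach ($sub in $RequiredSubcategories[$component]) {
            $setting = if ($Policy.ContainsKey($sub)) { $Policy[$sub] } else { 'Not found' }
            [pscustomobject]@{
                Component   = $component
                Subcategory = $sub
                Setting     = $setting
                # 'No Auditing' (or a name auditpol does not know) means the
                # alerts and reports for this subcategory will stay empty.
                # Whether Success, Failure or both is required is the
                # organization's decision, as the baseline text above says.
                Covered     = ($setting -ne 'No Auditing' -and $setting -ne 'Not found')
            }
        }
    }
}

# Print the gaps first so they are easy to spot.
Test-AuditCoverage |
    Sort-Object Covered, Component, Subcategory |
    Format-Table Component, Subcategory, Setting, Covered -AutoSize
```

A subcategory reported as Not covered can be enabled locally with, for example, `auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable`, though on domain-joined servers the setting should be applied through Group Policy so it is not overwritten at the next policy refresh. Note also that if the legacy category-level audit policy is still in force, the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option must be enabled for the subcategory settings checked here to take effect.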

Documentation

The configuration details are consistent with Netsurion Open XDR 7.x or later, Active Directory Windows Server 2012, Windows Server 2012 R2, Windows Server 2008, Windows 8 and Windows 7.

Download the Integration Guide for configuration instructions and more information.