What is AD Audit?

Active Directory Auditing in short.

This is a syncing process that starts from the probe agent action menu and syncs Active Directory data every 15 minutes. It includes data for AD Users, AD Computers, AD OUs, and AD Groups.

Alerts are triggered by taking the data from AD Audit and mapping it against the AD Audit Event Set group.


AD Audit Event Set Group, as shown below.

NOTE: AD Audit is only supported on a ‘Domain Controller’ where Active Directory Services and Role(s) are installed.

NOTE: The AD Audit Event Set alerts are available for any integration that supports the Event Set options. You must be inside one of the integration tiles to see the ‘Event Set’ section:


...


...

Active Directory - AD Audit - Overview

Note
  1. Enabling AD Audit requires an agent to be installed directly on the domain controller(s). You can use the LWA or Probe agent for the AD Audit scan.

  2. You must enable Audit Events in Active Directory to use the AD Audit function in ConnectSecure.

See https://cybercns.atlassian.net/wiki/spaces/CVB/pages/2103410704/V4+Scan+Types#Active-Directory-Scan for complete information on getting this enabled.

The AD Audit dashboard will not populate until Activate AD Audit is executed. To do so, click on the Action menu from any installed agent (probe or LWA).

...

and tap the Activate AD Audit:

...

Tap on the Activate AD Audit option to start the syncing, which occurs every 15 minutes.

...

Info

Activate AD: This activates the Active Directory scan on the agent. Data is published to the Active Directory and AD Summary panels.

Deactivate AD: This will turn off the Active Directory scanning from the agent.

Activate AD Audit: This will activate the Active Directory scan every 15 minutes. Data is published to the AD Audit, Problems, Active Directory, and AD Summary sections.

Deactivate AD Audit: This will stop the 15-minute scan and stop populating AD Audit data.

...

AD Audit presents a dashboard with metrics for Event Stats, User Stats, and Enabled/Disabled Users.

...

Active Directory - AD Audit - Details

Event Stats

This graph contains the following data points:

  • A directory service object was created (Success)

  • A group service object was modified (Success)

  • A logon was attempted using explicit credentials (Success)

  • A security-enabled local group was deleted

  • A session was disconnected from a Windows Station (Success)

  • A session was reconnected from a Windows Station (Success)

  • An attempt was made to reset an account password

  • Login Failure

  • Login Success

  • The workstation was locked (Success)

  • The workstation was unlocked (Success)

  • User Account was created

  • User Account was enabled
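
Because the dashboard only shows events that the domain controller actually logs, the following check counts each Event Stats data point in the Security log over the last 24 hours. It is an added example, not ConnectSecure code. The event ID mapping is an assumption based on the standard Windows Security event IDs, since the page does not list IDs.

```powershell
# Run in an elevated PowerShell session on the domain controller.
# Assumed mapping: standard Windows Security event IDs for the data points above.
$eventMap = @{
    5137 = 'A directory service object was created'
    5136 = 'A directory service object was modified'  # page wording: "group service object"
    4648 = 'A logon was attempted using explicit credentials'
    4734 = 'A security-enabled local group was deleted'
    4779 = 'A session was disconnected from a Window Station'
    4778 = 'A session was reconnected to a Window Station'
    4724 = 'An attempt was made to reset an account password'
    4625 = 'Login Failure'
    4624 = 'Login Success'
    4800 = 'The workstation was locked'
    4801 = 'The workstation was unlocked'
    4720 = 'User Account was created'
    4722 = 'User Account was enabled'
}

# Pull only the mapped IDs from the Security log for the chosen window.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]@($eventMap.Keys)
    StartTime = $since
} -ErrorAction SilentlyContinue   # suppresses the "no events found" error

# Tally events per ID.
$counts = @{}
$events | Group-Object Id | ForEach-Object { $counts[[int]$_.Name] = $_.Count }

# Report every mapped ID, including those with no events in the window.
$eventMap.Keys | Sort-Object | ForEach-Object {
    [pscustomobject]@{
        EventId = $_
        Name    = $eventMap[$_]
        Count   = [int]$counts[$_]
        Status  = if ($counts[$_]) { 'logged' } else { 'none seen - check audit policy' }
    }
} | Format-Table -AutoSize

# Effective audit policy: shows which subcategories are set to log Success/Failure.
auditpol /get /category:*
```

A zero count means either that no such activity occurred in the window or that the matching audit subcategory is not enabled, so compare the table against the `auditpol` output before concluding that auditing is misconfigured.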

...

User Stats

This graph contains the user account data points based on activity.

...

Enabled and Disabled Users

This graph shows the percentage of disabled versus enabled users.

...

AD User Audit

This section contains the following data fields:

  • Event Name

  • Event ID

  • Target User Name

  • Target Domain Name

  • Session Name

  • Client Name

  • Client Address

  • Computer Name

  • Channel

  • Provider Name

...

AD Computer Audit

This section contains the following data fields:

  • Event Name

  • Event ID

  • Target User Name

  • Target Domain Name

  • Session Name

  • Client Name

  • Client Address

  • Computer Name

  • Channel

  • Provider Name

...

AD OU Audit

This section contains the following data fields:

  • Event Name

  • Event ID

  • Target User Name

  • Target Domain Name

  • Session Name

  • Client Name

  • Client Address

  • Computer Name

  • Channel

  • Provider Name

...

AD Group Audit

This section contains the following data fields:

  • Event Name

  • Event ID

  • Target User Name

  • Target Domain Name

  • Session Name

  • Client Name

  • Client Address

  • Computer Name

  • Channel

  • Provider Name

...

Active Directory - AD Audit - Action Toolbar Overview

The standard Alerts are available from the side toolbar.

...

...

Need Support?

Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.

...