AD Audit
- Ryan Seymour
What is AD Audit?
Active Directory Auditing in short.
This syncing process starts from the agent action menu and syncs Active Directory data every 15 minutes. It includes data for AD Users, Computers, OUs, and Groups.
We are triggering Alerts by taking the data from AD Audit and mapping this against the AD Audit Event Set Group, as shown below.
NOTE: AD Audit is only supported on a ‘Domain Controller’ where Active Directory Services and Role(s) are installed.
NOTE: The AD Audit Event Set alerts are available for any integration that supports the Event Set options. You must be inside one of the integration tiles to see the ‘Event Set’ section:
Active Directory - AD Audit - Table of Contents
Active Directory - AD Audit - Overview
Enable AD Audit requires an agent to be installed directly on the domain controller(s). You can use the LWA or Probe agent for the AD Audit scan.
You must enable Audit Events in Active Directory to use the AD Audit function in ConnectSecure
See Scan Types | Active Directory Scan for complete information on getting this enabled.
The AD Audit dashboard will not populate until the Active AD Audit is executed. To do so, click on the Action menu from any installed agent (probe or LWA) and tap the Activate AD Audit:
Tap on the Activate AD Audit option to start the syncing, which occurs every 15 minutes.
The syncing process can be stopped by using the Deactivate AD Audit option.
Activate AD: This activates the Active Directory scan on the agent. Data is published to the Active Directory and AD Summary panels.
Deactivate AD: This will turn off the Active Directory scanning from the agent.
Activate AD Audit: This will activate the Active Directory scan every 15 minutes. Data is published in the AD Audit, Problems, Active Directory, and AD Summary sections.
Deactivate AD Audit: This will stop the 15 minute scan and stop populating AD Audit data.
Tap the AD Audit option under Active Directory to access the dashboard and data panels.
AD Audit presents a dashboard with metrics for Event Stats, User Stats, and Enabled/Disabled Users.
Active Directory - AD Audit - Details
Event Stats
This graph contains the following data points:
A directory service object was created (Success)
A group service object was modified (Success)
A logon was attempted using explicit credentials (Success)
A security-enabled local group was deleted
A session was disconnected from a Windows Station (Success)
A session was reconnected from a Windows Station (Success)
An attempt was made to reset an account password
Login Failure
Login Success
The workstation was locked (Success)
The workstation was unlocked (Success)
User Account was created
User Account was enabled
User Stats
This graph contains the user account data points based on activity.
Enabled and Disabled Users
This graph shows the % of disabled vs enabled users.
AD User Audit
This section contains the following data fields:
Event Name
Event ID
Target User Name
Target Domain Name
Session Name
Client Name
Client Address
Computer Name
Channel
Provider Name
AD Computer Audit
This section contains the following data fields:
Event Name
Event ID
Target User Name
Target Domain Name
Session Name
Client Name
Client Address
Computer Name
Channel
Provider Name
AD OU Audit
This section contains the following data fields:
Event Name
Event ID
Target User Name
Target Domain Name
Session Name
Client Name
Client Address
Computer Name
Channel
Provider Name
AD Group Audit
This section contains the following data fields:
Event Name
Event ID
Target User Name
Target Domain Name
Session Name
Client Name
Client Address
Computer Name
Channel
Provider Name
Active Directory - AD Audit - Action Toolbar Overview
The standard Alerts are available from the side toolbar.
Â
Need Support?
Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.
https://cybercns.freshdesk.com/en/support/login
Â