AD Audit

You can find this module at the Company level only.

The AD Audit sync is started from the agent Action menu and syncs Active Directory data every 15 minutes. It includes data for AD Users, Computers, OUs, and Groups.

Alerts are triggered by taking the data from AD Audit and mapping it against the AD Audit Event Set Group.

NOTE: AD Audit is only supported on a ‘Domain Controller’ where Active Directory Services and Role(s) are installed.

NOTE: The AD Audit Event Set alerts are available for any integration that supports the Event Set options. You must be inside one of the integration tiles to see the ‘Event Set’ section.

AD Audit - Details

Access the AD Audit from the Active Directory category.

The AD Audit dashboard will not populate until Activate AD Audit is executed. To do so, open the Action menu from any installed agent (probe or LWA) and select Activate AD Audit.

Tap on the Activate AD Audit option to start the syncing, which occurs every 15 minutes.

The syncing process can be stopped by using the Deactivate AD Audit option.

Activate AD: This activates the Active Directory scan on the agent. Data is published to the Active Directory and AD Summary panels.

Deactivate AD: This will turn off the Active Directory scanning from the agent.

Activate AD Audit: This will activate the Active Directory scan every 15 minutes. Data is published in the AD Audit, Problems, Active Directory, and AD Summary sections.

Deactivate AD Audit: This will stop the 15-minute scan and stop the AD Audit data from being populated.

Tap the AD Audit option under Active Directory to access the dashboard and data panels.

AD Audit presents a dashboard with metrics for Event Stats, User Stats, and Enabled/Disabled Users.

Active Directory - AD Audit - Details

Event Stats

This graph contains the following data points:

  • A directory service object was created (Success)

  • A group service object was modified (Success)

  • A logon was attempted using explicit credentials (Success)

  • A security-enabled local group was deleted

  • A session was disconnected from a Windows Station (Success)

  • A session was reconnected from a Windows Station (Success)

  • An attempt was made to reset an account password

  • Login Failure

  • Login Success

  • The workstation was locked (Success)

  • The workstation was unlocked (Success)

  • User Account was created

  • User Account was enabled

User Stats

This graph contains the user account data points based on activity.

Enabled and Disabled Users

This graph shows the percentage of disabled versus enabled users.

AD User Audit

This section contains the following data fields:

  • Event Name

  • Event ID

  • Target User Name

  • Target Domain Name

  • Session Name

  • Client Name

  • Client Address

  • Computer Name

  • Channel

  • Provider Name

AD Computer Audit

This section contains the following data fields:

  • Event Name

  • Event ID

  • Target User Name

  • Target Domain Name

  • Session Name

  • Client Name

  • Client Address

  • Computer Name

  • Channel

  • Provider Name

AD OU Audit

This section contains the following data fields:

  • Event Name

  • Event ID

  • Target User Name

  • Target Domain Name

  • Session Name

  • Client Name

  • Client Address

  • Computer Name

  • Channel

  • Provider Name

AD Group Audit

This section contains the following data fields:

  • Event Name

  • Event ID

  • Target User Name

  • Target Domain Name

  • Session Name

  • Client Name

  • Client Address

  • Computer Name

  • Channel

  • Provider Name

AD Audit - Toolbar Options

Date Filter

Tap to set a date filter on the data tables below.


Alerts

View a timeline of the System Events captured for each company. You can optionally set a date range to narrow the view to a specific span of events.

Info

Tap here to view your V4 Getting Started Info.

https://cybercns.atlassian.net/wiki/x/MIDKfw


Help Link

Click to access the related documentation page; this link is functional on all screens and will take you to the appropriate documentation page.


Layout Settings

Here, you can change the UI look and feel using various options, including the Theme for color, the Scheme for dark and light mode, the Layout for toolbar and module positions, and the toggle to set the table view default.

I prefer the Teal color, Light mode, and Classic layout with an asset table view.

Get Support

Our support team is here to help. Use one of three options to start a support request.

  1. Email to support@connectsecure.com

  2. Log in to our Freshdesk partner portal at https://cybercns.freshdesk.com

