How do I monitor changes in Active Directory?

No matter how big or small you are, whether you have budget or not – you need to be monitoring changes in Active Directory. There are awesome Active Directory audit solutions that kindly sponsor webinars here at UltimateWindowsSecurity.com, and ideally you are using one of them. But if for whatever reason you can't, you still have AD and it still needs to be monitored. This webinar will help you do just that.

My team is in the finishing stages of developing a Splunk application that we are releasing at this webinar. Not only is this application free, but with the help of our soon-to-be-announced free edition of Supercharger for Windows Event Collection, we will demonstrate the power of WEC's XPath filtering to deliver just the relevant events to Splunk Free and stay within the 500Gb daily limit of Splunk Free's license. It's a trifecta of free tools that produces this:

Among other abilities, our new Splunk App puts our deep knowledge of the Windows Security Log to work by analyzing events to provide an easy to use but powerful dashboard of changes in Active Directory. You can see what's been changing in AD sliced up

  • by object type (users, groups, GPOs, etc)
  • by domain
  • by time
  • by administrator

Too many times I see dashboards that showcase the biggest and highest frequency actors and subjects but get real – most of the time what you are looking for is the needle – not the haystack. So we show the smallest, least frequent actors and objects too.

Just because it's free doesn't mean it's low value. We put some real work into this. I always learn something new about our own little AD lab environment when I bring this app up. To make this app work we had to make some improvements to how Splunk parses Windows Security Events. The problem with stuff built by non-specialists is that it suffices for filling in a bullet point like “native parsing of Windows Security Logs” but doesn't come through when you get serious about analysis. Case in point: Splunk treats these 2 very different fields in the below event as one:

As you can see, rsmith created the new user cmartin. But check out what Splunk does with that event:

Whoa! So there's no difference between the actor and the target of a critical event like a new account being created? One Splunker tells me they have dealt with this issue by ordinal position but I’m frightened that actor and target could switch positions. Anyway, it's ugly. Here's what the same event looks like once you install our Splunk App:

That's what I'm talking about! Hey, executives may say that's just the weeds but you and I know that with security the devil is in the details. (I feel like I should point out that my valued sponsors like LogRhythm, Quest, SolarWinds, EventTracker, Exabeam don't make this mistake.)

Now, you knowledgeable Splunkers out there are probably wondering if we get these fields by defining them at index time. The answer is “no”. I provided the Windows Security Log brains but we got a real Splunker to build the app, and you'll be happy to know that Imre defined these new fields as search-time fields. So this works on old events already indexed and, more importantly, doesn't impact indexing. We tried to do this right.

Plus, we made sure this app works whether you consume events directly from the Security log on each computer or via Windows Event Collection (which is what we recommend with the help of Supercharger).

For those of you new to Splunk, we'll quickly show you how to install Splunk Free and our Splunk App. Then we'll show you how in 5 minutes our free edition of Supercharger for Windows Event Collection can have your domain controllers efficiently forwarding just the relative trickle of relevant change events to Splunk. Then we'll start rendering some beautiful dashboards and drilling down into those events. I'll briefly show you how this same Splunk app can also analyze SharePoint, SQL Server and Exchange security activity produced by our LOGbinder product and mix all of that activity with AD changes and plot it on a single pane of glass.

Please join us. You will learn a lot about Active Directory change auditing, Splunk, Windows Event Collection and more. And you'll be the first to get access to these new and free tools.

Know immediately when an action of interest occurs. CPTRAX can send you and your staff an email when certain Active Directory activities occur, while quietly auditing everything else.

Quickly Detect and Automatically Stop Threats

Detect threats with Pattern alerts, which can be configured to alert you when interesting actions occur repeatedly on your Windows servers, such as mass file deletions or ransomware behavior. Optionally call a PowerShell script to immediately stop the action from happening.

  • Computer accounts: policies for disabling and moving computer accounts, and changing permissions on accounts.
  • Configurations: policies for creating and deleting GPOs.
  • Contacts: policies for creating, deleting, moving, and changing permissions on contacts.
  • Groups: policies for modifying DNS configurations, and monitoring nodes and zones.
  • User accounts: policies for creating distribution groups, changing membership, creating security groups, and so on.
  • Organization units: policies for creating, deleting, moving, and changing permissions on organizational units.
  • Schema: policy templates and view policy templates.
  • Trusts: policies for creating, deleting, and modifying trusts.

For more information about creating policies, see Creating Change Guardian Policies.

After creating policies, you can assign them to assets. For information about assigning policies, see Working with Policies.

NOTE: When you assign the Active Directory schema policies created for Attribute and Class schema monitoring together to the monitored assets, the AD schema events are not generated successfully.

Does Active Directory have an audit trail?

Native auditing: Active Directory event logs can be viewed using the Event Viewer, which is a native tool provided by Microsoft. However, your domain's audit policy needs to be turned on first.

How to track and audit Active Directory group membership changes?

To track the changes in Active Directory, open “Windows Event Viewer,” go to “Windows logs” → “Security.” Use the “Filter Current Log” in the right pane to find relevant events. The following are some of the events related to group membership changes. The following screenshot shows more detail of this event.
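The Splunk parsing problem described earlier (the actor's and the new account's "Account Name" collapsing into one field in event 4720) and the group membership events you filter for in Event Viewer share one fix: qualify every field by the section header it appears under ("Subject:", "New Account:", "Member:", "Group:") rather than by ordinal position. The parser below is an added example, not the webinar's Splunk app or its field extractions; the event IDs are real Windows Security Log IDs, and the sample event text is constructed to match the log's layout.

```python
import re

# Real Windows Security event IDs: 4720 = user account created;
# 4732/4728/4756 = member added to a security-enabled local/global/universal group.
USER_CREATED = 4720
GROUP_MEMBER_ADDED = {4732: "local", 4728: "global", 4756: "universal"}

SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*$")  # unindented header, e.g. "Subject:"
FIELD_RE = re.compile(r"^\s+([^:]+?):\s*(.*?)\s*$")      # indented "Account Name:\t\trsmith"

def parse_sections(message):
    """Return {section: {key: value}}, so one key may appear under several sections."""
    sections, current = {}, None
    for line in message.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            sections[current][field.group(1)] = field.group(2)
    return sections

def ad_change_fields(event_id, message):
    """Name actor and target by their section, never by the order they appear in."""
    s = parse_sections(message)
    out = {"event_id": event_id, "actor": s.get("Subject", {}).get("Account Name")}
    if event_id == USER_CREATED:
        out.update(action="user_created", target=s["New Account"]["Account Name"])
    elif event_id in GROUP_MEMBER_ADDED:
        out.update(action="member_added_to_%s_group" % GROUP_MEMBER_ADDED[event_id],
                   target=s["Member"]["Account Name"], group=s["Group"]["Group Name"])
    else:
        out["action"] = "unhandled"
    return out

# Constructed sample descriptions in the layout the Security log uses (not real captures).
SAMPLE_4720 = ("A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1-2-3-1104\n"
               "\tAccount Name:\t\trsmith\n\tAccount Domain:\t\tCONTOSO\n\tLogon ID:\t\t0x3E7\n\n"
               "New Account:\n\tSecurity ID:\t\tS-1-5-21-1-2-3-1234\n\tAccount Name:\t\tcmartin\n"
               "\tAccount Domain:\t\tCONTOSO\n")
SAMPLE_4728 = ("A member was added to a security-enabled global group.\n\nSubject:\n"
               "\tAccount Name:\t\trsmith\n\tAccount Domain:\t\tCONTOSO\n\nMember:\n"
               "\tSecurity ID:\t\tS-1-5-21-1-2-3-1234\n"
               "\tAccount Name:\t\tCN=C. Martin,OU=Staff,DC=contoso,DC=com\n\n"
               "Group:\n\tSecurity ID:\t\tS-1-5-21-1-2-3-512\n\tGroup Name:\t\tDomain Admins\n"
               "\tGroup Domain:\t\tCONTOSO\n")
```

Calling `ad_change_fields(4720, SAMPLE_4720)` yields actor `rsmith` and target `cmartin` as separate fields, and the 4728 sample additionally yields the group name, which is what a change dashboard needs to slice by administrator and by object.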

What to audit in Active Directory?

The top 10 changes to audit in Active Directory are:

  • Object modifications
  • Security permissions and access rights
  • Password resets and changes
  • Logon and logoff events
  • Deleted objects
  • Privileged user activities
  • Account lockouts
  • Inactive or obsolete accounts