Active Directory Audit and Monitoring

The entire cybersecurity framework is based on three things: protect, detect, and respond. All these components are connected to one another. When we implement a system, we first need to understand what to protect and how to protect it. So far in this book, I've explained the importance of an identity infrastructure and how to protect it from emerging threats. Based on that, we can build a protected identity infrastructure, but we should understand that we cannot close all the doors. We need to expect a possible security breach at any time. When it happens, we should have a system in place to detect it and notify us. This allows us to respond to the situation quickly and to minimize damage. In order to detect such incidents, it is important to have proper systems and processes in place. This is where audit and monitoring come in. These help us to ensure that the protected system we build is operating as expected, and that any unexpected or unnatural behavior is recorded and reported. Incident response will be based on the outcome of the detection process.

Before I use the London Underground, I always check the Transport for London (TfL) website to see the status of the tube line services. It is a service provided by TfL to make sure its users can plan their journeys properly and avoid delays. The system TfL has in place to monitor the line status gives us two benefits. As a service provider, TfL can detect a problem and start to address it immediately. At the same time, some filtered information is passed to the public, which is important for planning their journeys.

Similarly, auditing and monitoring are not only for engineers to find problems. They should also provide filtered, structured information to different parties, matched to their roles and responsibilities. As an example, the IT director would like to know the overall domain service availability for the last month. But it is not important for him to know each and every event that happened in the system in the last 30 days.

In auditing and monitoring, we also need to identify what to monitor and what is to be reported. Knowing each and every thing that happens in the system is good, but unless that information has been analyzed and prioritized, it will not allow engineers to detect the issues properly. Therefore, we need systems that audit and monitor the right things and present the results in a useful way.

In this chapter, we will look at the following:

  • Monitoring Active Directory Domain Service-related events and logs
  • Microsoft Advanced Threat Analytics to monitor identity infrastructure threats
  • Active Directory monitoring with Microsoft Operations Management Suite (OMS)
  • Advanced auditing for Active Directory Infrastructure