
Monitoring Active Directory Security

Active Directory Security Monitoring is a complex task due to the potentially vast quantity of data to be processed, and the need to understand asset relevance. Active Directory events can rarely be monitored atomically, and overlapping security, continuity and availability monitoring objectives suggest that a broader approach is more useful.

Evercom provide monitoring templates for the Active Directory security event log which group monitoring outcomes into real-time and audit-centric templates that can be coded into a commercial log management product, or generated using manual techniques such as Excel.

[Figure: Active Directory Security Monitoring process]

Using the simple, formal process shown above, site-specific requirements can be taken into account, and the resulting monitoring outcomes are grouped into areas such as Active Directory availability, privilege management and account management. Our recommendations are tailored to the individual environment, and are highly detailed, right down to identifying the correct asset scope, message types (Event Log Event ID) and which fields should be part of report queries.

We also have widespread experience with security event collection in large Active Directory forests, and can advise on techniques to minimise event log volumes and network performance impact, and on designing a passive (agentless) event monitoring program.

Copyright Evercom Networks 2007. All rights Reserved
