Advanced Authentication and Authorization Monitoring in Windows Active Directory
The Professional SIEM Development series of blog posts is an important member benefit of securitydatascience.org. The first post in the series covers authentication and authorization monitoring in Windows Active Directory. Read more about the Professional SIEM Development Series to learn about the main objectives of this resource.
Your SIEM product will include built-in correlation rules and reports for authentication, but it may not be clear which risks those rules actually cover. Regardless of the SIEM product you use, a vendor-agnostic approach to developing your authentication monitoring program will ensure the program is comprehensive and meets your organization's needs rather than just the vendor's defaults. In this article we walk through developing and deploying a comprehensive security monitoring program for an Active Directory 2003 domain. The vast majority of organizations use Microsoft Active Directory (AD) as their central directory and authentication service: AD exposes the directory over LDAP, while the authentication itself is performed with Kerberos or NTLM. Typically this is the choice because Microsoft Windows is so prevalent on user desktops and many other applications can delegate authentication to AD. Other LDAP directories also handle authentication and authorization, and many of the concepts discussed here apply to those systems as well. Although LDAP can be used for a myriad of purposes, from authentication and authorization to documenting entities, this article focuses on authentication monitoring and some aspects of authorization monitoring.