Advanced Authentication and Authorization Monitoring in Windows Active Directory

The Professional SIEM Development series of blogs is an important member benefit of securitydatascience.org. The first series will cover monitoring in Windows Active Directory. Read more about the Professional SIEM Development Series to learn about the main objectives of this resource.

Your SIEM product will include built-in correlation rules and reports for authentication, but it may not be clear which risks they cover. Regardless of the SIEM product you use, a vendor-agnostic approach to developing your authentication monitoring program will ensure the program is comprehensive and meets your organization's needs. In this article we walk through developing and deploying a comprehensive security monitoring program for an Active Directory 2003 domain. The vast majority of organizations use Microsoft Active Directory (AD) as their main LDAP system for authentication. Typically this is the choice because Microsoft Windows is so prevalent on user desktops and many other applications can delegate authentication to AD. Other LDAP systems also handle authentication and authorization, and many of the concepts discussed here apply to those systems as well. Although LDAP can be used for a myriad of purposes, from authentication and authorization to entity documentation, this article will focus on authentication and some aspects of authorization monitoring.

Throughout September, one part of this article will be released each week:

Part I: Process overview, information gathering and risk assessment
Part II: Event identification and event profiling
Part III: Alert selection, data enrichment and operationalization
Part IV: Performance and risk metrics

Association of Security Data Scientist