MicrosoftWhat are some of the best practices for security monitoring tier0 environment? Or should they be monitored the same way as any other group of assets using EDR, SIEM, Change compliance etc?
MicrosoftHello vaasudevk05 the classical answer on this question is: it depends
Of course you should monitor Tier 0 identities in your regular SIEM, but should also implement an unusual behavior detection. We recommend Defender for Identities, Defender for Cloud and Azure Sentinel.
Looking for the Modern Tier 0 isolation you should enable the Microsoft/Windows/Authentication/AuthenticationPolicyFailure-DomainController log on every DC.
You should take care on the following events, documented in https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos#BKMK_ErrorandEvents
It depends on how the security monitoring system is working and where (in the tiering model) it is placed.
As an example: a SIEM that is using agents (fetching the events) running with either a dedicated account or local system on T0 computers MUST as well be located and operated as Tier0.
Another SIEM that will get the events using eventlog forwarding (by eventlog subscriptions) from T0 computers does not necessarily be a T0 asset.
The difference in the above is that we always assume: No software is bug free! In case of operating agents on T0 computers there might be a change for someone getting control over the SIEM and is able to manipulate the agents to do malicious things. While in the second example, the OS is shipping eventlogs to another system and the SIEM in that case has no possibility to manipulate the event sender.
I hope that explains the strategy.
