Advanced Threat Analytics

Marshall Briggs
Occasional Visitor

I am looking for a solution that will notify management whenever a domain admin performs a task. I am not looking for when a DA logs on/off but actually performs an elevated task. For example: running ADUC from their desktop to edit a user, disable an account, create a security group and other such daily tasks. Auditing is enabled but it appears that unless the DA is actually doing the tasks on a DC the event goes without creating an event log entry. Is ATA a viable solution?

2 Replies

You could set up the elevated accounts as honey tokens in ATA and you will get logs/alerts every time the user authenticates using that account. Even that is not really what you're asking for, so I would say ATA is not the solution for your particular use case.


You would need a SIEM tool or look at WEFFLES by Jessica Payne. Running ADUC from a workstation won't be captured on a DC, but the actions (edit, disable, create) should be if your auditing is done right. Don't forget that as well as setting the audit policy GPO, you have to configure the auditing in the SACL.
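To make the two-part setup in the reply above concrete, here is an added PowerShell example (not from the thread or from ATA) that enables the Directory Service Changes subcategory, adds the audit entry to the domain SACL, and then filters the resulting DC Security events down to actions whose subject is a Domain Admins member. It assumes the RSAT ActiveDirectory module, rights to write the domain head's SACL, and a DC's Security log readable from where it runs.

```powershell
# Added example, not code from the thread. Assumes RSAT ActiveDirectory module,
# rights to edit the domain SACL, and that it runs on (or can read logs from) a DC.
Import-Module ActiveDirectory

# 1. Audit policy (the "GPO" half). Production: set this in the Default Domain
#    Controllers Policy under Advanced Audit Policy Configuration > DS Access.
#    For a local test on one DC (GPO settings override this):
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable

# 2. SACL (the half that is easy to forget). Without an audit entry on the
#    objects, step 1 produces no 5136/5137/5141 events for edits at all.
#    Here: audit successful writes/creates/deletes by Everyone, domain-wide.
$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn" -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, Delete, WriteDacl, WriteOwner'
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$domainDn" -AclObject $acl

# 3. Detection: the events the poster wants, restricted to Domain Admins.
#    5136 object modified, 5137 created, 5141 deleted, 4725 account disabled,
#    4738 account changed, 4727/4731/4754 security group created.
$adminSids = (Get-ADGroupMember 'Domain Admins' -Recursive).SID.Value
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    Id      = 5136, 5137, 5141, 4725, 4738, 4727, 4731, 4754
} -MaxEvents 500

foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $bySubject = ($data | Where-Object Name -eq 'SubjectUserSid').'#text'
    if ($adminSids -contains $bySubject) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Admin   = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            # 5136-series events carry ObjectDN; account/group events carry TargetUserName
            Target  = ($data | Where-Object Name -in 'ObjectDN', 'TargetUserName').'#text' -join ','
        }
    }
}
```

A domain-wide Everyone audit entry is noisy (service accounts, replication, self-updates), so in practice narrow the SACL to the OUs and attributes you care about and ship the DC Security logs to your SIEM or WEF collector rather than polling with Get-WinEvent; membership checks should also cover Builtin Administrators and Enterprise Admins, not just Domain Admins.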
