ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: Looking for an optimal set of events to audit in Active Directory


Member

Posts: 17
Date: May 31, 2011
Looking for an optimal set of events to audit in Active Directory


Hi Guys, we're in the midst of reviewing our Active Directory auditing settings, and were wondering if anyone had a list that enumerated the optimal set of events to audit in our Active Directory?

As you may be familiar, the risk of auditing too much is that our event logs fill up and roll over sooner than we wish them to, and the risk of not auditing all the right events is that we sometimes tend to miss important changes.

If anyone has attempted to come up with such a list, would really appreciate it if you'd be willing to share your input or provide some guidance.

Thanks much in advance.



__________________

I’m sorry, but having a DB9 on the drive and not driving it is a bit like having Keira Knightley in your bed and sleeping on the couch.



Veteran Member

Posts: 28
Date: Jun 27, 2012
RE: Looking for an optimal set of events to audit in Active Directory


Hi Will,

I think you'll find the thread "What is the optimal set of administrative tasks to audit in Active Directory?" to be helpful.

Basically, you need to map out the operations involved in these tasks, and then specify auditing for those operations. 

For example, the task of "Who can change group memberships" maps to the operation "Modify member attribute on Group objects".

Once you've figured out the mappings, you can proceed to set what Active Directory should generate an audit for, via the Advanced section of the Security Tab of an object's properties in ADUC / Administrative Center.

Sincerely,

Jack



__________________

We will NEVER forget.
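
The mapping described in the reply above ("Who can change group memberships" to "Modify member attribute on Group objects"), expressed as an audit entry set from PowerShell instead of the ADUC Security tab. This is an added example, not part of the original posts; it assumes the ActiveDirectory module is available and that the audit entry is placed at the domain root, and `$targetDn` is a name chosen here.

```powershell
# Added example: audit successful writes to the 'member' attribute on all
# group objects beneath a container, by adding one entry to its SACL.
Import-Module ActiveDirectory

# Assumption: scope is the whole domain. Substitute an OU's DN to narrow it.
$targetDn = (Get-ADDomain).DistinguishedName
$path     = "AD:\$targetDn"

# schemaIDGUID values from the default Active Directory schema.
$memberAttr = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # attribute: member
$groupClass = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # class: group

# Audit the action no matter who performs it (Everyone, S-1-1-0).
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

$ruleArgs = @(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    $memberAttr,                                                        # only this attribute
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClass                                                         # only on group objects
)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $ruleArgs

# -Audit is required, otherwise the SACL is not read at all.
$acl = Get-Acl -Path $path -Audit

# Skip the write if an equivalent explicit entry is already present,
# so re-running the script does not pile up duplicate audit entries.
$existing = $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq $everyone.Value -and
        $_.ObjectType -eq $memberAttr -and
        $_.InheritedObjectType -eq $groupClass -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success)
    }

if ($existing) {
    Write-Output "Audit entry for 'member' writes already present on $targetDn"
} else {
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Output "Added audit entry for 'member' writes on $targetDn"
}
```

The entry only produces events if the "Directory Service Changes" audit subcategory is enabled on the domain controllers (for example with `auditpol /set /subcategory:"Directory Service Changes" /success:enable`); membership changes then appear in the Security log as event ID 5136.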



Member

Posts: 17
Date: Jul 20, 2012
RE: Looking for an optimal set of events to audit in Active Directory


Jack,

Thanks for your input. I'll certainly take a look at that thread.

By the way, are you aware of any documentation that can help me figure out the mappings between the administrative tasks and the underlying technical operations, like you suggested?

Thanks,

Will.



__________________

I’m sorry, but having a DB9 on the drive and not driving it is a bit like having Keira Knightley in your bed and sleeping on the couch.



Veteran Member

Posts: 28
Date: Feb 5, 2013
RE: Looking for an optimal set of events to audit in Active Directory


Hi Will,

Have you checked out Microsoft's delegation whitepaper? I think it may have what you're looking for.

By the way, speaking of auditing, thought you might find this thread relevant. (We've been discussing the need to augment auditing along with a periodic Active Directory audit.)

We recently instituted and rolled out a periodic Active Directory audit program to augment our Active Directory auditing events, and we've seen measurable improvements in our security.

Good luck to you.

-J

 



__________________

We will NEVER forget.
