What’s Happening Right Now in My Active Directory?
We recently integrated two dashboards into NetEye SIEM to check what is happening within Active Directory, a component that is present in the vast majority of our customer environments.
These two dashboards start from the collection of security events that are gathered across the various Windows servers that make up the infrastructure, and are then directed to NetEye SIEM.
Among these servers there are obviously also the domain controllers that track the changes that are made to the users and groups that make up an Active Directory.
This information is very important for security as it allows us at any time to check what risks and threats may be ongoing in our Active Directory.
There are many attacks that start by leveraging the elevation of a user to administrator level and then placing that user in the administrators group, or by creating a new administrative user for malicious purposes, or even by resetting a user’s password to take possession of their account. With this new dashboard we can have everything under control. Here’s a preview:
As you can see, we collect information related to the following security KPIs
Users Created
Users Enabled
Users Deleted
Disabled Users
Users Unlocks
Password Changes / Reset
Users Locked Out
Users Renamed
Users Changes
If you’d like to have this dashboard, just ask us – the only prerequisite is that you have the Windows events already collected from your windows server.
The same goes for this second dashboard that keeps everything related to groups under control, which is also very useful for the same reasons as the dashboard above.
As you can see, we collect information related to the following security KPIs
Groups Created
Groups Changed
Groups Deleted
Users Added to Group
Users Removed from Group
Group Membership Enumeration
Some of our customers are already using this dashboard – we hope it will be useful not just to them and our other customers, but to everyone.
Franco Federico
Hi, I’m Franco and I was born in Monza. For 20 years I worked for IBM in various roles. I started as a customer service representative (help desk operator), then I was promoted to Windows expert. In 2004 I changed again and was promoted to consultant, business analyst, then Java developer, and finally technical support and system integrator for Enterprise Content Management (FileNet). Several years ago I became fascinated by the Open Source world, the GNU\Linux operating system, and security in general. So for 4 years during my free time I studied security systems and computer networks in order to extend my knowledge. I came across several open source technologies including the Elastic stack (formerly ELK), and started to explore them and other similar ones like Grafana, Greylog, Snort, Grok, etc. I like to script in Python, too. Then I started to work in Würth Phoenix like consultant. Two years ago I moved with my family in Berlin to work for a startup in fintech(Nuri), but the startup went bankrupt due to insolvency. No problem, Berlin offered many other opportunities and I started working for Helios IT Service as an infrastructure monitoring expert with Icinga and Elastic, but after another year I preferred to return to Italy for various reasons that we can go into in person 🙂 In my free time I continue to dedicate myself to my family(especially my daughter) and I like walking, reading, dancing and making pizza for friends and relatives.
Author
Franco Federico
Hi, I’m Franco and I was born in Monza. For 20 years I worked for IBM in various roles. I started as a customer service representative (help desk operator), then I was promoted to Windows expert. In 2004 I changed again and was promoted to consultant, business analyst, then Java developer, and finally technical support and system integrator for Enterprise Content Management (FileNet). Several years ago I became fascinated by the Open Source world, the GNU\Linux operating system, and security in general. So for 4 years during my free time I studied security systems and computer networks in order to extend my knowledge. I came across several open source technologies including the Elastic stack (formerly ELK), and started to explore them and other similar ones like Grafana, Greylog, Snort, Grok, etc. I like to script in Python, too. Then I started to work in Würth Phoenix like consultant. Two years ago I moved with my family in Berlin to work for a startup in fintech(Nuri), but the startup went bankrupt due to insolvency. No problem, Berlin offered many other opportunities and I started working for Helios IT Service as an infrastructure monitoring expert with Icinga and Elastic, but after another year I preferred to return to Italy for various reasons that we can go into in person :) In my free time I continue to dedicate myself to my family(especially my daughter) and I like walking, reading, dancing and making pizza for friends and relatives.
Why Dashboards Are Important In the modern IT world, simply collecting data isn't enough: Real value comes when data can be quickly interpreted and transformed into useful information. Dashboards represent the final step of a process that starts with: Data Read More
There’s a particular kind of irony in watching your observability stack become the thing you most need to observe. That’s more or less our day job, and it’s why we tend to be unusually deliberate about tooling decisions: The small Read More
1. Introduction The abuse of vulnerable drivers has become an increasingly common technique adopted by attackers to bypass modern security controls. This attack pattern, commonly referred to as Bring Your Own Vulnerable Driver (BYOVD), consists of loading legitimately signed but Read More
Today, most digital identity systems are built around a Central Identity Provider. That provider signs users in, stores key identity data, and often sits in the middle of every trust relationship between people, applications, and organizations. This model works, but Read More
Rarely has a title been more fitting: Transform metrics into alerts. It's not just a description of what the system does – it's also the exact name of the Elastic tool that makes it possible. Transforms, in their technical meaning, Read More