Advanced Threat Analytics

Occasional Visitor

I am looking for a solution that will notify management whenever a domain admin performs a task.  I am not looking for when an DA logs on/off but actually performs an elevated task.  For example: Running ADUC from their desktop to edit a user, disable an account, create a security group and other such daily tasks.  Auditing is enabled but it appears that unless the DA is actually doing the tasks on a DC the event goes without creating an event log entry.    Is ATA a viable solution?

2 Replies

You could set up the elevated accounts up as honey tokens in ATA and you will get logs/alerts every time the user authenticates using that account. Even that is not really what your asking for so I would say ATA is not the solution for your particular use case.

You would need a SEIM tool or look at WEFFLES by Jessica Payne. Running ADUC from a workstation won't be captured on a DC but the actions (edit, disable, create) should be if your auditing is done right. Don't forget as well as setting the audit policy GPO, you have to configure the auditing in the SACL