SIEM Solutions from ManageEngine ADAudit Plus

Detection of Insider Attacks in Windows Environment


Of all the cyber threats, the worst that could hit an organization lies within: the insider attack. Insider attacks earn their notoriety because they are extremely difficult to detect, especially when the attacker is a trusted and privileged user. Detection is next to impossible when the adversary is an IT worker with privileged access to the systems such as Active Directory. These attackers know the organization’s security policies inside out, which offers them the leverage to circumvent the security controls and cloak their incursions as something uneventful.

The primary burden in insider attacks is to discern the harmful actions of the attacker, which can look like normal activities consistent with his roles and responsibilities. Only contextual information about the situation will help in unearthing such attacks. To better understand this, consider the scenario below. When each incident is viewed alone, it is quite likely that all three would be dismissed as mundane. However, if an investigator correlates the account lockout incident with the other two related events, the attack becomes evident.

  • A rogue system administrator abuses his authorized privileges in Windows Active Directory to reset the password of a critical account, thereby obtaining access to the account’s entitlements and the organization's confidential data.
  • Using the stolen identity, the admin accesses data that is otherwise off-limits to him. All of this happens overnight and via remote access, which does not trigger any alert since these are permissible activities for the account.
  • The next day, the owner of the account, who is unaware of the password reset, is locked out when she attempts to log on. Assuming that she has forgotten her password, she asks the help desk for a new password.

ADAudit Plus Consolidated Audit Trail Reporting

ADAudit Plus provides a search utility that consolidates three different audit summaries, as listed below, for any user account (including Active Directory administrators) over a chosen period. Every detail presented in the summary is a link which, when clicked, displays a detailed report for closer inspection. Similarly, the search also produces a consolidated audit summary for any given group or computer object, with the right mix of information for better incident investigation.

When you use ADAudit Plus to investigate the account lockout incident discussed above, this search juxtaposes information such as the admin's actions on the account, the account’s remote access from a strange IP address, and the account lockout. This provides the context needed to establish a relationship between the related security events and eventually expose the insider job.
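The correlation described above can be reduced to a simple rule: for one account, a password reset performed by someone other than the owner, followed by a remote logon from an address outside the organisation's networks, followed by a lockout of the owner, all within a short window. The following script is an added example (not ADAudit Plus code) that applies that rule to a handful of constructed Windows Security events. The event IDs (4724 password reset, 4624 successful logon with logon type 10 for RemoteInteractive, 4740 account lockout) are the standard Windows values; the field names, the corporate address ranges, the 48-hour window and the sample events are assumptions made for the example.

```python
"""Correlate three individually benign Windows Security events into one
insider-attack chain:
  4724  an administrator resets the account's password
  4624  the account logs on remotely (logon type 10) from an external address
  4740  the real owner is later locked out
Field names, corporate ranges and sample events are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed: address ranges the organisation treats as "inside".
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Event:
    time: datetime
    event_id: int          # Windows Security event ID
    target: str            # account the event is about
    actor: str = ""        # who performed the action (4724)
    source_ip: str = ""    # where the logon came from (4624)
    logon_type: int = 0    # 10 = RemoteInteractive (RDP)


def is_external(ip: str) -> bool:
    """True when the address lies outside every corporate range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)


def correlate(events, window=timedelta(hours=48)):
    """Return one finding per (account, reset) that shows the full chain
    reset -> external remote logon -> lockout, in that order, within `window`."""
    by_target = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_target.setdefault(ev.target, []).append(ev)

    findings = []
    for account, evs in by_target.items():
        for reset in (e for e in evs if e.event_id == 4724):
            later = [e for e in evs if reset.time < e.time <= reset.time + window]
            logon = next((e for e in later if e.event_id == 4624
                          and e.logon_type == 10 and is_external(e.source_ip)), None)
            if logon is None:
                continue          # no suspicious remote use of the reset account
            lockout = next((e for e in later if e.event_id == 4740
                            and e.time > logon.time), None)
            if lockout is None:
                continue          # owner never noticed: chain incomplete
            findings.append({
                "account": account,
                "reset_by": reset.actor,
                "reset_at": reset.time,
                "source_ip": logon.source_ip,
                "lockout_at": lockout.time,
            })
    return findings


# Constructed sample log: the scenario from the text plus a legitimate
# help-desk reset for another user that must NOT be flagged.
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 4, 1, 10), 4724, "jsmith", actor="admin01"),
    Event(datetime(2024, 3, 4, 1, 25), 4624, "jsmith",
          source_ip="203.0.113.45", logon_type=10),
    Event(datetime(2024, 3, 5, 8, 5), 4740, "jsmith"),
    Event(datetime(2024, 3, 4, 10, 0), 4724, "bjones", actor="helpdesk02"),
    Event(datetime(2024, 3, 4, 10, 5), 4624, "bjones",
          source_ip="10.20.3.7", logon_type=10),
    Event(datetime(2024, 3, 4, 12, 0), 4740, "bjones"),   # mistyped password
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['account']}: reset by {f['reset_by']} at {f['reset_at']}, "
              f"remote logon from {f['source_ip']}, locked out {f['lockout_at']}")
```

Only `jsmith` is reported: `bjones` also had a reset followed by a lockout, but the intervening remote logon came from a corporate address, so the chain is treated as an ordinary help-desk reset. Keeping the events in a searchable store for months, as the text notes, is what makes the wide time window usable at all.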

Sometimes, the attackers take their time and carefully phase their operations. In this manner, even if their actions are detected, the sporadic nature of those actions tricks the observer into dismissing them either as accidental or uneventful. This also buys the attackers some time, during which the telltale signs of their infractions in Active Directory get deleted from the log files (or relegated to archives). Since ADAudit Plus maintains audit data in a local database, the investigators can tune its search utility to pull a few months’ or even a year-old audit trail for a suspected user. This provides a context-rich audit trail, which the investigators can use to understand the true import of those user actions.

Also in ADAudit Plus,

200+ ready-to-use audit reports for security, forensics & compliance

Active Directory Auditing
  • Monitor users & administrators Domain Controller logon activity
  • Audit changes to Users, Groups, Computers, OUs, GPOs, DNS, AD Schema
  • Before & after values of GPO settings & AD objects attributes
Logon / Logoff
  • Audit the users' Workstation logon & logoff times, logon duration
  • Users logon failures, logon history, Terminal Services & RADIUS logons
  • View pre-configured reports and set email alerts for critical accounts
Windows File Server
  • Audit File Servers, Windows Failover Cluster, NetApp Filers & EMC Servers
  • Monitor failed attempts & successful file create, modify, delete & file read
  • Files moved or renamed, copy-n-pasted, modifications & access permissions
Windows Member Server
  • Audit Member Servers, File Integrity monitoring, Printers & USB accesses
  • Monitor local logon, logoff, logon duration, logon failures & logon history
  • Track scheduled tasks, processes, folder audit & permission changes
ADAudit Plus is available in 4 Editions

Starts at $0

  • Never expires
  • 25 Workstations free
  • Reports can be generated from event log data collected during evaluation / license period

Starts at $0

  • All features of Professional Edition for 30 days
  • You can Audit
    5 Domain Controllers
    2 File Servers
    1 NetApp Filer (or)
    1 EMC File Server
    10 Member Servers
    100 Workstations

Starts at $595

  • 200+ pre-configured audit reports
  • Real-time Active Directory auditing
  • Monitor AD User, Group, Computer, OU, GPO changes
  • Audit Workstations logon / logoff
  • File create, modify, delete, access, permissions
  • Track system events, scheduled tasks
  • Printer & USB audit
  • Email alerts & Scheduled reports
  • Compliance specific reports
  • Data archiving

Starts at $945

  • All features of Standard Edition +
  • Group Policy Objects settings audit
  • Old & new value of all attribute changes of AD Objects
  • Active Directory permission change audit
  • Account lockout analyzer
  • DNS Server, Schema, Contacts & Configuration Auditing
  • Support for MS SQL Server database
  • ADAudit Plus has helped us meet certain SOX and PCI compliance requirements. Liking the automated monthly reports for SOX, ease of use, implementation and very cost effective solution.
    Jeffrey O'Donnell
    Director of IT,
    Uncle Bob’s Self Storage
  • We finalized on ManageEngine ADAudit Plus, primarily for our SOX Audit reports and I think the tool, with its easy to comprehend output is very cool and the highly competitive pricing helped grab our attention.
    Andreas Ederer
    Cosma International
  • We are an emergency healthcare provider. We see the software as good risk avoidance with some good risk management practices and help us meet HIPAA compliance. We chose ADAudit Plus, which works 24/7/365 like us.
    JT Mason
    Director of IT
    California Transplant Donor Network (CTDN)
  • We evaluated different software; ADAudit Plus is extremely easy to deploy and a cost-effective solution that helped us pass several industry related security audits, in-depth PEN audit test and meet HIPAA security guidelines.
    Renee Davis
    Life Management Center
  • We are a not-for-profit organization and had to satisfy HIPAA requirements; we chose ADAudit Plus, which helped us to see what changes were made and who made them in our AD.
    Manager of Network Operations
  • ADAudit Plus was the simplest and most relevant from the several products we trialed to monitor user logon failures, account cleaning, to keep a check on malicious activities and meet PCI-DSS compliance.
    Bernie Camus
    IT Manager

A single pane of glass for complete Active Directory Auditing and Reporting