Security monitoring recommendations for many audit events

Active Directory Auditing Tool

The who, where and when of every change is essential for an administrator to have complete knowledge of all activity in Active Directory, and to separate expected from unexpected activity. ADAudit Plus delivers this information as reports. Ensure that critical resources in the network, such as domain controllers, are audited, monitored and reported on in real time, covering every AD object (users, groups, GPOs, computers, OUs, DNS, and AD schema and configuration changes) with 200+ event-specific GUI reports and email alerts.


A brief look at security monitoring recommendations for many audit events

This article is a brief overview of the security monitoring practices recommended for an effective auditing strategy. Each recommendation keys on the Subject fields (Security ID, Account Name, Account Domain) that Windows Security events record for the account that performed the action.

Privileged accounts:

Accounts that need extra scrutiny, such as accounts in a high-value domain or accounts with a high level of access, for example database administrators, domain administrators, and the built-in local Administrator account.

Recommended practices:

  • Monitor all relevant events for a “Subject\Security ID” that corresponds to a high-value account. Key on the SID rather than the account name: a rename changes the name, but the SID stays the same.

Anomalies or suspicious events:

Every organization classifies events or activity on the network as suspicious differently; one common example is user activity at unusual hours.

Recommended practices:

  • To monitor for suspicious activity, use the “Subject\Security ID” to track when an account logged on and what actions it performed.

Inactive accounts:

Inactive accounts include disabled accounts, guest accounts, and accounts that are no longer used.

Recommended practices:

  • Use the “Subject\Security ID” to monitor for security events generated by accounts that should never be used; any such event is a finding in itself.

Account allow list:

Organizations should maintain a list of the only user accounts allowed to perform specific actions.

Recommended practices:

  • Monitor the relevant events for “Subject\Security ID” values that are not on the allow list.

Accounts of different types:

Ensure that certain actions are performed only by certain account types, for example local versus domain accounts, vendor versus employee accounts, or machine versus user accounts.

Recommended practices:

  • Identify the events that correspond to the actions you want to monitor, and for those events check the “Subject\Security ID” to confirm that the account type is the expected one.

External accounts:

Monitor accounts from external or other domains, or “external” accounts that are not allowed to perform certain actions.

Recommended practices:

  • Configure monitoring of the specific events for “Subject\Account Domain” values that correspond to accounts from other domains or “external” accounts.

Restricted-use computers or devices:

Organizations should have a list of machines or devices on which specific accounts should not normally perform any actions.

Recommended practices:

  • Monitor the target devices for actions performed by those specific “Subject\Security ID” values.

Account naming conventions:

Organizations should have a specific naming convention for their account names.

Recommended practices:

  • Monitor “Subject\Account Name” for names that do not follow the naming convention.
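The eight rules above all come down to matching fields of a Security event against lists the organization maintains. The following script is an added example (it is not part of this article and not ADAudit Plus code): it reads 4663 object-access records in the Windows event XML format, the format that `wevtutil qe Security /f:xml` or `Get-WinEvent` followed by `.ToXml()` produce, applies one check per section above to the Subject\Security ID, Subject\Account Name, Subject\Account Domain and Computer fields, and returns the rules each record trips. Every SID, account name, domain, hostname, path, the naming-convention regex and the working-hours window are assumptions constructed for the example, as are the three sample records.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Organizational lists the article says you should maintain. All values are
# constructed for this example; replace them with your own.
PRIVILEGED_SIDS = {"S-1-5-21-1000000000-2000000000-3000000000-500"}  # built-in Administrator
INACTIVE_SIDS = {"S-1-5-21-1000000000-2000000000-3000000000-501"}    # Guest: should never act
ALLOW_LIST = {  # object -> the only SIDs allowed to touch it
    r"C:\Finance\payroll.xlsx": {"S-1-5-21-1000000000-2000000000-3000000000-1105"},
}
INTERNAL_DOMAINS = {"CORP"}
RESTRICTED_HOSTS = {  # computer -> SIDs that must never act on it
    "DC01.corp.example": {"S-1-5-21-4000000000-5000000000-6000000000-1203"},
}
NAMING_RE = re.compile(r"^[a-z]{2,8}\d{2}$")  # assumed convention, e.g. jdoe01
WORK_HOURS = range(7, 19)                      # 07:00-18:59 UTC counts as normal


def parse_event(xml_text):
    """Flatten one Security event (the XML wevtutil/Get-WinEvent emit) into a dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    ev = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    ev["EventID"] = int(system.find("e:EventID", NS).text)
    ev["RecordID"] = int(system.find("e:EventRecordID", NS).text)
    ev["Computer"] = system.find("e:Computer", NS).text
    # SystemTime carries seven fractional digits; keep whole seconds and treat it as UTC.
    ev["Time"] = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return ev


def check_event(ev):
    """Return the names of the monitoring rules this event trips (empty list = nothing to flag)."""
    sid, name = ev["SubjectUserSid"], ev["SubjectUserName"]
    domain, host = ev["SubjectDomainName"], ev["Computer"]
    is_machine = name.endswith("$")  # computer accounts appear as NAME$ in the Subject fields
    hits = []
    if sid in PRIVILEGED_SIDS:
        hits.append("privileged-account")
    if sid in INACTIVE_SIDS:
        hits.append("inactive-account")
    allowed = ALLOW_LIST.get(ev.get("ObjectName"))
    if allowed is not None and sid not in allowed:
        hits.append("outside-allow-list")
    if is_machine:
        hits.append("machine-account")  # account-type check: a computer, not a user, touched the object
    if domain.upper() not in INTERNAL_DOMAINS:
        hits.append("external-domain")
    if sid in RESTRICTED_HOSTS.get(host, ()):
        hits.append("restricted-computer")
    if not is_machine and not NAMING_RE.match(name):
        hits.append("naming-convention")
    if ev["Time"].hour not in WORK_HOURS:
        hits.append("odd-hours")
    return hits


def scan(xml_records):
    """Map EventRecordID -> rule hits for the 4663 (object access) events in xml_records."""
    findings = {}
    for rec in xml_records:
        ev = parse_event(rec)
        if ev["EventID"] == 4663:
            findings[ev["RecordID"]] = check_event(ev)
    return findings


def _event(record_id, time, computer, sid, user, domain, obj):
    # Builds a constructed 4663 record in the real event schema, reduced to the fields the rules use.
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4663</EventID>
    <TimeCreated SystemTime="{time}"/><EventRecordID>{record_id}</EventRecordID>
    <Computer>{computer}</Computer></System>
  <EventData><Data Name="SubjectUserSid">{sid}</Data><Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">{domain}</Data><Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">{obj}</Data><Data Name="AccessMask">0x1</Data></EventData>
</Event>"""


SAMPLE_EVENTS = [  # constructed sample log, not real audit data
    _event(1001, "2024-03-04T10:12:03.4412345Z", "FS01.corp.example",
           "S-1-5-21-1000000000-2000000000-3000000000-1105", "jdoe01", "CORP", r"C:\Finance\payroll.xlsx"),
    _event(1002, "2024-03-04T02:15:44.1208811Z", "FS01.corp.example",
           "S-1-5-21-1000000000-2000000000-3000000000-500", "Administrator", "CORP", r"C:\Finance\payroll.xlsx"),
    _event(1003, "2024-03-04T11:00:09.0000000Z", "DC01.corp.example",
           "S-1-5-21-4000000000-5000000000-6000000000-1203", "bsmith02", "PARTNER", r"C:\Windows\NTDS\ntds.dit"),
]

if __name__ == "__main__":
    for rid, hits in scan(SAMPLE_EVENTS).items():
        print(rid, hits or "ok")
```

Keying on the SID rather than the account name matters for the privileged, inactive, allow-list and restricted-computer rules, because a rename changes Subject\Account Name but not Subject\Security ID; the naming-convention rule is the one check that has to look at the name. Run the script as-is to see the three sample records scored (the first is clean, the second trips four rules, the third two); to use it on real data, replace SAMPLE_EVENTS with the records exported from the Security log.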

About ADAudit Plus

ADAudit Plus is a real time change auditing software that helps keep your Active Directory, Azure AD, Windows file servers, NetApp filers, EMC file systems, Synology file systems, Windows member servers, and workstations secure and compliant. With ADAudit Plus, you can get visibility into:

  • Authorized and unauthorized AD management changes
  • User logons, logoffs, and account lockouts
  • GPO changes
  • Group attribute and membership changes
  • OU changes
  • Privileged access and permission changes, among other things.

There are more than 200 event-specific reports, and you can configure instant email alerts. You can also export the reports to XLS, HTML, PDF and CSV formats to assist in interpretation and forensics. For more information on ADAudit Plus, visit: https://www.manageengine.com/active-directory-audit/.