Download the ‘AD insights pack’ for new capabilities to audit users, svc/MSA accounts, password last set, expiring, last login AD insights. Includes AD group audit alert capability.
Quick Download https://github.com/theKevinJustin/ADInsights/
AD audit
Time to provide key ‘AD insight reports’ into users and groups. Delve into different AD audit capabilities for users and groups. The pack also gathers DC Security events (rules), and lastly, on demand tasks for reports.
The question is what determines a problem?
Every domain admin has a different experience and perspective, whether cyber (hack) focused or not. Audit standards differ, from HIPAA, SOX, CCRI, STIG, etc.
Pack examples:
Users – service account naming conventions, password change frequency, expired date/time configured.
Groups – Choose your OU structure to audit WA in DA, SA in DA, WA in SA etc.
NOTE: Take caution on the OU group audit, to limit the output, as events have a size limitation
Configure ‘AD insight reports’
Now we can configure the user pack for applicable standards, like password age, last set, or AppOwners. The AppOwners is an array, so you can add whatever Application, system owners/teams in your organization. The password datasource (DS) rule runs weekly.
Break out the regular expressions of whatever accounts each team uses, to tailor relevant data into the report alert. Find/Replace (Control-H) might be more effective, as the DS/WA repeat the logic for the on-demand task report, vs. the rule and monitor.
Update patterns ID naming conventions
Tailor account names to environment to match ingested DC Security events.
Configure OU to environment
Configure OU structure to audit based on domain canonical names, groups, DC, etc.
Save file(s) and import