    Active Directory change logging / auditing

    • notverypunny @IRJ

      @IRJ Does Wazuh have anything built-in or available for keeping tabs on AD? They seem to have an open enhancement request for it https://github.com/wazuh/wazuh/issues/3878

      • IRJ @notverypunny

        @notverypunny said in Active Directory change logging / auditing:

        @IRJ Does Wazuh have anything built-in or available for keeping tabs on AD? They seem to have an open enhancement request for it https://github.com/wazuh/wazuh/issues/3878

        You won't find any fancy dashboards for AD out of the box.

        You will need to create dashboards based off rules
        https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0220-msauth_rules.xml

        All the rules are there, but you will need to create your own correlations for those rules. If you are looking to create triggers or alerts based off those rules you can do that pretty easily with wazuh. If you would also like to have custom dashboards you can also create them to fit your needs. It's really powerful, but requires time to get it where you want it to be.

        • DustinB3403 @IRJ

          @IRJ maybe a deep dive at the next MC?

          • JaredBusch

            Netwrix works well. I know people that have purchased it and love it.

            • Obsolesce @notverypunny

              @notverypunny said in Active Directory change logging / auditing:

              I know that there are several discussions on here regarding if AD is needed. Please refrain from telling me to burn it all with fire as that's not an option 😉

              I've been tasked with looking at options for audit trails for changes within our AD, particularly with regards to user account modifications and was wondering what (if anything) folks on here are using and would recommend or caution against.

              In the paid / commercial corner I've seen :

              • ManageEngine ADAudit +
              • Netwrix Auditor

              In the community / open-source / roll-your-own corner:

              • Graylog
              • Wazuh ???

              For ease of use and peace of mind ManageEngine is a top contender, but of course is $$$. Graylog looks promising but appears to put all of the security heavy-lifting on the admin, which is certainly do-able but makes it a bit less interesting if there's another option.

              I don't see any requirements listed in your OP besides the bolded, so why isn't the built-in auditing option a consideration? That logs/audits all AD changes, and you can forward them to somewhere else as well, which is a standard best practice.

              • notverypunny @Obsolesce

                @Obsolesce This is what got me looking at graylog, and it's still on the table, just wondering if there are other options that I'm not considering.

                • notverypunny @JaredBusch

                  @JaredBusch said in Active Directory change logging / auditing:

                  Netwrix works well. I know people that have purchased it and love it.

                  The product looks good, but from an IT perspective I don't like the licensing as it's on a per AD user model, (which IT has no control over) whereas ManageEngine is based on a per DC model which is much easier to manage.

                  • Dashrender @Obsolesce

                    @Obsolesce said in Active Directory change logging / auditing:

                    @notverypunny said in Active Directory change logging / auditing:

                    I know that there are several discussions on here regarding if AD is needed. Please refrain from telling me to burn it all with fire as that's not an option 😉

                    I've been tasked with looking at options for audit trails for changes within our AD, particularly with regards to user account modifications and was wondering what (if anything) folks on here are using and would recommend or caution against.

                    In the paid / commercial corner I've seen :

                    • ManageEngine ADAudit +
                    • Netwrix Auditor

                    In the community / open-source / roll-your-own corner:

                    • Graylog
                    • Wazuh ???

                    For ease of use and peace of mind ManageEngine is a top contender, but of course is $$$. Graylog looks promising but appears to put all of the security heavy-lifting on the admin, which is certainly do-able but makes it a bit less interesting if there's another option.

                    I don't see any requirements listed in your OP besides the bolded, so why isn't the built-in auditing option a consideration? That logs/audits all AD changes, and you can forward them to somewhere else as well, which is a standard best practice.

                    Isn't the first step to using any of the listed options to do exactly that - local logging - which forwards those logs into a centralized system, where reports are run to generate alerts?

                    • Dashrender @notverypunny

                      @notverypunny said in Active Directory change logging / auditing:

                      @JaredBusch said in Active Directory change logging / auditing:

                      Netwrix works well. I know people that have purchased it and love it.

                      The product looks good, but from an IT perspective I don't like the licensing as it's on a per AD user model, (which IT has no control over) whereas ManageEngine is based on a per DC model which is much easier to manage.

                      Sure there's a difference there - but depending on pricing per user could still make sense - after all, this is an expense that having users is bringing you - just like the expense of a computer, of an email account, of a phone, etc.

                      • Obsolesce @Dashrender

                        @Dashrender said in Active Directory change logging / auditing:

                        @Obsolesce said in Active Directory change logging / auditing:

                        @notverypunny said in Active Directory change logging / auditing:

                        I know that there are several discussions on here regarding if AD is needed. Please refrain from telling me to burn it all with fire as that's not an option 😉

                        I've been tasked with looking at options for audit trails for changes within our AD, particularly with regards to user account modifications and was wondering what (if anything) folks on here are using and would recommend or caution against.

                        In the paid / commercial corner I've seen :

                        • ManageEngine ADAudit +
                        • Netwrix Auditor

                        In the community / open-source / roll-your-own corner:

                        • Graylog
                        • Wazuh ???

                        For ease of use and peace of mind ManageEngine is a top contender, but of course is $$$. Graylog looks promising but appears to put all of the security heavy-lifting on the admin, which is certainly do-able but makes it a bit less interesting if there's another option.

                        I don't see any requirements listed in your OP besides the bolded, so why isn't the built-in auditing option a consideration? That logs/audits all AD changes, and you can forward them to somewhere else as well, which is a standard best practice.

                        Isn't the first step to using any of the listed options to do exactly that - local logging - which forwards those logs into a centralized system, where reports are run to generate alerts?

                        You don't need additional software to do any of that.

                        • scottalanmiller @notverypunny

                          @notverypunny said in Active Directory change logging / auditing:

                          @JaredBusch said in Active Directory change logging / auditing:

                          Netwrix works well. I know people that have purchased it and love it.

                          The product looks good, but from an IT perspective I don't like the licensing as it's on a per AD user model, (which IT has no control over) whereas ManageEngine is based on a per DC model which is much easier to manage.

                          Is there a reason IT should have control over that? All IT expenses are just business expenses anyway. Just make it a per-seat cost like other per-seat costs. You already have to pay for Windows, Office, CALs, and whatever else "per seat", it's just another line item for whoever is paying for those.

                          • Obsolesce @scottalanmiller

                            @scottalanmiller said in Active Directory change logging / auditing:

                            @notverypunny said in Active Directory change logging / auditing:

                            @JaredBusch said in Active Directory change logging / auditing:

                            Netwrix works well. I know people that have purchased it and love it.

                            The product looks good, but from an IT perspective I don't like the licensing as it's on a per AD user model, (which IT has no control over) whereas ManageEngine is based on a per DC model which is much easier to manage.

                            Is there a reason IT should have control over that? All IT expenses are just business expenses anyway. Just make it a per-seat cost like other per-seat costs. You already have to pay for Windows, Office, CALs, and whatever else "per seat", it's just another line item for whoever is paying for those.

                            So why dig a deeper grave?

                            • Dashrender @Obsolesce

                              @Obsolesce said in Active Directory change logging / auditing:

                              @scottalanmiller said in Active Directory change logging / auditing:

                              @notverypunny said in Active Directory change logging / auditing:

                              @JaredBusch said in Active Directory change logging / auditing:

                              Netwrix works well. I know people that have purchased it and love it.

                              The product looks good, but from an IT perspective I don't like the licensing as it's on a per AD user model, (which IT has no control over) whereas ManageEngine is based on a per DC model which is much easier to manage.

                              Is there a reason IT should have control over that? All IT expenses are just business expenses anyway. Just make it a per-seat cost like other per-seat costs. You already have to pay for Windows, Office, CALs, and whatever else "per seat", it's just another line item for whoever is paying for those.

                              So why dig a deeper grave?

                              Why not lay out exactly what you are talking about, what you consider the option to be?

                              • Obsolesce @Dashrender

                                @Dashrender said in Active Directory change logging / auditing:

                                @Obsolesce said in Active Directory change logging / auditing:

                                @scottalanmiller said in Active Directory change logging / auditing:

                                @notverypunny said in Active Directory change logging / auditing:

                                @JaredBusch said in Active Directory change logging / auditing:

                                Netwrix works well. I know people that have purchased it and love it.

                                The product looks good, but from an IT perspective I don't like the licensing as it's on a per AD user model, (which IT has no control over) whereas ManageEngine is based on a per DC model which is much easier to manage.

                                Is there a reason IT should have control over that? All IT expenses are just business expenses anyway. Just make it a per-seat cost like other per-seat costs. You already have to pay for Windows, Office, CALs, and whatever else "per seat", it's just another line item for whoever is paying for those.

                                So why dig a deeper grave?

                                Why not lay out exactly what you are talking about, what you consider the option to be?

                                Because I'm not an IT buyer and don't just buy the first turn-key product with a pretty web interface I find. I can see the appeal, especially for an SMB with no staff, or an MSP with no time. The thing is, for those solutions, you may end up doing and maintaining more in the end anyways. Not always, but depending on the environment and how it changes over time. Yeah, maybe a turn-key solution is best, I don't know the environment at all, just one requirement, which is literally no need for third-party product and can be completed in an hour, without needing much if any maintenance.

                                1 Reply Last reply Reply Quote 0
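
What the built-in auditing route discussed in this thread looks like for user account modifications, as an added example that is not part of any post above. It assumes an elevated PowerShell session on a domain controller with rights to read the Security log; the function name `Get-AdUserChangeAudit` and the `$AccountEvents` table are hypothetical names chosen for this sketch.

```powershell
# Added example (not from the thread). Read-only: it inspects policy and reads events.

# 1. Confirm the audit subcategory that records account changes is enabled on this DC.
auditpol /get /subcategory:"User Account Management"

# 2. Security event IDs that subcategory writes for user accounts (hypothetical table name).
$AccountEvents = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4724 = 'Password reset attempted'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4738 = 'User account changed'
    4740 = 'User account locked out'
}

# 3. Turn the raw events into an audit trail: when, what, which account, changed by whom.
function Get-AdUserChangeAudit {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$AccountEvents.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue suppresses the "no events found" error when the window is empty.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData fields are only named in the XML view, so index them by name.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                DC      = $_.MachineName
                EventId = $_.Id
                Action  = $AccountEvents[$_.Id]
                Target  = $data['TargetUserName']   # account that was modified
                Actor   = $data['SubjectUserName']  # account that made the change
            }
        }
}

Get-AdUserChangeAudit -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Each domain controller records only the changes it processed, so a complete trail means running this against every DC or forwarding the Security log to a central collector, as the thread suggests.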