Administrator user monitoring
In organizations with large IT ecosystems, keeping track of operational and administrator activity is essential for catching unauthorised or business-impacting changes early. In a Microsoft environment this is made harder by the sheer volume of events that each Domain Controller logs, most of which are routine noise.
Using the Elastic Stack and Winlogbeat we can collect, store and analyze the relevant events from Windows machines. Winlogbeat ships Windows event logs (Security, System, Application and any other channel you name) from Windows hosts to Elasticsearch; it can forward every event, or it can be restricted to administrator-specific events such as logon activity, account management, policy changes and system changes. Note that these events only exist if the matching audit policy is enabled on the Domain Controllers, so the Advanced Audit Policy settings should be checked before relying on the collected data.
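The following winlogbeat.yml is an added example, not configuration from the original page. It forwards only the administrator-relevant events named above instead of the whole Security log, using Winlogbeat's per-channel event_id whitelist (single IDs, ranges, and negated IDs to exclude). The event IDs are standard Windows Security and System log IDs; the Elasticsearch host, the user name and the ES_PWD keystore entry are assumed placeholders.

```yaml
# Added example: admin-focused Winlogbeat collection (not the page's own config).
winlogbeat.event_logs:

  # Security log. The event_id list is grouped by purpose:
  #   logon activity      4624 logon, 4625 failed logon, 4648 explicit-credential
  #                       logon (runas), 4672 admin privileges assigned at logon
  #   account management  4720-4726 user created/enabled/password reset/disabled/
  #                       deleted, 4738 changed, 4740 locked out, 4767 unlocked,
  #                       4728/4732/4756 member added to global/local/universal
  #                       group, 4729/4733/4757 member removed
  #   policy changes      4713 Kerberos policy, 4719 audit policy, 4739 domain
  #                       policy, 4907 object audit settings changed
  #   system changes      4697 service installed, 1102 audit log cleared
  # Logoff events (4634, 4647) are deliberately left out to cut volume.
  - name: Security
    event_id: 4624, 4625, 4648, 4672, 4720-4726, 4728, 4729, 4732, 4733, 4738, 4740, 4756, 4757, 4767, 4713, 4719, 4739, 4907, 4697, 1102
    ignore_older: 72h
    processors:
      # Drop logons by machine accounts (names ending in "$") so the logon
      # view shows human and service accounts only. Assumption: machine
      # account logons are not needed in this deployment.
      - drop_event:
          when:
            and:
              - equals:
                  event.code: "4624"
              - regexp:
                  winlog.event_data.TargetUserName: '\$$'

  # System log: 7045 new service installed, 104 event log cleared,
  # 1074 shutdown or restart requested.
  - name: System
    event_id: 7045, 104, 1074
    ignore_older: 72h

output.elasticsearch:
  hosts: ["https://elastic.example.internal:9200"]   # assumed placeholder
  username: "winlogbeat_writer"                      # assumed placeholder
  password: "${ES_PWD}"   # assumption: stored in the Beats keystore, not inline
```

Filtering at the source keeps index size and licence cost down, but anything dropped here cannot be searched later, so widen the list before tightening it; the ignore_older value only controls how far back Winlogbeat reads on first start.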
These events are then organized into a bird's-eye view of administrator activity across the entire Microsoft infrastructure. Users no longer have to log on to individual Domain Controllers and sift through hundreds of thousands of events to see what happened; all the details are visible in a single window. Furthermore, Elastic machine learning jobs can be created to flag anomalous activity such as unusual logons, system changes, user privilege changes, newly created processes and so on.
Any event or anomaly of interest triggers an alert through Watcher, which sends an automated message by e-mail or Slack to the appropriate team.
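As an added example of the Watcher alert described above (not a watch from the original page), the watch below runs every five minutes, searches the last five minutes of winlogbeat-* data for members being added to a security-enabled group whose name contains "Admin" (Security events 4728, 4732 and 4756), and notifies the team by Slack and e-mail when it finds any. It is created with PUT _watcher/watch/privileged-group-change. The index pattern, the Slack account name "soc", the channel #ad-alerts and the e-mail address are assumptions; the Slack account must already be configured in elasticsearch.yml, and the field winlog.event_data.TargetUserName holds the group name for these event IDs under the default Winlogbeat mapping.

```json
{
  "metadata": {
    "description": "Added example watch: member added to an admin group (assumed names)"
  },
  "trigger": {
    "schedule": { "interval": "5m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["winlogbeat-*"],
        "body": {
          "size": 20,
          "sort": [{ "@timestamp": { "order": "desc" } }],
          "query": {
            "bool": {
              "filter": [
                { "terms": { "event.code": ["4728", "4732", "4756"] } },
                { "wildcard": { "winlog.event_data.TargetUserName": { "value": "*Admin*" } } },
                { "range": { "@timestamp": { "gte": "now-5m" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "actions": {
    "notify_slack": {
      "throttle_period": "15m",
      "slack": {
        "account": "soc",
        "message": {
          "from": "watcher",
          "to": ["#ad-alerts"],
          "text": "{{ctx.payload.hits.total}} admin group membership change(s) in the last 5 minutes. First hit: {{ctx.payload.hits.hits.0._source.winlog.event_data.MemberName}} added to {{ctx.payload.hits.hits.0._source.winlog.event_data.TargetUserName}} by {{ctx.payload.hits.hits.0._source.winlog.event_data.SubjectUserName}} on {{ctx.payload.hits.hits.0._source.host.name}}"
        }
      }
    },
    "email_soc": {
      "throttle_period": "15m",
      "email": {
        "to": "soc@example.internal",
        "subject": "[AD] {{ctx.payload.hits.total}} admin group membership change(s)",
        "body": "Review the privileged group changes in the admin monitoring dashboard. Watch: {{ctx.watch_id}}, fired at {{ctx.execution_time}}."
      }
    }
  }
}
```

The throttle_period stops the same condition from paging the team every five minutes while an incident is being handled; the condition uses hits.total directly because Watcher's search input returns it as a plain number.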