In this webinar we’re going to focus on detecting threats using Active Directory authentication events that domain controllers write to the Windows Security Log. I’ve covered these events from a generic/theory point of view before, but this time we’ll be looking at specific ways to analyze this voluminous but valuable data to detect high probability signs of intrusion.
As you may know, domain controls handle all authentication for domain accounts no matter where the account is being used. Most of the events are generated by Kerberos (4768-4773) since that’s the default authentication protocol in an AD environment. But AD still supports NTLM for backward compatibility and for authentication from untrusted clients which results in event IDs 4776 and 4777. We’ll review all of these events and their meanings.
Then we’ll dive into several threat detection scenarios such as:
- Probable account compromise
- Suspicious activity
- Brute force (2 types)
- Impossible travel
This will be a very technical and practical real training for free event, full of security log secrets.
I can show you these events and how to analyze them but you still need the technology to collect this data from each domain controller, make sense of it and perform the requisite baselining and correlation. Our sponsor is Quest and Matthew Vinton will briefly show you the new Threat Detection capabilities of Quest Change Auditor. This feature-rich, mature product has been a leader for a long time in the area of collecting change and other activity events from all over your network and Quest has now built proactive user behavior analytics to leverage even more from that data as you’ll see.
Please join us for this real training for free session.