AD Security 101: SIEM Tools and AD Monitoring

by Daniel Petri on March 23, 2023

Before we dive into technical tips that I mentioned in my previous post, I want to raise an important point. If you’re relying solely on security information and event management (SIEM) tools for Active Directory (AD) security monitoring—especially against potential cybersecurity attacks—you might not be getting a complete picture of what’s happening on your network and systems.

What are SIEM tools?

SIEM tools gather, centralize, and analyze various network, system, application, and other logs. Many event logs produce an overwhelming amount of data. SIEM tools can be incredibly useful in achieving a unified view of logged events.

Many organizations rely on SIEM tools to track security logs for potential malicious behavior, including threats to AD. Popular SIEM tools include Splunk and Microsoft Sentinel.

Why shouldn’t you rely on SIEM tools for AD security?

One problem with relying on SIEM tools for AD monitoring is that cyberattackers have become adept at bypassing AD security logs. DCShadow is just one example of such a cyberattack. Here are other drawbacks to a SIEM-only strategy:

Data-collection limitations: SIEMs collect and analyze only data that is forwarded to them. This data set might not include everything generated by a network or system. Many applications and services do not have built-in alerting or event creation capabilities. Even those that do might not produce alerts for all types of actions or configuration changes. For example, access and changes to virtual machines (VMs) might not be logged. These limitations lead to incomplete visibility and security monitoring.
Configuration errors: SIEMs must be properly configured to effectively analyze data and provide meaningful information. We all know how lengthy and complex such a process can be. Configuration errors and misconfigurations can lead to missed or incorrect data analysis, resulting in a limited view of network activity.
Data-processing challenges: Some SIEMs cannot process all types of data, leading to gaps in security monitoring.
Incomplete threat intelligence: SIEMs often rely on threat intelligence feeds to detect known threats. However, these feeds might not always be comprehensive or up to date.
False positives: SIEMs can generate false positives. These can distract from real security issues and reduce the overall effectiveness of the SIEM.
Not security oriented: Many applications and services generate event logs that were not designed for security. Generated events can be cryptic, concealing the true nature of the trigger event.
Limited context: SIEMs typically provide a limited amount of context for security events. This lack of context can make it difficult to understand the full scope of a security issue or perform root-cause analysis.

How to extend SIEM tools’ effectiveness

To address these limitations, SIEM tools should be used as part of a larger security strategy. Combine SIEM with other security technologies such as firewalls, intrusion detection systems, and endpoint protection software. And to maintain comprehensive view of AD security, be sure to implement a dedicated AD monitoring tool. For example, Semperis Directory Services Protector (DSP) easily integrates with SIEM tools.