Monitoring Users logging on and off from Active Directory.


Kyriakos Stavridis

May 31, 2019, 4:21:05 AM5/31/19
to ossec-list
Hello everyone.

I am trying to use OSSEC to monitor the logons and logoffs by employees on our Active Directory server.

The problem is that there is too much noise generated by the AD and I cannot find a way to isolate the events I need monitored to get the correct results.

The AD server generates about 5-6 events every time a user logs on or logs off (logon Event ID 4624, logoff Event ID 4634).

The desirable result is to have alerts like: "User 'X' performed a logon" / "User 'X' performed a logoff".

OSSEC by default has windows logon and logoff rules (4624, 4634) but they trigger at each event with these IDs and you cannot have a specific result, too much noise is generated.

Has anyone implemented successfully the monitoring of user logons/logoffs to the AD server with OSSEC? How can I isolate the noise and get the desirable results?

Thanks in advance!

Grant Leonard

May 31, 2019, 7:34:44 AM5/31/19
to ossec-list
You are going to need to grab logs from the desktop as well, as those have the "unlock" and "lock" instances; many times users remain logged in and you get tons of background authentication noise.

You can also marry that with Kerberos ticket requests, but that is a whole next level of noise.

One way to reduce the noise would be ignoring machine accounts (accounts ending in $), focusing on the specific user. Much of the noise is attributed to Audit Policies at the domain level as well, so getting that correctly tuned is key.

My best results came from Audit Policies and matching specific desktop events with Domain logon/logoff, as you can then filter out the connection to shared drives and such.

All the best

Grant
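The filtering the two posts above describe (drop machine accounts ending in `$`, drop the network logons that shared-drive connections generate, collapse the 5-6 events Windows writes per real logon into one "User 'X' performed a logon/logoff" alert) can be prototyped outside OSSEC before it is turned into rules. The script below is an added example, not code from the thread or from the OSSEC project: it runs over constructed, simplified one-line renderings of Security events 4624 and 4634 (the field layout is an assumption for the example, not the exact format an OSSEC agent forwards) and keeps only the logon types that correspond to a person at a console, an unlock, or an RDP session (types 2, 7, 10, 11); the 30-second de-duplication window is likewise a constructed choice.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Constructed sample lines (not real OSSEC/agent output): a simplified one-line
# rendering of Windows Security events with the fields this example needs.
SAMPLE_EVENTS = [
    "2019-05-31T08:00:00 DC01 AUDIT_SUCCESS(4624) Logon Type: 3 Account Name: WS042$ Account Domain: CORP",
    "2019-05-31T08:00:01 DC01 AUDIT_SUCCESS(4624) Logon Type: 2 Account Name: kstavridis Account Domain: CORP",
    "2019-05-31T08:00:01 DC01 AUDIT_SUCCESS(4624) Logon Type: 3 Account Name: kstavridis Account Domain: CORP",
    "2019-05-31T08:00:02 DC01 AUDIT_SUCCESS(4624) Logon Type: 3 Account Name: kstavridis Account Domain: CORP",
    "2019-05-31T08:00:03 DC01 AUDIT_SUCCESS(4634) Logon Type: 3 Account Name: kstavridis Account Domain: CORP",
    "2019-05-31T08:00:05 DC01 AUDIT_SUCCESS(4624) Logon Type: 2 Account Name: kstavridis Account Domain: CORP",
    "2019-05-31T08:00:09 DC01 AUDIT_SUCCESS(4624) Logon Type: 5 Account Name: SYSTEM Account Domain: NT AUTHORITY",
    "2019-05-31T09:30:00 DC01 AUDIT_SUCCESS(4634) Logon Type: 2 Account Name: kstavridis Account Domain: CORP",
    "2019-05-31T09:31:00 DC01 AUDIT_SUCCESS(4624) Logon Type: 10 Account Name: gleonard Account Domain: CORP",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) AUDIT_SUCCESS\((?P<eid>\d+)\) "
    r"Logon Type: (?P<ltype>\d+) Account Name: (?P<user>\S+) Account Domain: (?P<domain>.+)$"
)

# Event IDs from the original question.
LOGON_EVENT_IDS = {4624: "logon", 4634: "logoff"}

# Logon types that reflect a person at a keyboard: 2 Interactive, 7 Unlock,
# 10 RemoteInteractive (RDP), 11 CachedInteractive. Type 3 (Network: shares,
# printers) and type 5 (Service) are the background noise the thread mentions.
HUMAN_LOGON_TYPES = {2, 7, 10, 11}


@dataclass
class Alert:
    ts: datetime
    host: str
    user: str
    action: str  # "logon" or "logoff"

    def message(self) -> str:
        return f"User '{self.user}' performed a {self.action}"


def parse_event(line: str) -> Optional[dict]:
    """Parse one constructed event line; return None for lines we don't understand."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    eid = int(m.group("eid"))
    if eid not in LOGON_EVENT_IDS:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "host": m.group("host"),
        "action": LOGON_EVENT_IDS[eid],
        "logon_type": int(m.group("ltype")),
        "user": m.group("user"),
        "domain": m.group("domain"),
    }


def is_noise(ev: dict) -> bool:
    """Machine accounts (trailing '$') and non-interactive logon types are noise."""
    if ev["user"].endswith("$"):
        return True
    return ev["logon_type"] not in HUMAN_LOGON_TYPES


def summarize_logons(lines: Iterable[str], window: timedelta = timedelta(seconds=30)) -> List[Alert]:
    """Turn raw event lines into one alert per user/action, de-duplicated per window."""
    last_alert = {}  # (user, action) -> timestamp of the last alert emitted
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or is_noise(ev):
            continue
        key = (ev["user"].lower(), ev["action"])
        prev = last_alert.get(key)
        if prev is not None and ev["ts"] - prev < window:
            continue  # repeat of a logon/logoff we already reported
        last_alert[key] = ev["ts"]
        alerts.append(Alert(ev["ts"], ev["host"], ev["user"], ev["action"]))
    return alerts


if __name__ == "__main__":
    for a in summarize_logons(SAMPLE_EVENTS):
        print(a.ts.isoformat(), a.host, a.message())
```

Run against the nine sample lines it prints three alerts: a logon and a later logoff for `kstavridis`, and an RDP logon for `gleonard`; the machine account, the three network-type events, the service logon and the repeated interactive logon are all suppressed. The same three conditions (account suffix, logon type, repeat suppression) are what an OSSEC rule set needs to express: a level-0 rule that swallows `$` accounts and the unwanted logon types, and a higher-level rule with a frequency/timeframe on the remainder.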