Monitoring with LEM on the DC

My organization has LEM agents deployed on the domain controllers. I have created a logon rule for users within a certain subnet of the organization. (EX. UserLogon.SourceMachine=Source IP)

Since the agent is on the DC, I can see the Logon from the source user, but I cannot see the process to which they are accessing after its logged in the DC. How can I monitor Logons and executions on both ends for precise monitoring ex. source and destination IP's/names, and what are ideal baselines for a set up like this with agents on the DC, keeping compliance as a necessity?

Thank you,

Nickolas

Find more posts tagged with

domain controller

tcpaudit

solarwinds event

network compliance

monitoring

Accepted answers

All comments

mesverrum

To see processes you have to have agents installed on their workstations as those events only exist in the local machine logs

curtisi

As mesverrum said, you'll need agents on the client systems for process monitoring. You'll also have to make sure that your audit policy is configured to get process information. In Windows, you'll need to look at the Detailed Tracking settings in your audit policies.

2019-02-04 08_59_02-Administrator_ Command Prompt.png

Specifically, you'll need to set your "Process Creation" and "Process Termination" events at least to "Success."

nsenkevich

Thank you very much.

nsenkevich

Curtisi, after the agents are pushed and policy is set, what types of alerts and which filtering technique can I separate my workstations from my vm servers to reach PCI, HIPPA compliance?

nsenkevich

How do I set this policy above on the DC to mass push it out? curtisi

curtisi

Check this out:
Step-By-Step: Enabling Advanced Security Audit Policy via DS Access – CANITPRO