I want to know how LEM can provide details about the points given below:
Microsoft Windows Active Directory Server
Unusual Login Activity (from different locations/country)
Unauthorized Password Resets
Unusual Password Reset Attempts
Access to NON-AUTHORIZED devices
Brute Force Login Attempts using the same username (password dictionary)
Brute Force Login Attempts from the same source IP
Multiple accounts login from single host
Privileged Account Usage
Successful logins from untrusted locations
User logged in from source IP local within LAN
Suspicious Admin Activity such as privileged access and remote execution
High number of login failures for the same account within a short period of time
High number of login failures for different accounts within a short period of time
Identify when an admin user clears the audit logs from the Windows server
Failed Logins with disabled accounts
Failed logins with admin IDs
Logon Failure - A logon attempt was made by a user who is not allowed to log on to this computer
Logon Failure - A logon attempt was made using an expired account
Windows Security Log is full
Detection of system time changes
User added and removed within a short period of time
Detection of users being added or removed from the admin group
Multiple Failed Login attempts (more than 3) for the same user ID followed by a successful login
Detection of adding user account to a privilege group
Detection of any logon event as built-in administrator
Detection of audit policy changes
Detection of domain policy changes
Detection of high privileges user granted
Detection of logon
User account enabled
Local user created
A new service installed
Modification to a Group Policy Object
Permissions Change to an Organizational Unit
Group policy object links changed on an organizational unit, or Enforced enabled or disabled
Organizational Unit deleted
Group Policy Object deleted
Detection of adding an object to a security group (e.g. domain controller)
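As an added example (not part of the original post, and not SolarWinds LEM's own correlation rules), the Python script below shows how several of the conditions in this list can be written as correlation logic over Windows Security events: repeated failures followed by a success for one account, a burst of failures per account or per source IP, many different accounts failing from one source IP, the audit log being cleared, a member added to a privileged group, and a logon as the built-in Administrator. The event records are constructed sample data; the field names (`id`, `user`, `ip`, `member`, `group`) are a simplified shape chosen for the example, not LEM's schema. The Windows event IDs used are the standard ones: 4624 successful logon, 4625 failed logon, 1102 audit log cleared, 4728/4732 member added to a global/local security group.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely shaped like Windows Security log records.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T09:00:00", "id": 4625, "user": "jdoe", "ip": "10.0.0.5"},
    {"time": "2024-01-01T09:00:10", "id": 4625, "user": "jdoe", "ip": "10.0.0.5"},
    {"time": "2024-01-01T09:00:20", "id": 4625, "user": "jdoe", "ip": "10.0.0.5"},
    {"time": "2024-01-01T09:00:30", "id": 4625, "user": "jdoe", "ip": "10.0.0.5"},
    {"time": "2024-01-01T09:00:45", "id": 4624, "user": "jdoe", "ip": "10.0.0.5"},
    {"time": "2024-01-01T09:05:00", "id": 4625, "user": "alice", "ip": "10.0.0.9"},
    {"time": "2024-01-01T09:05:05", "id": 4625, "user": "bob", "ip": "10.0.0.9"},
    {"time": "2024-01-01T09:05:10", "id": 4625, "user": "carol", "ip": "10.0.0.9"},
    {"time": "2024-01-01T09:05:15", "id": 4625, "user": "dave", "ip": "10.0.0.9"},
    {"time": "2024-01-01T09:05:20", "id": 4625, "user": "erin", "ip": "10.0.0.9"},
    {"time": "2024-01-01T09:10:00", "id": 1102, "user": "admin1", "ip": "-"},
    {"time": "2024-01-01T09:12:00", "id": 4728, "user": "admin1",
     "member": "eve", "group": "Domain Admins"},
    {"time": "2024-01-01T09:15:00", "id": 4624, "user": "Administrator", "ip": "10.0.0.7"},
]

# Group names treated as privileged for the "added to a privilege group" rule.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}


def _t(event):
    """Parse the event timestamp so rules can sort and window by time."""
    return datetime.fromisoformat(event["time"])


def failures_then_success(events, threshold=3):
    """More than `threshold` failed logons for one account, then a successful logon.

    Returns (user, failure_count, success_time) tuples.
    """
    streak = defaultdict(int)
    hits = []
    for e in sorted(events, key=_t):
        if e["id"] == 4625:
            streak[e["user"]] += 1
        elif e["id"] == 4624:
            if streak[e["user"]] > threshold:
                hits.append((e["user"], streak[e["user"]], e["time"]))
            streak[e["user"]] = 0  # a success ends the failure streak
    return hits


def burst_failures(events, key, threshold, window=timedelta(minutes=5)):
    """Sliding-window count of failed logons grouped by `key` ('user' or 'ip').

    Returns the sorted list of keys that reached `threshold` failures in any window.
    """
    recent = defaultdict(list)  # key -> timestamps of failures in the current window
    hits = set()
    for e in sorted(events, key=_t):
        if e["id"] != 4625:
            continue
        q = recent[e[key]]
        q.append(_t(e))
        while q and _t(e) - q[0] > window:
            q.pop(0)  # drop failures older than the window
        if len(q) >= threshold:
            hits.add(e[key])
    return sorted(hits)


def spray_from_ip(events, min_users=4, window=timedelta(minutes=5)):
    """Many distinct accounts failing from a single source IP within a window.

    Returns {ip: distinct_user_count} for IPs that reached `min_users`.
    """
    recent = defaultdict(list)  # ip -> [(time, user)] within the window
    hits = {}
    for e in sorted(events, key=_t):
        if e["id"] != 4625:
            continue
        q = recent[e["ip"]]
        q.append((_t(e), e["user"]))
        while q and _t(e) - q[0][0] > window:
            q.pop(0)
        users = {u for _, u in q}
        if len(users) >= min_users:
            hits[e["ip"]] = len(users)
    return hits


def single_event_alerts(events):
    """Rules that fire on one event: audit log cleared, privileged group add, built-in admin logon."""
    alerts = []
    for e in events:
        if e["id"] == 1102:
            alerts.append(("audit_log_cleared", e["user"]))
        elif e["id"] in (4728, 4732) and e.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_add", f"{e['member']} -> {e['group']} by {e['user']}"))
        elif e["id"] == 4624 and e["user"].lower() == "administrator":
            alerts.append(("builtin_admin_logon", e["ip"]))
    return alerts


if __name__ == "__main__":
    print("failures then success:", failures_then_success(SAMPLE_EVENTS))
    print("burst per user:", burst_failures(SAMPLE_EVENTS, "user", 4))
    print("burst per ip:", burst_failures(SAMPLE_EVENTS, "ip", 4))
    print("spray from ip:", spray_from_ip(SAMPLE_EVENTS))
    print("single-event alerts:", single_event_alerts(SAMPLE_EVENTS))
```

Each function corresponds to one or two lines of the list above; a real deployment would read the same fields from forwarded Security log events (for example via a log collector) rather than from the inline sample, and tune the thresholds and window sizes to the environment.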