Last updated: April 29, 2026
Every attack in this track leaves footprints in AD logs, Sysmon events, EDR telemetry, and domain controller security logs. Most go undetected because organizations either don’t collect the right logs, don’t write detection rules for AD-specific TTPs, or don’t have the process to respond to alerts in time. This closing module covers what AD detection looks like when done right.
Why AD detection is hard
- Volume. DCs generate thousands of events per second in busy environments. Signal to noise is brutal without tuning.
- Normal admin = suspicious attacker. DCSync is used legitimately by replication (normal) and by attackers (suspicious). Distinguishing requires context (source, time, frequency).
- Default log coverage insufficient. Windows default Security logs capture much but miss things like PowerShell script content and ACL changes unless the relevant auditing is explicitly enabled.
- Cross-source correlation required. “Unusual Kerberos ticket” is partial; combined with “unusual process on endpoint” it’s high-confidence.
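As an added example that is not part of the original page, the following Python turns two of the points above into small detection rules run over constructed sample events: the DCSync case (replication rights requested by something other than a domain controller) and the cross-source case (a weak Kerberos signal that only becomes high-confidence once an endpoint event on the same host is paired with it). The event IDs and replication control-access GUIDs are real Windows/AD values; the hostnames, accounts, DC inventory, process baseline and the pre-resolved `Host` field on each record are assumptions for the example.

```python
"""Added example (not from the original page): context and correlation rules
over constructed AD and endpoint events.

Assumptions: a SIEM has already normalized every record into a dict with a
``Host`` field (the 4769 client IP resolved to a hostname), and the
KNOWN_DC_ACCOUNTS and BASELINE_IMAGES sets come from an asset inventory.
"""
from datetime import datetime, timedelta

# Control-access rights that permit directory replication (real AD GUIDs).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Constructed inventory: machine accounts of the legitimate domain controllers.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed baseline of process images expected on workstations.
BASELINE_IMAGES = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\explorer.exe",
}

# Constructed Security event 4662 records (Directory Service Access).
DS_ACCESS_EVENTS = [
    {"EventID": 4662, "Time": "2026-04-29 03:00:05", "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Time": "2026-04-29 09:14:30", "SubjectUserName": "svc_backup",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Time": "2026-04-29 09:30:00", "SubjectUserName": "jdoe",
     "Properties": "{00000000-0000-0000-0000-000000000001}"},  # constructed, non-replication right
]

# Constructed Security event 4769 records (Kerberos service ticket requested).
KERBEROS_EVENTS = [
    {"EventID": 4769, "Time": "2026-04-29 09:15:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "MSSQLSvc", "TicketEncryptionType": "0x17", "Host": "WS17"},
    {"EventID": 4769, "Time": "2026-04-29 09:20:11", "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "HTTP", "TicketEncryptionType": "0x12", "Host": "WS03"},
    {"EventID": 4769, "Time": "2026-04-29 10:00:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "MSSQLSvc", "TicketEncryptionType": "0x17", "Host": "WS09"},
]

# Constructed Sysmon event 1 records (process creation).
SYSMON_EVENTS = [
    {"EventID": 1, "Time": "2026-04-29 09:16:40", "Host": "WS17",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\tool.exe"},
    {"EventID": 1, "Time": "2026-04-29 09:21:00", "Host": "WS03",
     "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Time": "2026-04-29 11:30:00", "Host": "WS09",
     "Image": r"C:\Users\bob\Downloads\x.exe"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def detect_dcsync(events, known_dc_accounts):
    """Flag 4662 events that request replication rights from a non-DC principal.

    The same right requested by a DC machine account is ordinary replication;
    the requester identity is the context that separates the two.
    """
    alerts = []
    for ev in events:
        if ev["EventID"] != 4662:
            continue
        requested = {g.strip("{}").lower() for g in ev["Properties"].split()}
        if not requested & REPLICATION_GUIDS:
            continue
        if ev["SubjectUserName"] in known_dc_accounts:
            continue  # expected DC-to-DC replication
        alerts.append({"rule": "replication-rights-from-non-dc",
                       "account": ev["SubjectUserName"], "time": ev["Time"]})
    return alerts


def correlate_kerberos_with_endpoint(kerb_events, sysmon_events, window=timedelta(minutes=5)):
    """Pair a weak Kerberos signal with an endpoint signal on the same host.

    A 4769 with RC4 (TicketEncryptionType 0x17) is only a hint by itself. When
    the requesting host also logged a process creation outside its baseline
    within the window, the combination is reported as high-confidence.
    """
    weak_tickets = [e for e in kerb_events
                    if e["EventID"] == 4769 and e["TicketEncryptionType"] == "0x17"]
    odd_procs = [e for e in sysmon_events
                 if e["EventID"] == 1 and e["Image"] not in BASELINE_IMAGES]
    alerts = []
    for ticket in weak_tickets:
        t_ticket = parse_ts(ticket["Time"])
        for proc in odd_procs:
            if proc["Host"] != ticket["Host"]:
                continue
            if abs(parse_ts(proc["Time"]) - t_ticket) <= window:
                alerts.append({"rule": "rc4-ticket-plus-unusual-process",
                               "host": ticket["Host"], "user": ticket["TargetUserName"],
                               "service": ticket["ServiceName"], "image": proc["Image"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(DS_ACCESS_EVENTS, KNOWN_DC_ACCOUNTS):
        print(alert)
    for alert in correlate_kerberos_with_endpoint(KERBEROS_EVENTS, SYSMON_EVENTS):
        print(alert)
```

Run as-is, the first rule reports only the `svc_backup` request (the `DC02$` one is suppressed by the inventory), and the second reports only `WS17`: `WS03` used AES, and the `WS09` process fell outside the five-minute window. Both rules live or die by the quality of the inventory and baseline they consume, which is the tuning cost the list above refers to.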
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.