Active Directory (AD) is the central identity and authentication system in most Windows-based enterprise environments.
It controls user identities, group policies, authentication flows, and access to critical resources across domains.
Because of this central role, AD is one of the most targeted components in modern enterprise attack chains.
Monitoring Active Directory is critical because compromise of AD often equates to full domain compromise.
Attackers who gain access to domain controllers or privileged accounts can manipulate identities, escalate privileges, and move laterally across the environment with minimal resistance.
Wazuh enhances Active Directory visibility by collecting, normalizing, and correlating Windows security logs from domain controllers and endpoints.
It provides real-time detection of suspicious authentication patterns, privilege changes, and policy modifications, turning raw Windows event logs into actionable security intelligence.
Benefits of using Wazuh for Active Directory monitoring include centralized visibility across domain controllers, real-time alerting on authentication anomalies, detection of privilege escalation attempts, and integration with threat intelligence sources for enriched detection context.
Additional Resources:
How to Install a Wazuh Agent on Windows Server
How to Reduce False Positives in Wazuh
Understanding Active Directory Monitoring
What Should Be Monitored in Active Directory?
Effective Active Directory monitoring focuses on security-relevant telemetry that reflects authentication, authorization, and configuration changes.
User account activity should be continuously monitored, including logins, logoffs, failed authentication attempts, and unusual login times or locations.
Authentication events from domain controllers provide critical insight into credential misuse, including repeated failed logins and abnormal Kerberos ticket requests.
Privileged group membership changes must be tracked closely, especially modifications to groups such as Domain Admins, Enterprise Admins, and Schema Admins.
Account lockouts often indicate brute-force attempts or credential stuffing attacks targeting AD users.
Password changes and resets are important indicators of both legitimate administrative actions and potential attacker-driven persistence mechanisms.
Group Policy modifications are high-risk events, as attackers can use GPOs to deploy malware, change security settings, or establish persistence across domain-joined systems.
Service account activity should also be monitored, particularly for accounts with elevated privileges or non-interactive login behavior.
Domain controller events represent the most sensitive layer of AD telemetry and should be continuously collected and analyzed.
Key Security Risks in Active Directory
Active Directory environments face a consistent set of high-impact attack techniques that are widely used in real-world breaches.
Compromised administrator accounts represent the most critical risk, as they allow attackers to fully control domain infrastructure.
Kerberoasting attacks target service account Kerberos tickets to extract hashed credentials for offline cracking.
Pass-the-Hash attacks allow adversaries to authenticate using stolen NTLM hashes without needing plaintext passwords.
Golden Ticket attacks involve forging Kerberos Ticket Granting Tickets (TGTs) to maintain persistent domain-level access.
Insider threats can bypass perimeter defenses entirely by abusing legitimate access.
Unauthorized privilege escalation often results from misconfigured group memberships or vulnerable delegation settings.
These risks align with documented enterprise identity attack patterns outlined in NIST security control guidance for continuous monitoring and identity assurance.
Wazuh Components Used for Active Directory Monitoring
Wazuh Agent
The Wazuh Agent runs on Windows servers and endpoints, including domain controllers, where it collects security-relevant logs from the Windows Event Log system.
It is responsible for collecting authentication events, account management events, and system-level security logs.
These logs are then securely forwarded to the Wazuh Manager for processing.
Event forwarding ensures that AD-related telemetry is centralized, allowing correlation across multiple domain controllers and endpoints.
Additional Resources:
How to Install a Wazuh Agent on Windows Server
Wazuh Manager
The Wazuh Manager acts as the core analysis engine for Active Directory monitoring.
It performs event analysis, applies decoding rules to Windows security logs, and correlates events across multiple sources to identify suspicious patterns.
Rule matching enables detection of AD-specific threats such as repeated authentication failures, privileged group changes, and anomalous account behavior.
The Manager also generates alerts that can be forwarded to dashboards, SIEM systems, or external incident response workflows.
Wazuh Indexer
The Wazuh Indexer is responsible for storing and indexing Windows security events collected from Active Directory environments.
It enables fast querying of authentication logs, privilege changes, and historical security events across large datasets.
This indexing layer is critical for forensic investigations, as it allows security teams to reconstruct attack timelines across domain controllers.
Wazuh Dashboard
The Wazuh Dashboard provides visualization and operational monitoring for Active Directory security events.
Security teams can use it to track authentication trends, visualize account lockouts, monitor privileged account activity, and investigate alerts in real time.
Dashboards can be customized to focus specifically on domain controller activity, making it easier to detect anomalies in high-volume AD environments.
Additional Resources:
How to Configure Wazuh Log Retention
How to Fix Wazuh Certificate Errors
Wazuh Components Used for Active Directory Monitoring
Wazuh Agent
The Wazuh Agent is deployed directly on Windows servers and domain controllers to collect security telemetry at the source.
In Active Directory environments, it focuses primarily on Windows Event Logs, which contain critical authentication and authorization data.
Collecting Windows Security Logs
On a domain controller, the agent collects events from the Security Event Log, including logon attempts, account management changes, and Kerberos authentication activity.
These logs form the foundation for detecting AD-based attacks such as brute force attempts or privilege escalation.
Event Forwarding
Once collected, logs are securely forwarded to the Wazuh Manager in near real-time.
This ensures centralized visibility across all domain controllers and reduces the risk of local log tampering impacting detection coverage.
Wazuh Manager
The Wazuh Manager is the central analysis layer responsible for processing Active Directory telemetry at scale.
Event Analysis and Correlation
Incoming Windows Event Logs are decoded and normalized into structured security events.
The Manager correlates related events across time and hosts, allowing detection of multi-step attack patterns such as repeated failed logins followed by successful privilege escalation.
Rule Matching and Alert Generation
Wazuh applies a rule-based detection engine to identify suspicious behavior.
For Active Directory, this includes detection of:
- Unauthorized privilege group modifications
- Suspicious authentication patterns (e.g., repeated 4625 failures)
- New account creation outside expected administrative workflows
- Kerberos-related anomalies
When conditions match defined rules, the Manager generates alerts that are sent to the Indexer and Dashboard for visualization and investigation.
Wazuh Indexer
The Wazuh Indexer provides storage and search capabilities for all Active Directory-related security events.
Storing Windows Security Events
All forwarded logs from domain controllers are indexed in a structured format, enabling fast querying and historical analysis.
This is essential for forensic investigations where analysts need to reconstruct attacker behavior over time.
The Indexer is particularly valuable in high-volume AD environments where millions of authentication events may be generated daily.
Wazuh Dashboard
The Wazuh Dashboard serves as the primary interface for monitoring Active Directory security activity.
Security Monitoring and Reporting
Security teams use the dashboard to visualize authentication trends, monitor privileged account activity, and investigate alerts generated by the Manager.
Common AD-focused views include:
- Failed vs successful login ratios
- Domain admin group modifications
- Account lockout spikes
- Suspicious PowerShell execution patterns
This provides SOC teams with a real-time operational view of identity security across the domain.
Prerequisites
Environment Requirements
Before deploying Active Directory monitoring with Wazuh, the environment must be properly prepared to ensure reliable log collection and correlation.
Wazuh Manager Installed
A fully operational Wazuh Manager must be deployed and reachable from the domain controller.
This component handles event processing, rule evaluation, and alert generation.
See our How to Install a Wazuh Agent on Windows Server guide.
Wazuh Dashboard Configured
The dashboard should be configured to visualize security events and alerts.
This allows security teams to validate AD event ingestion and monitor authentication activity in real time.
Domain Controller Running Windows Server
Active Directory monitoring requires at least one Windows Server-based domain controller with auditing enabled.
Supported versions typically include Windows Server 2016, 2019, and 2022.
Administrative Access to Active Directory
Administrative privileges are required to install the Wazuh Agent, configure event log access, and validate security auditing settings.
Network Requirements
Proper network configuration is essential for ensuring secure and uninterrupted communication between the Wazuh Agent and Manager.
Communication Ports
The Wazuh Agent communicates with the Manager using secure TCP channels.
The default ports (1514/TCP for event ingestion and 1515/TCP for enrollment) must be open between the domain controller and the Wazuh infrastructure.
Firewall Considerations
Firewalls on both Windows Server and network boundaries must allow bidirectional communication between agent and manager.
Restrictive firewall rules are a common cause of missing or delayed AD logs.
Agent Connectivity Validation
After installation, connectivity should be verified by confirming successful registration and active communication status between the agent and manager.
Installing the Wazuh Agent on a Domain Controller
Downloading the Wazuh Agent
Supported Windows Server Versions
The Wazuh Agent supports modern Windows Server versions commonly used for Active Directory:
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Ensuring compatibility is important to avoid log collection or service stability issues.
Obtaining the Installer
The latest Windows agent installer should be downloaded from the official Wazuh distribution repository or release page.
Installing the Agent
GUI Installation
The graphical installer provides a standard Windows setup wizard for installing the Wazuh Agent on a domain controller.
During installation, administrators specify the Wazuh Manager IP address and agent name.
Silent Installation with PowerShell
For enterprise deployments, silent installation via PowerShell enables automation across multiple domain controllers.
This is typically used in larger AD environments where manual installation is impractical.
Registering the Agent
Connecting to the Wazuh Manager
After installation, the agent must be registered with the Wazuh Manager.
This establishes a secure communication channel for log forwarding.
Verifying Agent Enrollment
Successful enrollment can be confirmed by checking the agent status in the Wazuh Dashboard or using agent management commands on the manager side.
Confirming Agent Connectivity
Checking Agent Status
Once registered, the agent should show an active status indicating it is successfully communicating with the manager.
Reviewing Initial Logs
Initial logs confirm that Windows Event Logs are being collected and forwarded correctly.
Any errors at this stage usually indicate permission or firewall issues.
Configuring Windows Event Log Collection
Why Windows Event Logs Matter
Windows Event Logs are the primary telemetry source for Active Directory security monitoring.
They provide detailed insight into authentication events, privilege changes, and system-level modifications.
Security Auditing
Security auditing logs capture login attempts, account changes, and policy modifications—key signals for detecting malicious activity.
Authentication Tracking
These logs provide visibility into Kerberos and NTLM authentication flows, helping detect brute force and credential-based attacks.
Change Monitoring
Event logs also track changes to user accounts, group memberships, and domain policies.
Configuring Event Channels in Wazuh
To enable full Active Directory visibility, multiple Windows event channels should be collected:
- Security log
- System log
- Application log
- Microsoft-Windows-PowerShell logs
These sources provide a comprehensive view of both user activity and administrative actions.
Example Wazuh Agent Configuration
```xml
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
</localfile>
```

This configuration ensures that Windows Security Event Logs are captured and forwarded to the Wazuh Manager.
Restarting the Agent
Applying Configuration Changes
After modifying the agent configuration, the Wazuh service must be restarted to apply changes and begin event forwarding.
Validating Log Collection
Validation involves confirming that events from the Security channel appear in the Wazuh Dashboard and are correctly indexed for analysis.
Configuring Windows Event Log Collection
Why Windows Event Logs Matter
Windows Event Logs are the primary telemetry source for Active Directory security monitoring.
Every authentication attempt, privilege change, and administrative action within a domain environment is recorded through these logs, making them essential for detecting both malicious activity and policy violations.
Security Auditing
Security auditing logs provide visibility into sensitive system events such as logons, account changes, and access to privileged resources.
Without these logs, it becomes nearly impossible to reconstruct attacker behavior within a compromised domain.
Authentication Tracking
Authentication logs capture both successful and failed login attempts, including Kerberos and NTLM authentication flows.
These events are critical for identifying brute-force attacks, credential stuffing, and anomalous login patterns.
Change Monitoring
Change monitoring focuses on modifications to users, groups, and policies.
This includes account creation, deletion, and Group Policy updates, all of which are commonly abused in Active Directory attacks.
Configuring Event Channels in Wazuh
To achieve comprehensive Active Directory visibility, Wazuh must be configured to collect multiple Windows Event Channels from domain controllers.
Security Log
The Security log is the most critical source, containing authentication events, account management activity, and privilege-related changes.
System Log
The System log provides insight into service-level events, system errors, and potential disruptions affecting domain controller stability.
Application Log
The Application log captures events generated by installed applications and services, including security tools and authentication-related services.
Microsoft-Windows-PowerShell Logs
PowerShell logging is essential for detecting advanced attacks, as attackers frequently use PowerShell for lateral movement, credential dumping, and persistence.
Example Wazuh Agent Configuration
```xml
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
</localfile>
```

This configuration enables Wazuh to collect Windows Security Event Logs from the domain controller and forward them to the Wazuh Manager for processing and correlation.
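The channel list above, and the list in the earlier "Configuring Event Channels in Wazuh" section, both ask for more than the Security channel. The fragment below is an added example, not the page's own configuration or Wazuh's shipped default: an agent-side `ossec.conf` block on a domain controller that collects all four channels. The channel names are the standard Windows names; the event IDs excluded by the `<query>` filter are an assumed noise reduction (file-share access checks and filtering-platform connections) and should be tuned to the environment.

```xml
<!-- Added example: agent ossec.conf fragment for a domain controller.
     Collects the four channels listed in the text. The query filter is an
     assumption; drop or extend the excluded IDs to suit your environment. -->
<ossec_config>
  <!-- Security: logon, account management, Kerberos and directory service events -->
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <!-- XPath filter evaluated on the agent before forwarding. 5145 (network share
         access check) and 5156 (filtering platform permitted connection) are very
         high volume on domain controllers and add little for AD monitoring. -->
    <query>Event/System[EventID != 5145 and EventID != 5156]</query>
  </localfile>

  <!-- System: service start/stop, errors affecting domain controller stability -->
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- Application: events from installed services, including security tooling -->
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- PowerShell operational channel. Script block logging (Event ID 4104) is
       written here once it has been enabled through Group Policy; without that
       policy the channel carries far less detail. -->
  <localfile>
    <location>Microsoft-Windows-PowerShell/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
```

The `<query>` element takes a standard Windows event XPath expression, the same syntax Event Viewer uses for custom views, so a filter can be tested in Event Viewer before it is put in the agent configuration. Excluding noise on the agent keeps the manager's event volume predictable on busy controllers.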
Restarting the Agent
Applying Configuration Changes
After updating the Wazuh Agent configuration, the service must be restarted to apply changes and activate new log collection settings.
Validating Log Collection
Validation should confirm that Windows Event Logs are actively being ingested into the Wazuh Manager and visible within the Wazuh Dashboard.
Any gaps typically indicate permission issues, misconfigured channels, or network connectivity problems.
Enabling Advanced Active Directory Auditing
Configuring Audit Policies
Advanced Active Directory monitoring requires enabling detailed audit policies on domain controllers to ensure all relevant security events are generated.
Audit Logon Events
Tracks authentication attempts, including both successful and failed logins.
Audit Account Logon Events
Monitors credential validation events processed by the domain controller, including Kerberos and NTLM authentication requests.
Audit Account Management
Captures changes to user and group accounts, including creation, modification, and deletion.
Audit Directory Service Access
Enables logging of access to Active Directory objects such as users, groups, and organizational units.
Audit Policy Change
Tracks modifications to audit policies themselves, which can be a critical indicator of attacker tampering.
Using Group Policy for Audit Configuration
Group Policy Management Console (GPMC)
Audit settings should be configured centrally using the Group Policy Management Console to ensure consistency across all domain controllers.
Recommended Audit Settings
A strong Active Directory monitoring configuration typically includes enabling success and failure auditing for logon events, account management, and directory service access.
Verifying Audit Policy Deployment
Using auditpol Commands
The auditpol utility can be used to verify that audit policies are correctly applied on domain controllers.
Confirming Event Generation
Once configured, administrators should validate that expected Event IDs are being generated in the Security log during authentication and account management activities.
Important Active Directory Event IDs to Monitor
Authentication Events
| Event ID | Description |
|---|---|
| 4624 | Successful logon |
| 4625 | Failed logon |
| 4648 | Explicit credential usage |
| 4768 | Kerberos authentication request |
| 4769 | Kerberos service ticket request |
| 4771 | Kerberos pre-authentication failure |
User Account Events
| Event ID | Description |
|---|---|
| 4720 | User account created |
| 4722 | User account enabled |
| 4725 | User account disabled |
| 4726 | User account deleted |
| 4738 | User account modified |
Privileged Group Changes
| Event ID | Description |
|---|---|
| 4728 | User added to security-enabled global group |
| 4732 | User added to local group |
| 4756 | User added to universal group |
Password Events
| Event ID | Description |
|---|---|
| 4723 | Password change attempt |
| 4724 | Password reset attempt |
These Event IDs form the backbone of Active Directory security monitoring and are essential for detecting privilege escalation and credential-based attacks.
Creating Active Directory Detection Rules in Wazuh
Detecting Multiple Failed Login Attempts
Brute-force Detection Logic
Brute-force detection in Active Directory typically relies on monitoring repeated failed authentication attempts within a short time window.
In Wazuh, this is implemented through rule frequency thresholds and event correlation.
Frequency-Based Alerting
When multiple Event ID 4625 failures occur from the same source or against the same account, Wazuh can trigger alerts indicating a potential brute-force attack.
Detecting New Administrative Accounts
Monitoring Domain Admins Membership Changes
Changes to privileged groups such as Domain Admins should always be treated as high-risk events. Wazuh can monitor Event IDs like 4728 to detect when a user is added to a privileged group.
High-Severity Alerts
These events are typically assigned high severity levels because they often indicate privilege escalation or insider compromise.
Detecting Account Lockouts
Lockout Monitoring Strategy
Account lockouts (commonly Event ID 4740, though which controller logs it depends on the environment) can indicate brute-force activity or credential spraying attempts.
Identifying Attack Patterns
Repeated lockouts across multiple accounts may signal automated password attacks targeting domain users.
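The lockout strategy described in this section, written as Wazuh rules. This is an added example and not the page's own ruleset: rule IDs in the 100500 range, the level values and the threshold of five distinct accounts in ten minutes are assumptions, and the parent rule 60103 (Wazuh's built-in "Windows audit success event" rule, which the page's own sample also uses) should be confirmed against the installed ruleset.

```xml
<!-- Added example: account lockout detection. Rule IDs and thresholds are assumptions. -->
<group name="active_directory,lockout,">

  <!-- A single lockout. 4740 is an audit-success event, so it chains from 60103.
       For this event ID TargetUserName is the locked account and TargetDomainName
       carries the name of the computer from which the failures originated. -->
  <rule id="100520" level="7">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4740$</field>
    <description>AD account locked out: $(win.eventdata.targetUserName) (caller computer $(win.eventdata.targetDomainName))</description>
  </rule>

  <!-- Lockouts of many different accounts inside ten minutes. A single user who
       forgot a password produces one lockout; an automated password attack that
       walks the user list produces many, each for a different account. -->
  <rule id="100521" level="12" frequency="5" timeframe="600">
    <if_matched_sid>100520</if_matched_sid>
    <different_field>win.eventdata.targetUserName</different_field>
    <description>Multiple AD accounts locked out in a short window: possible automated password attack</description>
  </rule>

</group>
```

The second rule only fires on top of the first, so it inherits its scope: tightening the base rule (for example, ignoring a known test account) automatically tightens the correlation rule as well.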
Detecting Privilege Escalation Attempts
Administrative Group Modifications
Any modification to privileged groups should be treated as a potential escalation attempt unless explicitly authorized.
Suspicious Account Activity
Wazuh rules can correlate group changes with unusual login behavior to detect potential attacker activity chains.
Sample Custom Wazuh Rule
```xml
<group name="active_directory,">
  <rule id="100500" level="10">
    <!-- 60103 is Wazuh's built-in "Windows audit success event" rule -->
    <if_sid>60103</if_sid>
    <!-- anchored so only the exact event ID matches -->
    <field name="win.system.eventID">^4728$</field>
    <description>User added to privileged group</description>
  </rule>
</group>
```

This rule triggers a high-severity alert when a user is added to a security-enabled group, providing early detection of privilege escalation attempts within Active Directory environments.
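The sample rule above alerts on every 4728, which on a busy domain includes routine additions to ordinary groups. The refinement below is an added example, not the page's own rule or Wazuh's shipped ruleset: it keeps a moderate-level base rule for all three "member added" event IDs from the tables earlier on the page and raises the level only when the target group is one of the privileged groups named in the introduction. Rule IDs, levels and the group list are assumptions; 60103 is the same parent rule the page's sample uses.

```xml
<!-- Added example: privileged group membership detection. Rule IDs, levels and
     the list of groups are assumptions; extend the list for your tier-0 groups. -->
<group name="active_directory,privileged_group,">

  <!-- Base rule: a member was added to a security-enabled global (4728),
       local (4732) or universal (4756) group. For these event IDs the decoded
       field targetUserName holds the group name and memberName the distinguished
       name of the account that was added. -->
  <rule id="100530" level="7">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID" type="pcre2">^(4728|4732|4756)$</field>
    <description>Member $(win.eventdata.memberName) added to group $(win.eventdata.targetUserName) by $(win.eventdata.subjectUserName)</description>
  </rule>

  <!-- Escalate when the group is one of the highest-privilege AD groups.
       The match is anchored so "Domain Admins Helpdesk" would not match. -->
  <rule id="100531" level="12">
    <if_sid>100530</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">^(Domain Admins|Enterprise Admins|Schema Admins|Administrators)$</field>
    <description>Member $(win.eventdata.memberName) added to privileged group $(win.eventdata.targetUserName) by $(win.eventdata.subjectUserName)</description>
  </rule>

</group>
```

Because the second rule is a child of the first, an addition to Domain Admins produces one level-12 alert rather than two alerts at different levels; Wazuh reports the most specific match. Removals from these groups (4729, 4733, 4757) are worth a mirror-image pair of rules, since an attacker removing a defender's account is as significant as adding their own.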
Monitoring Group Policy Changes
Why Group Policy Monitoring Matters
Group Policy Objects (GPOs) are one of the most powerful administrative mechanisms in Active Directory.
They control password policies, software deployment, Windows security settings, PowerShell configurations, firewall rules, and many other critical security controls.
Because GPOs can affect every system in a domain, attackers frequently target them after gaining elevated privileges.
Security Baseline Protection
Many organizations use Group Policy to enforce security baselines built on published recommendations such as the Microsoft Security Baselines.
Monitoring GPO changes helps ensure these security controls remain intact and have not been weakened by unauthorized modifications.
Detection of Unauthorized Modifications
Unauthorized changes to Group Policy can indicate:
- Privilege escalation
- Insider threats
- Persistence mechanisms
- Malware deployment
- Security control tampering
Detecting these changes quickly can significantly reduce attacker dwell time within the environment.
Key Event IDs
Several Active Directory events are particularly useful for monitoring Group Policy changes.
| Event ID | Description |
|---|---|
| 5136 | Directory object modified |
| 5137 | Directory object created |
| 5141 | Directory object deleted |
These events can provide visibility into GPO creation, modification, and deletion activities.
Building Alerts for GPO Modifications
Detecting GPO Creation
New GPO creation events should be monitored because attackers may create malicious policies designed to deploy scripts, scheduled tasks, or persistence mechanisms.
Event ID 5137 can be used to identify newly created policy objects.
Detecting GPO Deletion
Deletion of existing Group Policies may indicate an attempt to remove security controls or erase evidence of malicious changes.
Event ID 5141 is commonly associated with directory object deletion events.
Detecting Policy Updates
Modifications to existing Group Policies often generate Event ID 5136.
These changes should be reviewed carefully, especially when they affect:
- Password policies
- Windows Defender settings
- Firewall configurations
- PowerShell logging
- User rights assignments
Wazuh alerts can be configured to notify administrators whenever these modifications occur.
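The three event IDs from the table above apply to any directory object, not only GPOs. The rules below are an added example, not the page's own or Wazuh's shipped ruleset: they narrow each event to Group Policy objects using the decoded `objectClass` field, which is `groupPolicyContainer` for a GPO. Rule IDs and levels are assumptions; the parent rule 60103 is the one the page's sample rule uses.

```xml
<!-- Added example: Group Policy object change detection. Rule IDs and levels are
     assumptions. These event IDs are only generated when the "Directory Service
     Changes" audit subcategory is enabled and the objects carry an audit SACL. -->
<group name="active_directory,gpo,">

  <!-- GPO created (5137). objectDN is the full LDAP path of the new policy object. -->
  <rule id="100540" level="10">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^5137$</field>
    <field name="win.eventdata.objectClass">^groupPolicyContainer$</field>
    <description>GPO created: $(win.eventdata.objectDN) by $(win.eventdata.subjectUserName)</description>
  </rule>

  <!-- GPO modified (5136). attributeLDAPDisplayName names the changed attribute;
       every edit in the GPMC bumps versionNumber, so one edit yields several events. -->
  <rule id="100541" level="10">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^5136$</field>
    <field name="win.eventdata.objectClass">^groupPolicyContainer$</field>
    <description>GPO modified: $(win.eventdata.objectDN), attribute $(win.eventdata.attributeLDAPDisplayName) by $(win.eventdata.subjectUserName)</description>
  </rule>

  <!-- GPO deleted (5141). Rated higher: removing a policy can strip a security
       control from every machine it applied to. -->
  <rule id="100542" level="12">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^5141$</field>
    <field name="win.eventdata.objectClass">^groupPolicyContainer$</field>
    <description>GPO deleted: $(win.eventdata.objectDN) by $(win.eventdata.subjectUserName)</description>
  </rule>

</group>
```

The GPO's display name is not in these events; `objectDN` contains the policy GUID, which can be resolved to a name in the GPMC or correlated with the `gPCFileSysPath` attribute value when that attribute is the one changed. Linking a GPO to an OU is a change to the OU's `gPLink` attribute, so a 5136 with `objectClass` of `organizationalUnit` and `attributeLDAPDisplayName` of `gPLink` is worth a companion rule.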
Detecting Suspicious Active Directory Activity
Brute Force Attacks
Brute-force attacks remain one of the most common threats against Active Directory environments.
Multiple Event ID 4625 Alerts
A high volume of Event ID 4625 (failed logon) events against a single account or from a single source often indicates a password guessing attack.
Wazuh can generate alerts when failed authentication attempts exceed predefined thresholds.
Source IP Analysis
Analyzing source IP addresses helps determine whether failures originate from:
- Internal hosts
- VPN connections
- Remote access systems
- Potentially compromised endpoints
Correlating failures with source IP activity improves detection accuracy and reduces false positives.
Password Spraying
Password spraying differs from traditional brute-force attacks because attackers attempt a small number of common passwords across many accounts.
Identifying Distributed Login Failures
Instead of targeting a single account repeatedly, password spraying generates low-frequency failures across multiple users.
Wazuh correlation rules can identify these distributed attack patterns by analyzing authentication failures across many accounts within a defined time window.
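Both patterns in this section, and the frequency-based brute-force logic described under "Creating Active Directory Detection Rules in Wazuh", come down to the same base event with different grouping keys. The rules below are an added example, not the page's own or Wazuh's shipped ruleset: one base rule for Event ID 4625, a brute-force rule that groups failures by target account, and a spraying rule that groups by source address while requiring the accounts to differ. Rule IDs, levels and the thresholds are assumptions; the parent rule 60104 is assumed to be Wazuh's built-in "Windows audit failure event" rule (the failure-side counterpart of 60103, which the page's sample uses) and should be checked against the installed ruleset.

```xml
<!-- Added example: failed-logon correlation. Rule IDs, levels and thresholds
     are assumptions; tune the counts to the environment's normal failure rate. -->
<group name="active_directory,authentication_failure,">

  <!-- Base rule: one failed logon. 4625 is an audit-failure event. ipAddress is
       the source of the logon attempt as recorded by the host that logged it. -->
  <rule id="100550" level="5">
    <if_sid>60104</if_sid>
    <field name="win.system.eventID">^4625$</field>
    <description>Failed logon for $(win.eventdata.targetUserName) from $(win.eventdata.ipAddress)</description>
  </rule>

  <!-- Brute force: the same account fails ten times within two minutes,
       regardless of where the attempts come from. -->
  <rule id="100551" level="10" frequency="10" timeframe="120">
    <if_matched_sid>100550</if_matched_sid>
    <same_field>win.eventdata.targetUserName</same_field>
    <description>Possible brute force: repeated failed logons for $(win.eventdata.targetUserName)</description>
  </rule>

  <!-- Password spraying: one source fails against ten different accounts within
       ten minutes. Per-account counts stay low, so the per-account rule above
       never fires; grouping by source is what exposes the pattern. -->
  <rule id="100552" level="12" frequency="10" timeframe="600">
    <if_matched_sid>100550</if_matched_sid>
    <same_field>win.eventdata.ipAddress</same_field>
    <different_field>win.eventdata.targetUserName</different_field>
    <description>Possible password spraying: failed logons for many accounts from $(win.eventdata.ipAddress)</description>
  </rule>

</group>
```

One caveat for domain controllers: a Kerberos logon that fails at the controller is recorded as 4771 (pre-authentication failure, already in the page's event table) rather than 4625, and NTLM validation failures as 4776. A complete picture needs sibling base rules for those IDs feeding the same two correlation rules, or agents on the member servers where the 4625 events are actually written.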
User Enumeration Indicators
Attackers often enumerate valid usernames before launching password spraying campaigns.
Indicators include:
- Authentication failures against many accounts
- Consistent source systems
- Sequential targeting patterns
- Logon attempts during unusual hours
Kerberoasting Attempts
Kerberoasting is a widely used Active Directory attack technique that targets service accounts with Service Principal Names (SPNs).
According to guidance from Microsoft’s Kerberos Security Documentation, monitoring Kerberos activity is an important component of identity security.
Monitoring Unusual Ticket Requests
Attackers performing Kerberoasting often request large numbers of service tickets in a short period of time.
These requests can appear abnormal when compared to baseline service account behavior.
Event ID 4769 Analysis
Event ID 4769 records Kerberos service ticket requests.
Indicators of potential Kerberoasting include:
- High ticket request volumes
- Requests targeting multiple service accounts
- Requests originating from unusual hosts
- Activity outside normal business hours
Wazuh rules can identify these anomalies and generate alerts for investigation.
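The indicators listed above (volume, multiple service accounts, one requester) map onto a base rule plus a correlation rule. The rules below are an added example, not the page's own or Wazuh's shipped ruleset. For Event ID 4769 the decoded `targetUserName` is the account that requested the ticket and `serviceName` is the service account the ticket is for; the base rule ignores computer accounts (names ending in `$`) and `krbtgt`, and keeps only RC4-encrypted tickets (`ticketEncryptionType` 0x17), the common tuning criterion because modern clients request AES tickets for their normal traffic. Rule IDs, levels and the five-services-in-five-minutes threshold are assumptions; 60103 is the parent rule the page's sample uses.

```xml
<!-- Added example: Kerberoasting detection on Event ID 4769. Rule IDs, levels
     and thresholds are assumptions. -->
<group name="active_directory,kerberos,">

  <!-- Base rule: an RC4 service ticket for a non-computer, non-krbtgt service
       account. Kept at a low level; single requests are normal. The pcre2
       pattern rejects names ending in "$" and the exact name "krbtgt". -->
  <rule id="100560" level="3">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4769$</field>
    <field name="win.eventdata.ticketEncryptionType">^0x17$</field>
    <field name="win.eventdata.serviceName" type="pcre2">^(?!krbtgt$)[^$]+$</field>
    <description>RC4 service ticket requested by $(win.eventdata.targetUserName) for $(win.eventdata.serviceName)</description>
  </rule>

  <!-- Correlation: the same requester obtains tickets for five different service
       accounts within five minutes. Legitimate clients talk to one or two
       services; sweeping every SPN-bearing account is the anomaly. -->
  <rule id="100561" level="12" frequency="5" timeframe="300">
    <if_matched_sid>100560</if_matched_sid>
    <same_field>win.eventdata.targetUserName</same_field>
    <different_field>win.eventdata.serviceName</different_field>
    <description>Possible Kerberoasting: $(win.eventdata.targetUserName) requested RC4 tickets for many service accounts</description>
  </rule>

</group>
```

Environments that still run legacy services will see RC4 tickets from specific hosts every day; those requesters should be baselined and excluded in the base rule rather than by raising the threshold, which would also hide a slow sweep.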
Lateral Movement
After obtaining valid credentials, attackers frequently move between systems to expand access and locate high-value targets.
Monitoring Logons Across Multiple Systems
A user account authenticating to multiple systems in rapid succession may indicate lateral movement activity.
Relevant events include:
- Event ID 4624
- Event ID 4648
- Event ID 4768
- Event ID 4769
Correlation Techniques
Wazuh correlation capabilities can help identify:
- Simultaneous logons from different hosts
- Unusual workstation access patterns
- Administrative account misuse
- Credential reuse across systems
These indicators often reveal attacker progression through the environment.
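The "one account, many systems in rapid succession" indicator above can be expressed directly, provided the Wazuh agent runs on the member servers and not only on the domain controllers, since each host logs its own 4624 events. The rules below are an added example, not the page's own or Wazuh's shipped ruleset. They group network logons (logon type 3) by account and require the logging host, the decoded `win.system.computer` field, to differ. Rule IDs, levels and the threshold are assumptions; 60103 is the parent rule the page's sample uses.

```xml
<!-- Added example: lateral movement correlation on Event ID 4624. Rule IDs,
     levels and thresholds are assumptions. Requires agents on the hosts being
     logged on to, because 4624 is written by the destination host. -->
<group name="active_directory,lateral_movement,">

  <!-- Base rule: a network logon (type 3) by a user account. Computer accounts
       (names ending in "$") are excluded; they authenticate everywhere constantly. -->
  <rule id="100570" level="3">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4624$</field>
    <field name="win.eventdata.logonType">^3$</field>
    <field name="win.eventdata.targetUserName" type="pcre2">^[^$]+$</field>
    <description>Network logon for $(win.eventdata.targetUserName) on $(win.system.computer) from $(win.eventdata.ipAddress)</description>
  </rule>

  <!-- Correlation: the same account logs on to five different hosts within
       two minutes. Interactive users do not do this; administrative tooling
       sometimes does, so known scanners and management servers should be
       excluded in the base rule. -->
  <rule id="100571" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100570</if_matched_sid>
    <same_field>win.eventdata.targetUserName</same_field>
    <different_field>win.system.computer</different_field>
    <description>Account $(win.eventdata.targetUserName) logged on to multiple hosts in quick succession: possible lateral movement</description>
  </rule>

</group>
```

Swapping the `different_field` to `win.eventdata.ipAddress` gives the complementary view, one account arriving from many source addresses, which is useful when agents cover only a subset of hosts.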
Insider Threat Indicators
Not all Active Directory threats originate from external attackers. Insider misuse remains a significant security concern.
Verizon's 2024 Data Breach Investigations Report (DBIR) continues to show that misuse of legitimate credentials plays a major role in many security incidents.
Unusual Administrative Actions
Potential insider threat indicators include:
- Unexpected account creation
- Unauthorized privilege assignments
- Policy modifications
- Security audit configuration changes
Off-Hours Account Changes
Administrative activity occurring outside normal maintenance windows may warrant investigation, particularly when combined with other suspicious indicators.
Wazuh can generate alerts based on time-of-day conditions and privileged account activity.
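Time-of-day conditions are a native rule option in Wazuh: `<time>` and `<weekday>` restrict when a rule is allowed to fire. The rules below are an added example, not the page's own or Wazuh's shipped ruleset: they raise an alert for account-management events (creation, deletion, group additions and modifications, all from the page's event tables) that occur outside an assumed maintenance window of 07:00 to 18:00 on weekdays. Rule IDs, levels and the window are assumptions; 60103 is the parent rule the page's sample uses.

```xml
<!-- Added example: off-hours account management. Rule IDs, levels and the
     maintenance window are assumptions. Times are evaluated against the
     manager's local clock, so set the manager's time zone to the one the
     administrators work in. -->
<group name="active_directory,off_hours,">

  <!-- Weeknight changes: the rule can only fire between 6 pm and 7 am. -->
  <rule id="100580" level="9">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID" type="pcre2">^(4720|4726|4728|4732|4756|4738)$</field>
    <time>6 pm - 7 am</time>
    <description>Off-hours account management (event $(win.system.eventID)) by $(win.eventdata.subjectUserName) on $(win.eventdata.targetUserName)</description>
  </rule>

  <!-- Weekend changes: same events, any hour on Saturday or Sunday. -->
  <rule id="100581" level="9">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID" type="pcre2">^(4720|4726|4728|4732|4756|4738)$</field>
    <weekday>weekends</weekday>
    <description>Weekend account management (event $(win.system.eventID)) by $(win.eventdata.subjectUserName) on $(win.eventdata.targetUserName)</description>
  </rule>

</group>
```

These rules are deliberately broad; their value is in combination with the privileged-group and GPO alerts, as the text says, so an analyst sees "new account at 02:00, added to Domain Admins at 02:03" as two related alerts rather than one routine event.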
Creating Active Directory Dashboards in Wazuh
Authentication Monitoring Dashboard
Authentication dashboards provide visibility into user login activity across the Active Directory environment.
Successful Logins
Tracking successful authentication events helps establish normal behavior baselines and identify unusual access patterns.
Useful metrics include:
- Daily logins
- Unique users
- Login sources
- Authentication methods
Failed Login Trends
Failed login visualizations help identify:
- Brute-force attacks
- Password spraying campaigns
- Misconfigured applications
- Expired credentials
Trend analysis often reveals attacks before they become successful.
Lockout Statistics
Account lockout dashboards should display:
- Lockout frequency
- Affected users
- Source systems
- Geographic patterns (if available)
These metrics assist incident response teams during authentication-related investigations.
User Management Dashboard
User lifecycle monitoring helps track changes within Active Directory.
New Users
New account creation events provide visibility into onboarding activity and help identify unauthorized account creation.
Relevant events include:
- Event ID 4720
- Event ID 4722
Disabled Users
Monitoring account disablement helps identify administrative actions and potential containment activities during incident response.
Deleted Accounts
Deleted account tracking supports auditing and forensic investigations by documenting identity lifecycle events.
Privileged Access Dashboard
Privileged accounts represent the highest-value targets in Active Directory environments.
Domain Admin Changes
This dashboard should track:
- Domain Admin additions
- Domain Admin removals
- Administrative account modifications
- Privileged authentication activity
Group Membership Modifications
Visualizing group membership changes helps identify unauthorized privilege assignments and potential escalation attempts.
How to Create Custom Detection Rules in Wazuh (With Examples)
Security Operations Dashboard
Security teams often benefit from a centralized dashboard focused specifically on Active Directory threat detection.
High-Severity AD Alerts
This dashboard should highlight:
- Privilege escalation alerts
- Kerberoasting detections
- Password spraying indicators
- GPO modifications
- Suspicious PowerShell activity
Threat Detection Metrics
Useful metrics include:
- Alerts by severity
- Alerts by event category
- Top targeted accounts
- Most active source systems
- Authentication anomaly trends
A well-designed dashboard enables analysts to quickly identify threats, prioritize investigations, and reduce response times.
Additional Resources:
How to Reduce False Positives in Wazuh
How to Monitor Kubernetes Using Wazuh
How to Integrate Wazuh with VirusTotal for Threat Intelligence
Integrating Wazuh With Active Directory Security Workflows
Active Directory monitoring becomes significantly more valuable when alerts and detections are integrated into existing security operations workflows.
Wazuh supports a variety of integrations that help security teams automate response processes and improve incident handling.
Ticketing Integrations
Ticketing platforms allow security alerts to be converted into actionable incidents that can be tracked through resolution.
Jira
Many organizations use Jira to manage security operations and incident response workflows.
Wazuh alerts related to Active Directory activity can be forwarded to Jira, automatically creating tickets for events such as:
- Privilege escalation attempts
- New Domain Admin assignments
- Multiple failed authentication attempts
- Unauthorized Group Policy modifications
This ensures security findings are documented and assigned for investigation.
ServiceNow
ServiceNow integration enables security teams to incorporate Active Directory alerts into broader IT service management and security operations processes.
Common use cases include:
- Incident creation
- Change management validation
- Automated workflow execution
- Compliance reporting
Notification Integrations
Real-time notifications help administrators respond quickly to Active Directory threats.
Email Alerts
Email remains one of the most widely used notification methods for security monitoring.
Organizations often configure email alerts for:
- Critical privilege changes
- Domain Admin modifications
- Account lockouts
- High-severity authentication anomalies
Slack Notifications
Slack integrations enable security teams to receive real-time alerts directly within dedicated SOC channels.
This improves collaboration and accelerates incident triage when suspicious Active Directory activity is detected.
Microsoft Teams Notifications
Organizations heavily invested in the Microsoft ecosystem often use Teams for security operations communication.
Teams notifications can be configured to deliver:
- Security alerts
- Incident updates
- Escalation notifications
- Automated investigation summaries
SIEM and Security Platform Integrations
Many organizations use Wazuh as part of a larger security monitoring architecture.
OpenSearch
Since Wazuh utilizes OpenSearch for indexing and searching security data, Active Directory events can be queried, visualized, and correlated with other security telemetry.
Organizations can build advanced investigations that combine:
- Authentication activity
- Endpoint telemetry
- Network events
- Threat intelligence data
External Security Tools
Wazuh can also integrate with:
- Threat intelligence platforms
- Endpoint detection solutions
- Network monitoring tools
- Vulnerability scanners
- SOAR platforms
These integrations provide additional context for Active Directory investigations and improve detection accuracy.
Testing Active Directory Monitoring
After configuring Active Directory monitoring, testing is essential to verify that events are being collected, processed, and alerted on correctly.
Generate Test Events
A controlled testing process helps validate visibility across the entire monitoring pipeline.
Failed Login Attempts
Generate several failed authentication attempts using a test account.
Expected results include:
- Event ID 4625 generation
- Log collection by the Wazuh Agent
- Alert generation if detection rules are configured
Password Resets
Perform a password reset on a test account.
Expected events include:
- Event ID 4723
- Event ID 4724
These events help verify account management monitoring.
User Creation Events
Create a temporary user account and verify that account creation events are collected and displayed within Wazuh.
Expected event:
- Event ID 4720
Group Membership Changes
Add a test user to a privileged group and confirm that Wazuh generates the expected alert.
Expected events include:
- Event ID 4728
- Event ID 4732
- Event ID 4756
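The four test cases above, driven end to end as an added example that is not part of the original article: it creates a throwaway user and group, triggers each event type, then checks the local Security log for the expected IDs. It assumes an elevated PowerShell session on a domain controller with the ActiveDirectory module; the account and group names are constructed for the test, and the membership change is made on a test group rather than a real privileged group.

```powershell
# Added example (not from the original article). Assumes an elevated session on a DC
# with the ActiveDirectory module; names below are constructed for this test.
Import-Module ActiveDirectory

$TestUser  = 'wazuh-adtest'            # constructed throwaway account
$TestGroup = 'wazuh-adtest-group'      # constructed test group, NOT a real privileged group
$Start     = Get-Date
function New-RandomPassword { -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ }) }

try {
    # 1. User creation -> 4720
    New-ADUser -Name $TestUser -SamAccountName $TestUser -Enabled $true `
        -AccountPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)

    # 2. Administrative password reset -> 4724 (4723 is logged for a user-initiated change)
    Set-ADAccountPassword -Identity $TestUser -Reset `
        -NewPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)

    # 3. Membership change on a global security group -> 4728 (4732 = local, 4756 = universal)
    New-ADGroup -Name $TestGroup -GroupScope Global -GroupCategory Security
    Add-ADGroupMember -Identity $TestGroup -Members $TestUser

    # 4. Failed logons on this host -> 4625 (wrong password, so no process is ever started)
    $badPw = ConvertTo-SecureString 'not-the-real-password' -AsPlainText -Force
    $bad   = New-Object System.Management.Automation.PSCredential("$env:USERDOMAIN\$TestUser", $badPw)
    1..3 | ForEach-Object { try { Start-Process cmd.exe -Credential $bad -ErrorAction Stop } catch { } }

    # Give the log a moment, then see which expected IDs mention the test account
    Start-Sleep -Seconds 5
    $expected = 4720, 4724, 4728, 4625
    $found = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $Start; Id = $expected } -ErrorAction SilentlyContinue |
             Where-Object { $_.Message -match [regex]::Escape($TestUser) } |
             Select-Object -ExpandProperty Id -Unique
    foreach ($id in $expected) {
        if ($found -contains $id) { "OK       $id" } else { "MISSING  $id  (check audit policy and agent channel config)" }
    }
}
finally {
    # Remove the test objects whether or not the checks passed
    Remove-ADGroup -Identity $TestGroup -Confirm:$false -ErrorAction SilentlyContinue
    Remove-ADUser  -Identity $TestUser  -Confirm:$false -ErrorAction SilentlyContinue
}
```

Once the IDs show as present locally, search for the same event IDs and account name in the Wazuh Dashboard to confirm the rest of the pipeline.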
Verify Event Collection
Confirm Logs Appear in Wazuh
Use the Wazuh Dashboard to verify that test events are visible and searchable.
Check:
- Event timestamps
- Event IDs
- Usernames
- Source systems
Validate Rule Triggering
Ensure that detection rules generate alerts when expected.
Review:
- Alert severity
- Rule ID
- Alert descriptions
- Trigger conditions
Testing should include both normal and suspicious activities to verify detection coverage.
Troubleshoot Missing Events
If expected events do not appear, several areas should be investigated.
Audit Policy Issues
The most common cause of missing Active Directory events is incomplete auditing configuration.
Verify:
- Advanced auditing is enabled
- Required audit categories are configured
- Group Policies are applied successfully
Agent Configuration Problems
Review the Wazuh Agent configuration to ensure the correct Windows Event Channels are being collected.
Common issues include:
- Incorrect event channel names
- Configuration syntax errors
- Missing permissions
Communication Failures
Connectivity issues between the agent and manager can prevent log delivery.
Check:
- Agent status
- Network connectivity
- Firewall rules
- TLS certificates
Best Practices for Wazuh Active Directory Monitoring
Following security monitoring best practices improves visibility while reducing false positives and operational overhead.
Enable Advanced Auditing
Capture Detailed Security Events
Basic Windows auditing often misses important attack indicators.
Enable advanced auditing to capture:
- Kerberos activity
- Account management events
- Directory service access
- Privilege usage
- Policy changes
More detailed telemetry improves detection accuracy and forensic capabilities.
Monitor Privileged Groups
Privileged accounts represent the most valuable targets in Active Directory.
Domain Admins
Changes involving Domain Admins should generate immediate alerts due to the level of access granted by this group.
Enterprise Admins
Enterprise Admins possess forest-wide privileges and should be monitored continuously.
Schema Admins
Although used less frequently, Schema Admins can make significant changes to the Active Directory schema and therefore warrant close monitoring.
Microsoft security experts consistently recommend implementing enhanced monitoring for all privileged identities and administrative groups.
Microsoft Privileged Access Security Guidance
Reduce Alert Noise
A common challenge in Active Directory monitoring is alert fatigue.
Fine-Tune Detection Rules
Detection rules should be adjusted based on the organization’s environment and normal activity patterns.
Examples include:
- Adjusting failed login thresholds
- Excluding approved service accounts
- Filtering expected administrative activity
Create Exceptions When Necessary
Not every alert represents malicious activity.
Exceptions may be appropriate for:
- Scheduled administrative tasks
- Automated provisioning systems
- Trusted service accounts
The goal is to reduce unnecessary alerts without creating monitoring blind spots.
Regularly Review Dashboards
Detect Anomalies Early
Dashboards should be reviewed regularly to identify unusual authentication patterns, privilege changes, and policy modifications before they become major incidents.
Regular monitoring often uncovers:
- Misconfigurations
- Compromised accounts
- Emerging attack campaigns
- Insider threats
Maintain Rule Updates
Update Wazuh Rules
Wazuh detection content should be reviewed and updated regularly to ensure coverage against evolving threats.
New detection rules are frequently added to support emerging attack techniques and Windows security events.
Review New Attack Techniques
Active Directory attack methods continue to evolve, particularly around credential abuse and identity-based attacks.
Security teams should regularly review guidance from authoritative sources such as:
- MITRE ATT&CK
- Microsoft Security
- CISA
- Wazuh documentation
Common Troubleshooting Issues
Even with proper configuration, organizations may encounter challenges when deploying Active Directory monitoring with Wazuh.
Understanding common issues and their solutions can significantly reduce troubleshooting time and ensure consistent visibility into Active Directory activity.
Wazuh Agent Not Sending Logs
One of the most common problems is a Wazuh Agent that appears online but is not forwarding Windows security events to the Wazuh Manager.
Connectivity Checks
Start by verifying network communication between the domain controller and the Wazuh Manager.
Check:
- DNS resolution
- Network routing
- Firewall rules
- Open Wazuh communication ports
Tools such as ping, Test-NetConnection, and telnet can help validate connectivity.
Agent Service Validation
Confirm that the Wazuh Agent service is running correctly.
On Windows Server (the agent service is named WazuhSvc; its display name is Wazuh):
Get-Service -Name WazuhSvc
The service should display a status of Running.
If the service is stopped or repeatedly restarting, review the agent logs for configuration or communication errors.
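A first-pass check for an agent that is online but silent, as an added example (not from the original article or from Wazuh): it reads the manager address from the agent's ossec.conf, probes the standard ports, confirms the Security channel is configured for collection, and pulls recent errors from the agent log. It assumes the default Windows agent install path and the default ports (1514 for agent traffic, 1515 for enrollment) and that agent traffic uses TCP.

```powershell
# Added example (not from the original article). Assumes the default agent install path
# and default Wazuh ports; adjust $AgentDir and the port list if your deployment differs.
$AgentDir = 'C:\Program Files (x86)\ossec-agent'
$Conf     = Join-Path $AgentDir 'ossec.conf'
$Log      = Join-Path $AgentDir 'ossec.log'

# 1. Service state (service name WazuhSvc, display name "Wazuh")
Get-Service -Name WazuhSvc | Select-Object Name, Status, StartType

# 2. Manager reachability: take every <address> from ossec.conf and probe both ports
$managers = Select-String -Path $Conf -Pattern '<address>([^<]+)</address>' -AllMatches |
            ForEach-Object { $_.Matches } | ForEach-Object { $_.Groups[1].Value.Trim() }
foreach ($m in $managers) {
    foreach ($port in 1514, 1515) {
        $r = Test-NetConnection -ComputerName $m -Port $port -WarningAction SilentlyContinue
        '{0}:{1} tcp reachable = {2}' -f $m, $port, $r.TcpTestSucceeded
    }
}

# 3. Is the Security event channel actually configured for collection?
$hasSecurity = Select-String -Path $Conf -Pattern '<location>\s*Security\s*</location>' -Quiet
"Security event channel configured in ossec.conf: $hasSecurity"

# 4. Recent problems reported by the agent itself (last 200 lines of ossec.log)
Get-Content -Path $Log -Tail 200 | Select-String -Pattern 'ERROR|WARNING|Unable'
```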
Missing Security Events
Sometimes the agent successfully communicates with the manager, but important Active Directory events never appear in Wazuh.
Audit Policy Verification
The most common cause of missing events is incomplete Windows auditing.
Verify that the following audit categories are enabled:
- Audit Logon Events
- Audit Account Logon Events
- Audit Account Management
- Audit Directory Service Access
- Audit Policy Change
Without these settings, Windows may never generate the events that Wazuh expects to collect.
Event Channel Configuration
Review the Wazuh Agent configuration to ensure all required event channels are being monitored.
Typical channels include:
- Security
- System
- Application
- Microsoft-Windows-PowerShell/Operational
Even a minor configuration error can prevent events from being collected.
Excessive Alert Volume
Large Active Directory environments can generate thousands of authentication-related events every hour.
Without proper tuning, analysts may become overwhelmed by excessive alert volume.
Rule Tuning
Review frequently triggered rules and determine whether they represent legitimate security concerns or expected operational activity.
Common candidates for tuning include:
- Failed login alerts
- Service account authentication events
- Scheduled administrative tasks
- Automated provisioning systems
Threshold Adjustments
Increasing frequency thresholds can significantly reduce false positives.
For example:
- Trigger an alert after 10 failed logins instead of 3
- Alert only when failures occur within a short time window
- Apply different thresholds to privileged accounts
A balanced approach improves signal quality while maintaining visibility into genuine threats.
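Before changing a rule's frequency and timeframe, it helps to see how many alerts each candidate threshold would have produced on real data. The following added example (not from the original article or from Wazuh) replays the local Security log's 4625 events through a simple "N failures within T seconds" window per account, with a stricter threshold for named privileged accounts; it approximates Wazuh's frequency/timeframe matching rather than reproducing it exactly, and the function and parameter names are assumptions.

```powershell
# Added example (not from the original article): dry-run failed-logon thresholds against
# the local Security log. Approximates "N events within T seconds" per target account.
function Get-FailedLogonBursts {
    param(
        [int]$Threshold = 10,                 # failures per window before an alert would fire
        [int]$WindowSeconds = 120,            # window length, analogous to a rule timeframe
        [string[]]$PrivilegedAccounts = @(),  # accounts that get the stricter threshold
        [int]$PrivilegedThreshold = 3,
        [int]$LookbackHours = 24
    )
    $start  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $start } -ErrorAction SilentlyContinue

    # Bucket failure timestamps by the account the logon was attempted for (TargetUserName)
    $byAccount = @{}
    foreach ($e in $events) {
        $x    = [xml]$e.ToXml()
        $user = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        if (-not $byAccount.ContainsKey($user)) { $byAccount[$user] = New-Object System.Collections.ArrayList }
        [void]$byAccount[$user].Add($e.TimeCreated)
    }

    foreach ($user in $byAccount.Keys) {
        $limit = if ($PrivilegedAccounts -contains $user) { $PrivilegedThreshold } else { $Threshold }
        $times = @($byAccount[$user] | Sort-Object)
        $i = 0
        while ($i -lt $times.Count) {
            $end = $times[$i].AddSeconds($WindowSeconds)
            $j = $i
            while ($j -lt $times.Count -and $times[$j] -le $end) { $j++ }
            if (($j - $i) -ge $limit) {
                [pscustomobject]@{ Account = $user; Failures = ($j - $i); WindowStart = $times[$i]; Threshold = $limit }
                $i = $j   # a burst counts once; skip past it, as a fired rule would
            } else { $i++ }
        }
    }
}

# Compare how noisy two candidate settings would have been over the last day
"3 in 120s:  {0} alerts"  -f @(Get-FailedLogonBursts -Threshold 3  -WindowSeconds 120).Count
"10 in 120s: {0} alerts" -f @(Get-FailedLogonBursts -Threshold 10 -WindowSeconds 120 -PrivilegedAccounts 'Administrator').Count
```

Run it on a domain controller, since that is where the failed domain logons are recorded; the surviving bursts are the ones worth reviewing by account and source before the tuned thresholds go into the rule.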
Dashboard Not Displaying Events
In some cases, logs are successfully collected but do not appear within the Wazuh Dashboard.
Index Verification
Verify that events are being indexed correctly by checking:
- Index health
- Storage availability
- Indexer service status
- Data ingestion rates
Search directly within OpenSearch to confirm that Active Directory events exist in the underlying data store.
Dashboard Filtering Issues
Dashboard filters can unintentionally hide events.
Review:
- Time range settings
- Saved searches
- Event severity filters
- Custom dashboard queries
Many apparent data collection problems are actually caused by restrictive dashboard filters.
Conclusion
Active Directory remains the foundation of identity and access management for many organizations, making it one of the most valuable targets for attackers.
Monitoring Active Directory effectively is essential for detecting credential abuse, privilege escalation, unauthorized account activity, and policy tampering before these threats lead to larger security incidents.
Wazuh provides a powerful platform for Active Directory monitoring by combining Windows Event Log collection, centralized analysis, event correlation, custom detection rules, and real-time alerting.
With proper configuration, organizations can gain visibility into authentication activity, privileged group changes, Group Policy modifications, Kerberos events, and other critical security indicators.
The key security benefits of using Wazuh for Active Directory monitoring include:
- Centralized visibility across domain controllers
- Detection of brute-force and password spraying attacks
- Monitoring of privileged account activity
- Identification of suspicious Kerberos behavior
- Real-time alerting for policy and account changes
- Improved incident investigation and forensic capabilities
However, effective monitoring is not a one-time project.
Active Directory security requires continuous auditing, dashboard reviews, rule tuning, and detection updates to keep pace with evolving attack techniques.
As a next step, consider enhancing your deployment with custom Active Directory detection rules, threat intelligence integrations, PowerShell monitoring, and advanced correlation use cases.
These improvements can significantly strengthen your overall identity security posture while maximizing the value of your Wazuh deployment.