Monitor and Protect Active Directory

Uncover critical misconfigurations, monitor & alert on changes to security groups, GPOs, OUs, and other AD objects.

Active Directory auditing and threat detection

Varonis shows you exactly what’s going on within your Active Directory and alerts on abnormal activity. Get a fully searchable audit trail of Active Directory changes and logons to mitigate privilege abuse and escalation attacks.

Group Policy monitoring

Alert on changes to Group Policy settings by unauthorized users outside of change control windows with full details and before and after values.

Active Directory risk assessment

Track the health of your Active Directory with a library of built-in reports and customizable dashboards that highlight risk indicators like empty security groups, users with passwords that don’t expire, and more.

Logon auditing

See a full record of both failed and successful logon attempts for any user. Detect when a user deviates from their normal logon behavior, exhibits brute-force behavior, or logs on from strange locations or devices.


Close Active Directory Security Loopholes

Active Directory can be complex, and complexity breeds mistakes. Artifacts and misconfigurations not only create vulnerabilities but can also greatly impact performance. Varonis helps you clean up things like:

  • Disabled users and groups
  • Groups with disabled users
  • Looped-nested groups
  • Individual users on ACEs
  • Empty security groups
  • Orphaned SIDs

Prevent Data Breaches with Behavior-Driven Threat Models

Alert on critical activity with who, what, when, where details—before and after states, data sensitivity, IP address, and more. Risk assessment insights give SOC analysts rich context with every alert, including deviations from historical baselines, peer analysis, watch list membership, devices used, geolocation, and more.

With hundreds of built-in threat models, DatAlert detects everything from golden ticket attacks, to abnormal lockout behavior, to DNS poisoning. Take automatic action to disable a compromised account, kill active sessions, and send alerts to your SIEM for further analysis and correlation.

  • Potential ticket harvesting attack
  • Potential Pass-the-Ticket attack
  • Deletion: Multiple directory service objects
  • Potential identity theft based on downgraded encryption
  • Abnormal Behavior: Unusual amounts of lockouts across service accounts
  • Multiple lock-outs
  • Potential privilege escalation was detected via vulnerability in Kerberos
  • Deletion: Active Directory containers, Foreign Security Principal, or GPO
  • Modification: Critical GPOs
  • Administrative or Service Account Disabled or Deleted
  • Membership changes: admin groups
  • Administrative or Service Account Reset
  • Executive account locked-out/disabled/deleted/password reset
  • Permission changes on OU
  • Modification: GPO Security Settings
  • Modification: Critical Organizational Units
  • Abnormal service behavior: unusual amount of devices accessed
  • An RDP connection was made via VPN to an atypical device

Get the Active Directory visibility and control needed for compliance

Display, filter, and analyze large, complex hierarchical structures and extend those capabilities to Active Directory domains and forests. Varonis gives auditors a full visual representation of your directory, shows you who can access key objects, and tracks and analyzes all activity.

Help auditors and IT admins answer critical questions like:

  • Who added Molly to Domain Admins?
  • When did Dan gain access to a particular resource?
  • What did Dan do with that access?
  • Have any changes occurred outside our change control window?
  • Who modified this group policy? What was the value before the change?
  • What Active Directory resources can Helen modify?

“DatAdvantage has enabled us to remove the risks associated with data permission changes within our IT environment. As an organization, we can prove to our regulators that our IT controls are stringent and that we are providing effective protection around our data.”

Colin Lennox, Technical Services Manager, Baillie Gifford


4 Tips to Secure Active Directory

We gathered the best tips & tricks from battle-hardened Active Directory admins and distilled them into a concise 4-step approach.

Active Directory compliance reporting

Out-of-the-box security audit reports mapped to specific regulatory standards, including GDPR, PCI-DSS, HIPAA, SOX, GLBA, FISMA/NIST, and more.

Visualize your entire directory

Display, filter, and analyze large, complex hierarchical structures and extend those capabilities to Active Directory domains and forests.

LDAP support

Monitor and protect LDAP-compatible directory services, not just Active Directory.

Eliminate risky and stale objects

Stale accounts and groups not only cause clutter but can also cost you money in licensing fees and open you up to attacks. Varonis makes finding and fixing common AD issues a breeze.


Frequently Asked Questions

  • How do you monitor Active Directory?

    We gather the Security Event Logs directly from your Domain Controllers and correlate all of the DCs into a single Varonis Log. Once we have the data in the log, we can analyze all of the AD logging along with the file event, email, and other data we collect to detect incoming cyberattacks.

  • Do you need an Agent on the Domain Controllers?

    You don’t need an Agent to get the Security Event Log data! However, we can monitor changes to GPOs if we have the Varonis Agent installed on the DCs. The Varonis Agent is super lightweight and might use 1% of memory and processor on the DC - which is a fair trade to catch unsanctioned changes to your GPOs.

  • What kinds of cyberattacks does DatAdvantage for Active Directory detect?

    Varonis has many threat models to detect brute force attacks, privilege escalation, encryption downgrade attacks, and pass-the-ticket attacks.

    DatAlert also tracks user behavior patterns and compares historical data baselines to current activity. Any abnormal behavior that matches a threat model triggers an alert. For example, we can alert you if a service account has a logon event in AD from an abnormal geo and has started to modify AD objects or access user data.

    Monitoring data and access to data with the details from Active Directory provides incredible context to your security analytics.

  • What other kinds of data about Active Directory can I see?

    In the Dashboard, you will see the number of stale accounts, numbers of users with expired passwords, inactive users, and more.

    DatAdvantage gathers many statistics that will help you find and eliminate risks and track your progress to a zero-trust system.
