
About the Active Directory Change Detection Dashboard

The Zscaler ITDR Active Directory (AD) Change Detection dashboard monitors an AD domain, detects active changes in it, and classifies each change as having a good or bad impact. It also provides additional issue and remediation details.

The AD Change Detection dashboard monitors AD domains for the following issues:

  • Kerberoastable accounts
  • Vulnerable to AS-REP roasting
  • Accounts with passwords set to never expire
  • Accounts with password not required
  • Accounts with exposed attributes
  • Privileged account delegation
  • Unconstrained delegation
  • Constrained delegation
  • Privileged account added or removed
  • Vulnerable to DCSync attacks
  • AdminSDHolder permissions

To view the change detection data, you need to configure an AD domain for a scan and enable the change detection feature. The Change Detection dashboard uses the AD scan results to collect data. The scan runs every 15 minutes. Two scans are required to detect changes. The first scan creates the base results. If any changes are detected in the second scan, the changes are recorded and compared with the base results, and the data is categorized as Good, Bad, or Info.
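
The base-scan and second-scan comparison described above can be sketched as follows. This is an added example, not Zscaler's implementation: the snapshot layout, the function names, and the rule that an introduced issue is Bad and a resolved issue is Good are assumptions, and the Info category is not modeled. The userAccountControl bit values are the ones Microsoft documents.

```python
# Added illustration; not Zscaler's implementation. Scan data below is constructed.
# userAccountControl bits mapped to issue names from the list on this page.
UAC_ISSUES = {
    0x00000020: "Accounts with password not required",          # PASSWD_NOTREQD
    0x00010000: "Accounts with passwords set to never expire",  # DONT_EXPIRE_PASSWORD
    0x00080000: "Unconstrained delegation",                     # TRUSTED_FOR_DELEGATION
    0x00400000: "Vulnerable to AS-REP roasting",                # DONT_REQ_PREAUTH
}

def issues(account):
    """Return the set of issue names present on one account record."""
    found = {name for bit, name in UAC_ISSUES.items() if account["uac"] & bit}
    # A user object that carries a servicePrincipalName is Kerberoastable.
    if account["type"] == "User" and account.get("spn"):
        found.add("Kerberoastable accounts")
    return found

def detect_changes(base, current):
    """Compare a later scan with the base scan; return (identity, issue, impact) rows."""
    rows = []
    for name in sorted(set(base) | set(current)):
        before = issues(base[name]) if name in base else set()
        after = issues(current[name]) if name in current else set()
        rows += [(name, i, "Bad") for i in sorted(after - before)]   # issue introduced
        rows += [(name, i, "Good") for i in sorted(before - after)]  # issue resolved
    return rows

# Constructed sample scans, taken 15 minutes apart.
BASE_SCAN = {
    "svc-sql": {"type": "User", "uac": 0x10200, "spn": ["MSSQLSvc/db01:1433"]},
    "jdoe": {"type": "User", "uac": 0x200, "spn": []},
    "WEB01$": {"type": "Computer", "uac": 0x81000, "spn": ["HOST/web01"]},
}
SECOND_SCAN = {
    "svc-sql": {"type": "User", "uac": 0x200, "spn": ["MSSQLSvc/db01:1433"]},
    "jdoe": {"type": "User", "uac": 0x400200, "spn": []},
    "WEB01$": {"type": "Computer", "uac": 0x1000, "spn": ["HOST/web01"]},
}

if __name__ == "__main__":
    for identity, issue, impact in detect_changes(BASE_SCAN, SECOND_SCAN):
        print(f"{impact:4}  {identity:8}  {issue}")
```

An issue that is present in both scans, such as the service principal name on svc-sql, produces no row, because only differences from the base results are reported.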

The Change Detection dashboard provides the following benefits:

  • Provides near real-time visibility into new misconfigurations and security risks introduced to your AD.
  • Improves the security posture of your AD.

About the AD Change Detection Dashboard

On the Change Detection dashboard (ITDR > Dashboard > Change Detection > Default), you can do the following:

  1. Filter change detection results by an AD domain.
  2. Copy specific columns from the table.
  3. View all change detection data for the AD domain. For each change, you can view:

    • Change Date: The date and time when a change is detected in the AD domain.
    • Issue: The issue for which the change is detected (e.g., Privileged account delegation, Unconstrained Delegation).
    • Identity: The name of the AD account for which the change is detected.
    • Change: The description of active changes.
    • Impact: Indicates the following change status. You can filter the column to view a specific change:
      • Good: A good or safe change.
      • Bad: A risky change. The system administrators can review the bad impacts, view the issue details, and remediate the issues.
      • Info: A significant change to the AD account that might have a good or bad impact based on the environment. The system administrators can review the impact and take necessary actions.
    • Classification: The AD user account type (Privileged or Service). You can filter the column to view a specific user account type.
    • Type: The type of AD object (User or Computer).

    You can double-click a change to view issue and remediation details.

  4. View the change detection issue details and remediation.
  5. Add a change detection issue to the safelist.
  6. Add a change detection object to the safelist.