Indicators of Attack and the Active Directory
Tenable.ad's indicators of attack provide a reactive approach to detect an attack in real time. Tenable.ad leverages three sources of information to detect security incidents:
Your Active Directory database
The SYSVOL shared folder
The Event Tracing for Windows (ETW) engine
Tenable.ad collects the insertion strings (the parameter values that Windows stores with each logged event) associated with the monitored event IDs and processes them to determine whether the events represent an attack.
For more information, see Install Indicators of Attack.
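The sentence above describes the general shape of event-based detection: an event record is an event ID plus a list of positional insertion strings, and the detection logic names those positions and evaluates rules over the named fields. The following Python block is an added illustration of that shape, not Tenable.ad's own code or rules. The positional layout in SCHEMA, the sample events, and the password-spray rule (many failed logons from one source against many distinct accounts inside a short window) are all constructed for this example; the event IDs 4624 and 4625 are the standard Windows Security log IDs for successful and failed logons, but the exact index of each field in a real event is not claimed here.

```python
"""Toy processor for Windows event insertion strings (added example).

An Event carries an event ID and its positional insertion strings. decode()
maps positions to field names via a constructed SCHEMA, and detect_spray()
applies one defensive rule over the decoded fields.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed positional schema (assumption for this example): which
# insertion-string index carries which field for each event ID used here.
SCHEMA: Dict[int, Dict[str, int]] = {
    4624: {"target_user": 0, "logon_type": 1, "source_ip": 2},      # successful logon
    4625: {"target_user": 0, "failure_status": 1, "source_ip": 2},  # failed logon
}


@dataclass
class Event:
    event_id: int
    timestamp: int                 # seconds since epoch (constructed values)
    insertion_strings: List[str]


def decode(event: Event) -> Optional[Dict[str, str]]:
    """Map positional insertion strings to named fields using SCHEMA.

    Returns None for event IDs we have no layout for, and for truncated
    records: a detector should skip what it cannot decode rather than guess.
    """
    layout = SCHEMA.get(event.event_id)
    if layout is None:
        return None
    fields = {}
    for name, idx in layout.items():
        if idx >= len(event.insertion_strings):
            return None
        fields[name] = event.insertion_strings[idx]
    return fields


def detect_spray(events: List[Event], window: int = 60, min_accounts: int = 5) -> List[dict]:
    """Flag each source IP whose failed logons (4625) hit at least
    `min_accounts` distinct accounts within any `window`-second span."""
    failures = defaultdict(list)  # source_ip -> [(timestamp, target_user)]
    for ev in sorted(events, key=lambda e: e.timestamp):
        fields = decode(ev)
        if ev.event_id != 4625 or fields is None:
            continue
        failures[fields["source_ip"]].append((ev.timestamp, fields["target_user"]))

    alerts = []
    for ip, attempts in failures.items():
        for i, (t0, _) in enumerate(attempts):
            users = {user for ts, user in attempts[i:] if ts - t0 <= window}
            if len(users) >= min_accounts:
                alerts.append({"source_ip": ip, "accounts": len(users), "start": t0})
                break  # one alert per source is enough for this illustration
    return alerts


# Constructed sample events: six distinct accounts fail from 10.0.0.5 within
# 25 seconds (should alert); one user fails twice then succeeds from 10.0.0.9
# (should not alert); one unknown event ID and one truncated record (skipped).
SAMPLE_EVENTS = [
    Event(4625, 100, ["alice", "0xC000006A", "10.0.0.5"]),
    Event(4625, 105, ["bob", "0xC000006A", "10.0.0.5"]),
    Event(4625, 110, ["carol", "0xC000006A", "10.0.0.5"]),
    Event(4625, 115, ["dave", "0xC000006A", "10.0.0.5"]),
    Event(4625, 120, ["erin", "0xC000006A", "10.0.0.5"]),
    Event(4625, 125, ["frank", "0xC000006A", "10.0.0.5"]),
    Event(4625, 100, ["alice", "0xC000006A", "10.0.0.9"]),
    Event(4625, 130, ["alice", "0xC000006A", "10.0.0.9"]),
    Event(4624, 131, ["alice", "2", "10.0.0.9"]),
    Event(9999, 140, ["not in schema"]),
    Event(4625, 141, ["mallory"]),  # truncated: no source_ip position
]


def run_sample() -> List[dict]:
    """Run the spray rule over the constructed sample set."""
    return detect_spray(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The point of the decode step is that raw insertion strings are only meaningful once tied to an event ID's layout; a rule written directly against positions breaks silently when a record is truncated or belongs to a different event, so the decoder refuses to produce fields it cannot fully populate and the rule skips those records.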
Indicators of Attack
Note: The documentation for Tenable.ad Indicators of Attack has moved to the Tenable downloads portal. For a complete list of Tenable.ad Indicators of Attack and their implementation, see the Tenable.ad Indicators of Attack Reference Guide in the Tenable downloads portal.