Indicators of Attack and the Active Directory

Required license: Indicators of Attack

Tenable.ad's indicators of attack take a reactive approach: they detect attacks in real time. Tenable.ad leverages three sources of information to detect security incidents:

  • Your Active Directory database

  • The SYSVOL shared folder

  • The Event Tracing for Windows (ETW) engine

Tenable.ad collects the insertion strings associated with the event IDs and processes them to determine whether or not the events represent an attack.
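
The following added example is not Tenable.ad's code or detection logic. It shows what insertion strings are (the named Data values in a Windows event's EventData) and how they can be processed into a verdict. The choice of event ID 4625 (failed logon), the threshold, the time window and the sample events are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not real logs), trimmed to the fields used here.
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID>{eid}</EventID><TimeCreated SystemTime="{ts}"/></System>'
    '<EventData><Data Name="TargetUserName">{user}</Data>'
    '<Data Name="IpAddress">{ip}</Data></EventData></Event>'
)
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE = (
    [TEMPLATE.format(eid=4625, ts=f"2024-05-01T09:00:{5 * i:02d}.1234567Z", user=u, ip="10.0.0.50")
     for i, u in enumerate(USERS)]
    + [TEMPLATE.format(eid=4625, ts=f"2024-05-01T09:01:0{i}.0000000Z", user="gina", ip="10.0.0.7")
       for i in range(3)]
    + [TEMPLATE.format(eid=4624, ts="2024-05-01T09:02:00.0000000Z", user="zed", ip="10.0.0.50")]
)

def insertion_strings(xml_text):
    """Return (event_id, timestamp, {name: value}) for one event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    raw_ts = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    ts = datetime.strptime(raw_ts[:19], "%Y-%m-%dT%H:%M:%S")  # drop fractional seconds
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, ts, data

def spray_sources(events_xml, min_users=5, window=timedelta(minutes=5)):
    """Map source IP -> most distinct accounts it failed to log on to within one window."""
    by_ip = defaultdict(list)
    for xml_text in events_xml:
        event_id, ts, data = insertion_strings(xml_text)
        if event_id == 4625 and data.get("IpAddress") not in (None, "", "-"):
            by_ip[data["IpAddress"]].append((ts, data.get("TargetUserName", "").lower()))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in hits[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(len(users), flagged.get(ip, 0))
    return flagged
```

Repeated failures against a single account (the 10.0.0.7 events) and successful logons (event ID 4624) are ignored; only a source that fails against many distinct accounts inside one window is flagged.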

For more information, see Install Indicators of Attack.

Indicators of Attack

Note: The documentation for Tenable.ad Indicators of Attack has moved to the Tenable downloads portal. For a complete list of Tenable.ad Indicators of Attack and their implementation, see the Tenable.ad Indicators of Attack Reference Guide in the Tenable downloads portal.