SIEM Detection Engineering for AD
Detection engineering transforms raw Windows event logs into actionable alerts. By writing Sigma rules, Splunk SPL queries, and Microsoft Sentinel KQL, you can detect Kerberoasting, DCSync, Golden Tickets, and more -- before attackers achieve their objectives.
A SIEM (Security Information and Event Management) collects logs from across your network and applies rules to detect suspicious activity. For Active Directory, the most important log source is the Windows Security Event Log on domain controllers. Key events include:
- Event ID 4769 (Kerberos service ticket request): Kerberoasting shows up as TGS requests with Ticket Encryption Type 0x17 (RC4-HMAC) for user-owned service accounts, because attackers downgrade to RC4 to get faster-cracking hashes. Exclude machine accounts (names ending in $) and krbtgt, and expect noise from legacy clients that still negotiate RC4.
- Event ID 4662 (directory service access): DCSync shows up when an account exercises the replication control-access rights DS-Replication-Get-Changes (GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) on the domain object and the subject is not a domain controller's computer account.
- Event ID 4624 (successful logon): Pass-the-Hash performed with Mimikatz sekurlsa::pth leaves a Logon Type 9 (NewCredentials) event with logon process seclogo on the source host; on the target, the resulting logon is an ordinary Logon Type 3 NTLM network logon, which is much harder to tell apart from legitimate traffic.
- Event ID 4768 (TGT request): AS-REP Roasting shows up as a TGT issued with Pre-Authentication Type 0 (no pre-authentication) and RC4 (0x17) encryption for a user account.
Detection rules are written in platform-specific languages: Sigma is an open standard that converts to many SIEM query languages, Splunk uses SPL (Search Processing Language), and Microsoft Sentinel uses KQL (Kusto Query Language). Good detection engineering also means tuning rules to reduce false positives and correlating multiple events to detect multi-step attacks.
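The three per-event rules above (Kerberoasting via 4769, DCSync via 4662, AS-REP Roasting via 4768), as an added example that is not part of the original page and not any SIEM vendor's code. The events, the domain controller names (DC01, DC02) and the account names are constructed; the field names follow the EventData names a SIEM parses from the Windows Security XML, and the replication GUIDs are the real well-known values.

```python
"""Single-event AD detections evaluated over constructed Security events."""
from dataclasses import dataclass

# Control-access-right GUIDs that DCSync exercises: DS-Replication-Get-Changes,
# DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}
RC4_HMAC = "0x17"      # TicketEncryptionType value for RC4-HMAC
PREAUTH_NONE = "0"     # PreAuthType value meaning no pre-authentication

DC_NAMES = ["DC01", "DC02"]   # assumption: the environment's domain controllers


@dataclass
class Alert:
    rule: str
    subject: str
    detail: str


def is_dc_account(name, dc_names):
    """True for a domain controller computer account such as DC01$."""
    return name.endswith("$") and name[:-1].upper() in {d.upper() for d in dc_names}


def detect_kerberoast(e):
    """4769, RC4 ticket, successful, for a non-machine, non-krbtgt SPN.
    RC4 alone is noisy where legacy clients remain, so tune by ServiceName."""
    if e.get("EventID") != 4769:
        return None
    svc = e["ServiceName"]
    if e["TicketEncryptionType"].lower() != RC4_HMAC or e.get("Status") != "0x0":
        return None
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return None
    return Alert("kerberoast", e["TargetUserName"], f"RC4 TGS for {svc}")


def detect_dcsync(e, dc_names):
    """4662 whose Properties carry a replication GUID, from a non-DC subject."""
    if e.get("EventID") != 4662:
        return None
    props = e["Properties"].lower()
    if not any(g in props for g in REPLICATION_GUIDS):
        return None
    if is_dc_account(e["SubjectUserName"], dc_names):
        return None
    return Alert("dcsync", e["SubjectUserName"], "replication rights used on domain object")


def detect_asrep_roast(e):
    """4768 issued without pre-authentication and with an RC4 ticket."""
    if e.get("EventID") != 4768:
        return None
    if e["PreAuthType"] != PREAUTH_NONE or e["TicketEncryptionType"].lower() != RC4_HMAC:
        return None
    return Alert("asrep_roast", e["TargetUserName"], "TGT without pre-auth, RC4")


def run_rules(events, dc_names):
    alerts = []
    for e in events:
        for a in (detect_kerberoast(e), detect_dcsync(e, dc_names), detect_asrep_roast(e)):
            if a is not None:
                alerts.append(a)
    return alerts


# Constructed sample events (not real logs); one true positive per rule.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0"},          # Kerberoast candidate
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17", "Status": "0x0"},          # machine account, not roastable
    {"EventID": 4769, "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x12", "Status": "0x0"},          # AES, benign
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "mallory",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # DCSync
    {"EventID": 4768, "TargetUserName": "legacyapp", "PreAuthType": "0",
     "TicketEncryptionType": "0x17"},                           # AS-REP roastable
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12"},                           # normal TGT
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS, DC_NAMES):
        print(a)
```

Each function mirrors the selection block of a Sigma rule (event ID, a field equality, and an exclusion list), which is the shape that converts cleanly to SPL or KQL; the tuning a real deployment needs (per-service allow-lists, counting distinct SPNs per user for Kerberoasting) lives on top of these base matches.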
Imagine you have a building with thousands of security cameras (Windows event logs) generating footage 24/7. Without an alarm system, nobody reviews it all. Detection engineering is like installing smart motion sensors (SIEM rules) that trigger alerts when something suspicious happens -- someone accessing the vault at 3 AM (DCSync from a non-DC), trying 50 different keycards in a row (password spraying), or using a copied master key (Golden Ticket). Each alarm rule is tuned to minimize false alarms while catching real threats.
Key Takeaways
- Sigma provides platform-agnostic detection rules that convert to Splunk SPL, KQL, and other SIEM formats.
- DCSync detection (Event ID 4662 carrying the DS-Replication-Get-Changes GUIDs, where the subject is not a domain controller's computer account) is one of the highest-fidelity AD alerts. The usual legitimate exceptions are the Entra Connect (Azure AD Connect) sync account and backup or migration tools that replicate by design; allow-list those accounts explicitly rather than widening the rule.
- Password spraying detection requires correlating failed logons (Event ID 4625, or 4771 for Kerberos pre-authentication failures) across many distinct accounts from the same source within a short window. A long run of failures against a single account is brute force or a stale credential, not a spray, and needs a different rule.
- Advanced Audit Policy must be configured on domain controllers: 4769 requires Audit Kerberos Service Ticket Operations, 4768 requires Audit Kerberos Authentication Service, and 4662 requires Audit Directory Service Access plus a SACL on the domain object that audits the replication extended rights (verify the default SACL has not been altered). Default Windows logging misses most AD attacks.
- Detection coverage should be mapped to MITRE ATT&CK to identify and prioritize gaps.
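The password-spray correlation from the takeaways, as an added example that is not part of the original page. It keeps a sliding time window per source address over failed logons (4625 and Kerberos 4771) and alerts when the distinct target accounts in that window reach a threshold. The events, addresses, account names, the 10-minute window and the threshold of 5 are constructed assumptions; tune both numbers to the environment.

```python
"""Password-spray correlation over constructed failed-logon events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON_IDS = {4625, 4771}   # NTLM/interactive failures, Kerberos pre-auth failures


def spray_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: set_of_accounts} for every source that failed against
    at least min_accounts distinct accounts inside some window-sized interval."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        if e["EventID"] in FAILED_LOGON_IDS:
            by_src[e["IpAddress"]].append((e["TimeCreated"], e["TargetUserName"].lower()))

    hits = {}
    for src, rows in by_src.items():
        win = deque()                      # (timestamp, account) pairs inside the window
        for ts, acct in rows:
            win.append((ts, acct))
            while ts - win[0][0] > window: # drop events older than the window
                win.popleft()
            accounts = {a for _, a in win}
            if len(accounts) >= min_accounts:
                hits.setdefault(src, set()).update(accounts)
    return hits


# Constructed sample data (not real logs).
BASE = datetime(2024, 1, 1, 3, 0)   # the "3 AM" of the analogy, an assumption


def _ev(minute, src, user, eid=4625):
    return {"EventID": eid, "TimeCreated": BASE + timedelta(minutes=minute),
            "IpAddress": src, "TargetUserName": user}


SAMPLE_FAILURES = (
    [_ev(i, "10.0.0.5", f"user{i:02d}") for i in range(6)]        # 6 accounts in 6 minutes: spray
    + [_ev(2, "10.0.0.5", "user99", 4771)]                        # Kerberos failure, same source
    + [_ev(i, "10.0.0.9", "alice") for i in range(8)]             # one account hammered: not a spray
    + [_ev(i * 30, "10.0.0.7", f"svc{i}") for i in range(5)]      # 5 accounts over 2 hours: slow spray
)

if __name__ == "__main__":
    for src, accounts in spray_sources(SAMPLE_FAILURES).items():
        print(src, sorted(accounts))
```

With the 10-minute window only 10.0.0.5 fires; 10.0.0.9 never exceeds one distinct account, and the slow spray from 10.0.0.7 only appears if the window is widened (for example to 3 hours) with the same threshold. That gap is why a spray rule set usually pairs a short, high-threshold window with a long, low-rate one, and why both need allow-lists for known scanners and service accounts that legitimately touch many identities.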
Without detection rules, your SIEM is just an expensive log storage system. Purpose-built detection rules for AD attacks are the difference between catching an attacker during initial credential access and discovering the breach months later during an incident response engagement.