Active Directory auditing: architecture and deployment

Active Directory auditing uses an agent-based collection model combined with a cloud-hosted processing service. The architecture is designed to provide near real-time visibility into directory activity while remaining scalable and resilient.

At a high level, the solution consists of domain controller agents, optional gateway components, and a centralized audit service where data is processed and presented.

Core components and data flow

Audit data flows through the system in a straightforward sequence:

Domain controller agents (data collection)

Agents run on domain controllers and collect audit data locally.

They gather:

  • Directory changes (object and attribute updates)

  • Authentication and logon activity

  • Security-relevant events from Windows logs

Collected data is temporarily written to the local filesystem on each domain controller.

Local staging and upload

Audit data is staged locally and regularly uploaded to the control plane.

  • Data is batched into files

  • Files are uploaded either:

      ◦ Directly to the cloud, or

      ◦ Through a gateway when direct connectivity is not available

  • Successfully uploaded data is removed from the domain controller

Because a batch file is deleted only after its upload succeeds, a temporary loss of connectivity delays delivery rather than losing data: the files stay on the domain controller and are retried on the next upload cycle.

Gateway (optional)

In environments where domain controllers do not have outbound internet access, a gateway is used.

  • Acts as a relay between domain controllers and the cloud

  • Receives audit data from domain controllers

  • Forwards data securely to the control plane
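The staging, upload and gateway fallback steps above, modelled as an added example. This is not the product's code or on-disk format: the batch size, file naming, write-then-rename flush, and the two transport functions (direct cloud first, gateway second) are assumptions chosen to show the one property the design depends on, that a batch is removed only after some route reports success. The scenario data is constructed.

```python
import json
import tempfile
from pathlib import Path

BATCH_SIZE = 3  # assumption: events per staged file; a real agent also flushes on a timer


class Spool:
    """Local staging directory on one domain controller (a model, not the product's format)."""

    def __init__(self, directory: Path) -> None:
        self.dir = directory
        self.dir.mkdir(parents=True, exist_ok=True)
        self.pending: list = []
        self.seq = 0

    def record(self, event: dict) -> None:
        """Collect one audit event; write a batch file once BATCH_SIZE events are pending."""
        self.pending.append(event)
        if len(self.pending) >= BATCH_SIZE:
            self.flush()

    def flush(self) -> None:
        """Write pending events with write-then-rename, so a crash mid-write never
        leaves a truncated batch file that a later upload cycle would pick up."""
        if not self.pending:
            return
        self.seq += 1
        final = self.dir / f"batch-{self.seq:06d}.json"
        tmp = final.with_suffix(".tmp")
        tmp.write_text(json.dumps(self.pending))
        tmp.replace(final)
        self.pending = []

    def staged(self) -> list:
        """Batch files still waiting for a successful upload, oldest first."""
        return sorted(self.dir.glob("batch-*.json"))

    def upload(self, transports) -> dict:
        """Try each transport in order (direct cloud first, then gateway) for every
        staged file. A file is deleted only after a transport reports success;
        otherwise it stays on disk for the next cycle, so an outage delays
        delivery instead of losing data."""
        self.flush()
        outcome = {"sent": 0, "kept": 0}
        for path in self.staged():
            payload = path.read_bytes()
            if any(send(payload) for send in transports):
                path.unlink()
                outcome["sent"] += 1
            else:
                outcome["kept"] += 1
        return outcome


def simulate_outage() -> dict:
    """Constructed scenario: seven events are recorded while the direct route to the
    cloud is blocked; the first upload cycle has no gateway, the second one does."""
    received = []  # payloads that reached the control plane, by any route

    def direct_cloud(payload: bytes) -> bool:
        return False  # assumed: outbound HTTPS from the DC is firewalled

    def gateway(payload: bytes) -> bool:
        received.append(payload)
        return True

    with tempfile.TemporaryDirectory() as tmp:
        spool = Spool(Path(tmp) / "staging")
        for i in range(7):
            spool.record({"id": i, "op": "modify",
                          "dn": "CN=backup-svc,OU=Service,DC=corp,DC=example"})
        first = spool.upload([direct_cloud])            # nothing can leave: all batches kept
        second = spool.upload([direct_cloud, gateway])  # gateway drains the backlog in order
        remaining = len(spool.staged())

    delivered = sum(len(json.loads(p)) for p in received)
    return {"first": first, "second": second, "remaining": remaining, "delivered": delivered}
```

Running `simulate_outage()` shows three batches held on disk after the first cycle and all seven events delivered through the gateway in the second, with the staging directory empty afterwards. The write-then-rename in `flush` is the detail to check in any real agent: a staging directory that can contain half-written files will eventually upload a corrupt batch.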

Central audit service (processing and storage)

Once uploaded, audit data is processed and made available in the console.

The service:

  • Combines data from multiple domain controllers

  • Correlates activity across different sources

  • Produces unified audit events with full context

Each event answers key investigative questions:

  • Who performed the action

  • What changed

  • When it occurred

  • Where it originated

  • The values before and after the change
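The correlation step above, as an added example that is not the product's code. It assumes each domain controller's agent reports an attribute change with a flag saying whether that DC accepted the original LDAP write or applied it through replication; the originating record carries the actor and client address, replicated copies do not. Copies are matched on object, attribute and before/after values inside a five-minute window (an assumption; Active Directory's own replication metadata, the originating DSA and USN, would be a stronger key). The input records are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

WINDOW = timedelta(minutes=5)  # assumption: how far apart two DCs may report the same change


@dataclass
class RawChange:
    """One attribute change as seen by the agent on a single DC (constructed model)."""
    dc: str
    dn: str
    attribute: str
    old: Optional[str]
    new: Optional[str]
    when: datetime
    originating: bool              # True on the DC that accepted the LDAP write
    actor: Optional[str] = None    # only the originating DC knows who ...
    client: Optional[str] = None   # ... and the address the write came from


@dataclass
class UnifiedEvent:
    """The who/what/when/where/before/after record the console presents."""
    object_dn: str
    attribute: str
    before: Optional[str]
    after: Optional[str]
    when: datetime
    who: str = "unknown"
    where: str = "unknown"
    observed_on: List[str] = field(default_factory=list)


def correlate(records: List[RawChange]) -> List[UnifiedEvent]:
    """Fold per-DC records into one event per real change. Replicated copies are
    matched on (object, attribute, before, after) inside WINDOW and only add to
    observed_on; the originating record supplies who, where and the true time."""
    events: List[UnifiedEvent] = []
    for r in sorted(records, key=lambda x: x.when):
        ev = next((e for e in events
                   if (e.object_dn, e.attribute, e.before, e.after)
                   == (r.dn, r.attribute, r.old, r.new)
                   and abs(r.when - e.when) <= WINDOW), None)
        if ev is None:
            ev = UnifiedEvent(r.dn, r.attribute, r.old, r.new, r.when)
            events.append(ev)
        ev.observed_on.append(r.dc)
        if r.originating:
            ev.who = r.actor or "unknown"
            ev.where = r.client or "unknown"
            ev.when = r.when
    return events


DA = "CN=Domain Admins,CN=Users,DC=corp,DC=example"
SVC = "CN=backup-svc,OU=Service,DC=corp,DC=example"
T0 = datetime(2024, 5, 1, 9, 15, 0)

# Constructed input: one group-membership change replicated to three DCs,
# plus one unrelated change that must stay a separate event.
SAMPLE = [
    RawChange("DC01", DA, "member", None, SVC, T0, True,
              actor="CORP\\jdoe", client="10.20.30.40"),
    RawChange("DC02", DA, "member", None, SVC, T0 + timedelta(seconds=4), False),
    RawChange("DC03", DA, "member", None, SVC, T0 + timedelta(seconds=11), False),
    RawChange("DC02", SVC, "userAccountControl", "512", "66048",
              T0 + timedelta(minutes=1), True, actor="CORP\\jdoe", client="10.20.30.40"),
]


def unify_sample() -> List[UnifiedEvent]:
    return correlate(SAMPLE)
```

`unify_sample()` yields two events rather than four: the Domain Admins membership change is reported once, attributed to `CORP\jdoe` from `10.20.30.40`, with `observed_on` listing all three DCs, and the later userAccountControl change on the service account stands on its own. Without this step an investigator would see the same privileged change three times and, on two of the three, with no actor.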

User interface (investigation and response)

Processed audit events are displayed in the console.

Administrators can:

  • Search and filter events

  • Investigate activity across the environment

  • Identify suspicious or high-risk changes

  • Initiate rollback for supported actions

Design characteristics

The architecture is designed to support:

  • Scalability: Handles high volumes of authentication and change data across large environments

  • Resilience: Local staging and retry mechanisms prevent data loss during outages

  • Unified visibility: Aggregates activity from all domain controllers into a single timeline

  • Flexibility: Supports environments with or without direct internet connectivity

Data retention

Retention is based on the type and value of data:

  • Change events: Retained for up to 1 year

  • Authentication and high-volume events: Retained for 30 days

High-volume data such as authentication events is valuable for short-term investigation but rarely needed months later, so it is kept for the shorter period; change events, which matter for longer-term review and rollback, are kept for up to a year.
