Active Directory Auditing continuously collects, processes, and correlates activity across domain controllers to produce a unified, searchable timeline of events.
Rather than relying on a single source, the system combines multiple data signals to build a complete picture of activity.
Data collection
Auditing collects activity from domain controllers using three complementary data sources:
- Directory changes: Captured using directory replication APIs (for example, DirSync and replication metadata). This is the authoritative record of which object and attribute changed and the resulting value, and the replication metadata identifies the originating domain controller; it does not identify the account that made the change.
- Security event logs: Provide the user and system context that replication data lacks, including who performed an action and where it originated. This context is only written when the domain controllers are configured to audit directory service changes (Windows event 5136) and the relevant object SACLs request it.
- Snapshot data: A baseline of directory state captured during onboarding, used to determine previous values for changes, since replication data only carries the resulting value.
Each source contributes part of the overall context required to fully understand an event.
Local staging and upload
Audit data is collected locally on each domain controller and written to structured files.
- Data is staged temporarily on disk
- Files are periodically uploaded to the control plane
- Successfully uploaded data is removed from the local system
If connectivity is interrupted, data continues to accumulate locally until it can be uploaded.
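The staging cycle above, as an added example written for this page rather than the product's own collector: a spool directory that keeps each batch on disk until the control plane accepts it, and leaves everything in place while the link is down. The file layout, the `send()` interface and the flaky control-plane stand-in are assumptions for the example; the records are constructed.

```python
"""Added example (not the product's own code): local staging spool that
deletes an audit file only after a successful upload."""
import json
import os
import tempfile
from pathlib import Path


class AuditSpool:
    SUFFIX = ".audit"

    def __init__(self, directory):
        self.dir = Path(directory)
        self.dir.mkdir(parents=True, exist_ok=True)
        # Resume the sequence from whatever is already staged (assumed layout:
        # zero-padded sequence number as the file stem).
        existing = self.pending()
        self.seq = int(existing[-1].stem) if existing else 0

    def stage(self, records):
        """Write one batch as JSON lines. Write to a temp name, fsync, then
        rename, so a crash mid-write never leaves a half file with the
        uploadable suffix."""
        self.seq += 1
        final = self.dir / f"{self.seq:012d}{self.SUFFIX}"
        tmp = final.with_suffix(".tmp")
        with open(tmp, "w", encoding="utf-8") as f:
            for r in records:
                f.write(json.dumps(r) + "\n")
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, final)
        return final

    def pending(self):
        """Staged files in sequence order (zero-padded names sort correctly)."""
        return sorted(self.dir.glob(f"*{self.SUFFIX}"))

    def upload_all(self, send):
        """Upload pending files in order. A file is deleted only after send()
        returns without raising; on a connectivity error we stop and leave
        this and every later file for the next cycle, preserving order."""
        uploaded = 0
        for path in self.pending():
            try:
                send(path.name, path.read_bytes())
            except ConnectionError:
                break
            path.unlink()
            uploaded += 1
        return uploaded


class FlakyControlPlane:
    """Constructed stand-in for the control plane: fails the first N calls."""

    def __init__(self, failures):
        self.failures = failures
        self.received = []   # (file name, number of records) per accepted file

    def send(self, name, payload):
        if self.failures > 0:
            self.failures -= 1
            raise ConnectionError("control plane unreachable")
        self.received.append((name, payload.count(b"\n")))


def demo(directory=None, failures=1):
    """Stage two batches, try to upload during an outage, then after it."""
    spool = AuditSpool(directory or tempfile.mkdtemp())
    spool.stage([{"dn": "CN=Bob,OU=Staff,DC=corp,DC=example", "attr": "description"}])
    spool.stage([{"dn": "CN=Domain Admins,CN=Users,DC=corp,DC=example", "attr": "member"},
                 {"dn": "CN=Alice,OU=Staff,DC=corp,DC=example", "attr": "userAccountControl"}])
    cp = FlakyControlPlane(failures)
    first = spool.upload_all(cp.send)           # 0 while the link is down
    left_after_outage = len(spool.pending())    # 2: nothing was lost
    second = spool.upload_all(cp.send)          # 2 once the link is back
    return first, left_after_outage, second, len(spool.pending()), cp.received


if __name__ == "__main__":
    print(demo())
```

The two properties worth checking on any collector are visible here: an aborted upload never deletes data, and a crash during `stage()` never produces a partial file that the uploader would ship.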
Processing and correlation
Once uploaded, audit data is processed to create meaningful, unified events.
During processing:
- Data from each source is parsed and normalized
- Related records are correlated across sources
- Context is enriched with user, system, and timing information
- Previous and new values are derived where applicable
This step transforms fragmented signals into a single, complete representation of activity.
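The correlation step, as an added example written for this page and not the product's own processing pipeline: a replication change record supplies the object, attribute, resulting value, USN and originating domain controller; a matching event 5136 from the same domain controller supplies the subject account; the snapshot supplies the previous value, and the baseline is rolled forward after each change so the next change to the same attribute is compared against the latest known state rather than the onboarding snapshot. The second change deliberately has no security event, which is the incomplete-context case. Record layouts and the five-second matching window are assumptions; all records are constructed.

```python
"""Added example (not the product's own code): correlate a replication
change, a security event and a snapshot baseline into one audit event."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed: what a DirSync/replication-metadata poller hands over. It has
# the object, attribute, resulting value, originating DC and USN, never the
# account that made the change.
DIRSYNC_CHANGES = [
    {"dn": "CN=Domain Admins,CN=Users,DC=corp,DC=example", "attr": "member",
     "new_value": ["CN=Alice,OU=Staff,DC=corp,DC=example",
                   "CN=svc-backup,OU=Service,DC=corp,DC=example"],
     "usn": 41210, "when": datetime(2024, 5, 1, 10, 0, 2), "dc": "DC01"},
    {"dn": "CN=Bob,OU=Staff,DC=corp,DC=example", "attr": "description",
     "new_value": ["Contractor"],
     "usn": 41215, "when": datetime(2024, 5, 1, 10, 5, 0), "dc": "DC02"},
]

# Constructed: Directory Service Changes events (ID 5136) from the DC security
# log. Only the first change has one, modelling a DC where change auditing
# was not enabled.
SECURITY_EVENTS = [
    {"event_id": 5136, "when": datetime(2024, 5, 1, 10, 0, 1), "dc": "DC01",
     "subject": "CORP\\alice",
     "dn": "CN=Domain Admins,CN=Users,DC=corp,DC=example", "attr": "member"},
]

# Constructed: onboarding snapshot keyed by (object, attribute).
SNAPSHOT = {
    ("CN=Domain Admins,CN=Users,DC=corp,DC=example", "member"):
        ["CN=Alice,OU=Staff,DC=corp,DC=example"],
    ("CN=Bob,OU=Staff,DC=corp,DC=example", "description"): ["Intern"],
}

# Replication and event-log timestamps come from different code paths, so
# matching tolerates a small skew (assumed value).
MATCH_WINDOW = timedelta(seconds=5)


@dataclass
class AuditEvent:
    who: Optional[str]      # None when no security event could be matched
    what: str
    when: datetime
    where: str              # originating domain controller
    target: str
    attribute: str
    before: list
    after: list
    added: list
    removed: list
    complete: bool          # False when who or the previous value is unknown


def match_security_event(change, events):
    """Nearest 5136 event for the same object/attribute on the same DC."""
    candidates = [e for e in events
                  if e["event_id"] == 5136
                  and e["dn"] == change["dn"] and e["attr"] == change["attr"]
                  and e["dc"] == change["dc"]
                  and abs(e["when"] - change["when"]) <= MATCH_WINDOW]
    return min(candidates, key=lambda e: abs(e["when"] - change["when"]),
               default=None)


def correlate(changes, events, snapshot):
    """Process changes in USN order, rolling the baseline forward as we go."""
    baseline = dict(snapshot)   # copy: the caller's snapshot is left intact
    out = []
    for c in sorted(changes, key=lambda c: c["usn"]):
        key = (c["dn"], c["attr"])
        known_before = key in baseline
        before = list(baseline.get(key, []))
        after = list(c["new_value"])
        sec = match_security_event(c, events)
        out.append(AuditEvent(
            who=sec["subject"] if sec else None,
            what=f"{c['attr']} modified",
            when=c["when"], where=c["dc"], target=c["dn"], attribute=c["attr"],
            before=before, after=after,
            added=sorted(set(after) - set(before)),
            removed=sorted(set(before) - set(after)),
            complete=sec is not None and known_before))
        baseline[key] = after   # the next change to this attribute diffs against this
    return out


if __name__ == "__main__":
    for ev in correlate(DIRSYNC_CHANGES, SECURITY_EVENTS, SNAPSHOT):
        print(f"{ev.when:%Y-%m-%d %H:%M:%S} {ev.who or '<unknown>'} on {ev.where}: "
              f"{ev.target} {ev.what} +{ev.added} -{ev.removed} complete={ev.complete}")
```

Matching on object, attribute and originating domain controller matters: the same membership change replicates to every DC, and only the DC where it originated logs the 5136 with the real subject.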
Event generation
The final output of processing is a standardized audit event.
Each event answers the core investigative questions:
- Who performed the action
- What occurred (the object and the operation performed on it)
- When it happened
- Where it originated
- What changed (before and after values, when applicable)
These events are stored and made available in the console for filtering, investigation, and response.
Result
All activity is presented as a unified timeline, enabling administrators to:
- Quickly identify and investigate changes
- Reconstruct sequences of activity
- Detect suspicious or high-risk behavior
- Take corrective action, including rollback where supported
Notes on data freshness and completeness
- Audit data is processed continuously and is typically available within seconds to minutes of activity, depending on system load and environment size.
- Some events may not include complete context if the underlying Active Directory data sources do not provide it (for example, certain read operations, system-generated changes, or changes on a domain controller where directory service change auditing is not enabled, so no security event exists to identify the actor).
The system is designed to maximize visibility while maintaining performance and scalability.