The Active Directory audit event model defines how activity in Active Directory is presented as clear, consistent, and actionable audit events.
Overview
Active Directory does not provide a single, complete audit record for each action. Instead, information is distributed across multiple data sources, each contributing part of the overall context.
The audit platform combines this information into a unified event that answers the key questions:
- Who performed the action
- What changed or occurred
- When it happened
- Where it originated
- Target Object affected
- Old Value/New Value (for changes)
Each event is presented in a consistent format, regardless of how the activity was captured behind the scenes.
These enriched events form the foundation for timelines, investigations, and direct remediation actions such as rollback.
Event sources
Audit events are built from multiple sources within Active Directory, each providing part of the overall picture:
Directory changes
Provide authoritative information about what changed, including object updates and new values.
Security event logs
Provide user and system context, such as who performed an action and authentication activity.
Snapshot data
Provides baseline object state, enabling before-and-after comparisons and rollback.
These sources work together to produce a complete and reliable audit record.
What an audit event looks like
Each audit event represents a fully correlated and enriched record of activity in Active Directory.
An event includes:
- Severity: Indicates the security importance of the event
- Detected Time: When the activity was observed
- Change Type: Create, Modify, Delete, or Authentication
- Actor: The user or system responsible
- Domain: The AD domain where the action occurred
- Target Object: The affected AD object
- Description: Human-readable summary of the action
- Before/After Values: For modifications (when applicable)
For example:
- A new user was created
- A user attribute was modified
- A directory object was deleted
This standardized structure ensures consistency across all event types and enables easy filtering, investigation, and rollback.
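The correlation described in the two sections above, as an added example that is not Commvault's code: one directory-change record is paired with the nearest security log entry for the same target object (the pairing key and the five-second tolerance are assumptions), the snapshot supplies the old value, and the result is a single event with the fields listed. The sample records, field names, DNs and account names are constructed for this example and are not a product schema. The second change deliberately has no matching security log entry, so the event is emitted without an actor and says so, which is the attribution gap the Limitations section mentions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample records standing in for the three sources described above.
# Field names, timestamps, DNs and account names are assumptions for this
# example, not a product schema.
DIRECTORY_CHANGES = [
    {"time": "2024-05-01T10:15:02+00:00", "domain": "corp.example",
     "target": "CN=jdoe,OU=Users,DC=corp,DC=example", "op": "modify",
     "attribute": "userAccountControl", "new_value": "512"},
    {"time": "2024-05-01T11:40:10+00:00", "domain": "corp.example",
     "target": "CN=svc-backup,OU=Service,DC=corp,DC=example", "op": "delete",
     "attribute": None, "new_value": None},
]
SECURITY_EVENTS = [
    {"time": "2024-05-01T10:15:01+00:00",
     "target": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "actor": "CORP\\admin1", "origin": "ADMIN-WS01"},
]
SNAPSHOT = {
    "CN=jdoe,OU=Users,DC=corp,DC=example": {"userAccountControl": "514"},
    "CN=svc-backup,OU=Service,DC=corp,DC=example": {"sAMAccountName": "svc-backup"},
}

# Assumed tolerance when pairing a directory change with a security log entry.
ATTRIBUTION_WINDOW = timedelta(seconds=5)


@dataclass
class AuditEvent:
    """Unified event carrying the who/what/when/where/target/old-new fields."""
    detected_time: datetime
    change_type: str            # Create, Modify or Delete
    actor: Optional[str]        # None when no security log entry could be paired
    origin: Optional[str]
    domain: str
    target: str
    description: str
    old_value: Optional[str] = None
    new_value: Optional[str] = None


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def find_actor(change: dict, security_events: list,
               window: timedelta = ATTRIBUTION_WINDOW):
    """Pick the security log entry for the same target closest in time, or None."""
    t = _ts(change["time"])
    candidates = [e for e in security_events
                  if e["target"] == change["target"]
                  and abs(_ts(e["time"]) - t) <= window]
    return min(candidates, key=lambda e: abs(_ts(e["time"]) - t)) if candidates else None


def correlate(change: dict, security_events: list, snapshot: dict) -> AuditEvent:
    """Merge one directory change with its actor context and snapshot baseline."""
    sec = find_actor(change, security_events)
    baseline = snapshot.get(change["target"], {})
    op = change["op"]
    old = new = None
    if op == "modify":
        old = baseline.get(change["attribute"])   # before value comes from the snapshot
        new = change["new_value"]                 # after value comes from the change record
        description = f"{change['attribute']} changed from {old!r} to {new!r}"
    elif op == "delete":
        description = (f"object deleted; snapshot retains {len(baseline)} "
                       f"attribute(s) for rollback")
    else:
        description = "object created"
    if sec is None:
        description += " (actor not attributed)"
    return AuditEvent(
        detected_time=_ts(change["time"]),
        change_type=op.capitalize(),
        actor=sec["actor"] if sec else None,
        origin=sec["origin"] if sec else None,
        domain=change["domain"],
        target=change["target"],
        description=description,
        old_value=old,
        new_value=new,
    )


def build_events(changes=DIRECTORY_CHANGES, security_events=SECURITY_EVENTS,
                 snapshot=SNAPSHOT):
    return [correlate(c, security_events, snapshot) for c in changes]


if __name__ == "__main__":
    for ev in build_events():
        print(ev)
```

Keeping the unattributed event rather than discarding it matters for investigations: the change still happened, and the missing actor is itself a signal that the security log did not capture the operation.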
Event categories
Audit events fall into the following categories:
Change events
- Object creation, modification, and deletion
- Attribute updates
- Group membership changes
These are the primary focus of the auditing system and include full before/after context.
Authentication events
- Logon successes and failures
- Kerberos and NTLM activity
These provide visibility into access patterns and potential attack signals.
Noise reduction
Active Directory generates large volumes of routine activity, such as authentication traffic and background system operations.
The platform applies filtering and classification to:
- Reduce noise
- Highlight meaningful changes
- Prioritize high-impact events
This ensures that important activity is easy to identify without being overwhelmed by low-value data.
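The filtering and classification step described above, as an added example that is not Commvault's code: already-correlated events are given a severity, routine successful logons are dropped as noise, a run of logon failures by one actor is escalated, and the remainder is ordered highest severity first. The classification policy (which groups and attributes count as sensitive, the burst threshold, the severity labels) and the event shape are assumptions for this example. It also marks repeated modifications of one attribute within a short window, because, as the Limitations section notes, such sequences may only be visible as their final state and an investigator should know that intermediate values may be missing.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-correlated events (an assumed shape, not a product schema).
def _auth(time, actor, outcome):
    return {"time": time, "change_type": "Authentication", "actor": actor,
            "target": "DC01", "attribute": None, "outcome": outcome}

def _mod(time, actor, target, attribute):
    return {"time": time, "change_type": "Modify", "actor": actor,
            "target": target, "attribute": attribute, "outcome": None}

USER = "CN=jdoe,OU=Users,DC=corp,DC=example"
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=corp,DC=example"

EVENTS = [
    _auth("2024-05-01T09:00:00+00:00", "CORP\\alice", "success"),
    _auth("2024-05-01T09:00:05+00:00", "CORP\\bob", "success"),
    _mod("2024-05-01T09:01:00+00:00", "CORP\\helpdesk1", USER, "telephoneNumber"),
    _mod("2024-05-01T09:02:00+00:00", "CORP\\admin1", DOMAIN_ADMINS, "member"),
    _auth("2024-05-01T09:03:00+00:00", "CORP\\svc-web", "failure"),
    _auth("2024-05-01T09:03:10+00:00", "CORP\\svc-web", "failure"),
    _auth("2024-05-01T09:03:20+00:00", "CORP\\svc-web", "failure"),
    _auth("2024-05-01T09:03:30+00:00", "CORP\\svc-web", "failure"),
    _mod("2024-05-01T09:05:00+00:00", "CORP\\admin1", USER, "userAccountControl"),
    _mod("2024-05-01T09:05:02+00:00", "CORP\\admin1", USER, "userAccountControl"),
]

# Assumed classification policy for this example.
PRIVILEGED_GROUPS = {DOMAIN_ADMINS}
SENSITIVE_ATTRIBUTES = {"userAccountControl", "adminCount", "servicePrincipalName",
                        "msDS-AllowedToDelegateTo"}
RANK = {"High": 0, "Medium": 1, "Low": 2, "Info": 3}


def _ts(value):
    return datetime.fromisoformat(value)


def base_severity(ev: dict) -> str:
    """Severity from the event's own fields; routine logon successes are Info."""
    if ev["change_type"] == "Authentication":
        return "Info" if ev["outcome"] == "success" else "Low"
    if ev["change_type"] == "Delete":
        return "High"
    if ev["attribute"] == "member" and ev["target"] in PRIVILEGED_GROUPS:
        return "High"
    if ev["attribute"] in SENSITIVE_ATTRIBUTES:
        return "High"
    return "Low"


def escalate_failure_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Raise a run of logon failures by one actor inside the window to Medium."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["change_type"] == "Authentication" and ev["outcome"] == "failure":
            by_actor[ev["actor"]].append(ev)
    for run in by_actor.values():
        run.sort(key=lambda e: _ts(e["time"]))
        for i, ev in enumerate(run):
            recent = [x for x in run[:i + 1]
                      if _ts(ev["time"]) - _ts(x["time"]) <= window]
            if len(recent) >= threshold:
                for x in recent:
                    x["severity"] = "Medium"


def flag_rapid_changes(events, window=timedelta(seconds=10)):
    """Mark one attribute modified repeatedly within the window: intermediate
    values may not be visible, so the before/after pair may skip states."""
    mods = [e for e in events if e["change_type"] == "Modify"]
    for ev in mods:
        ev["rapid_sequence"] = any(
            x is not ev and x["target"] == ev["target"]
            and x["attribute"] == ev["attribute"]
            and abs(_ts(x["time"]) - _ts(ev["time"])) <= window
            for x in mods)


def reduce_noise(events=EVENTS):
    """Classify, escalate, flag and drop routine events; highest severity first."""
    work = [dict(e, severity=base_severity(e), rapid_sequence=False) for e in events]
    escalate_failure_bursts(work)
    flag_rapid_changes(work)
    kept = [e for e in work if e["severity"] != "Info"]
    return sorted(kept, key=lambda e: (RANK[e["severity"]], _ts(e["time"])))


if __name__ == "__main__":
    for ev in reduce_noise():
        print(ev["severity"], ev["time"], ev["change_type"], ev["target"],
              ev["attribute"], "rapid" if ev["rapid_sequence"] else "")
```

Dropping only successful routine logons while keeping every change event, however minor, follows the page's own emphasis: change events are the primary focus, and a low-severity attribute update is still part of the timeline even when it is not what an analyst looks at first.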
Limitations
Some activities in Active Directory are inherently difficult to capture with full fidelity:
- Certain actions may lack complete user attribution
- Rapid successive changes may appear as a single final state
The system is designed to maximize visibility while maintaining performance and usability.
Summary
The Event Model transforms fragmented Active Directory activity into:
- Clear, consistent audit events
- Complete context for investigation
- Actionable insights for security and recovery
By presenting all activity in a unified format, Commvault makes it easier to understand what happened, who was involved, and how to respond.