Active Directory Auditing vs Active Directory Monitoring
IT administrators often tend to think that auditing and monitoring are one and the same. If you've held the same notion, you are not entirely wrong. However, there are a few key differences between the two, and these differences can mean a lot when you report on the system log data.
Windows auditing is the analysis and detection of changes within AD, Exchange, SQL, and file servers. Windows has included auditing in its offerings since the launch of Windows NT. Auditing can help administrators identify security gaps and implement steps to improve security by analyzing security and system events. By tracking and, by extension, auditing the activity that happens on computers, administrators can identify cyber threats, help reduce the attack surface, and stay in line with industry regulatory compliance requirements.
These audits generally happen once a year, where the auditors take a look at the system logs on a point-in-time basis and suggest remedial measures to improve security based on the event and system logs.
However, since auditing only looks at the logs as they stand at a given moment, it cannot be considered a proactive measure for spotting an attack. Simply put, an audit can help administrators understand how an attack was carried out, but it cannot alert them while the attack is taking place. This is where AD monitoring comes in.
AD monitoring is essentially continuous auditing that can warn administrators of anomalies in the logs and spot signs of an attack even before it is carried out. Administrators should use auditing and monitoring in conjunction to strengthen the security of an organization.
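The difference described above, as an added example that is not part of the original article: the same batch of Windows Security events is first reviewed as a point-in-time audit (a summary produced after the fact) and then fed through a continuous monitor that raises an alert the moment a rule fires. The event IDs 4625 (failed logon), 4720 (user account created) and 4728 (member added to a security-enabled global group) are real Windows Security log IDs; the sample events, account names, the list of privileged groups and the failed-logon threshold are all constructed for this illustration, and the monitor is a stand-in for what a SIEM or AD monitoring product would do.

```python
from collections import Counter, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List

# Real Windows Security log event IDs used by the rules below.
FAILED_LOGON = 4625          # An account failed to log on
ACCOUNT_CREATED = 4720       # A user account was created
GROUP_MEMBER_ADDED = 4728    # A member was added to a security-enabled global group

# Hypothetical list of groups the defender treats as privileged (assumption, not from the page).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample events in the order they were written to the log; not real log data.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2024-01-15T02:00:01", "id": 4625, "subject": "-", "target": "svc-backup", "group": None},
    {"time": "2024-01-15T02:00:14", "id": 4625, "subject": "-", "target": "svc-backup", "group": None},
    {"time": "2024-01-15T02:00:29", "id": 4625, "subject": "-", "target": "svc-backup", "group": None},
    {"time": "2024-01-15T02:00:45", "id": 4625, "subject": "-", "target": "svc-backup", "group": None},
    {"time": "2024-01-15T02:01:02", "id": 4625, "subject": "-", "target": "svc-backup", "group": None},
    {"time": "2024-01-15T02:03:10", "id": 4720, "subject": "j.doe", "target": "helpdesk2", "group": None},
    {"time": "2024-01-15T02:03:15", "id": 4728, "subject": "j.doe", "target": "helpdesk2", "group": "Domain Admins"},
    {"time": "2024-01-15T09:12:40", "id": 4728, "subject": "a.smith", "target": "m.lee", "group": "Printer Users"},
]


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def point_in_time_audit(events: Iterable[Dict]) -> Dict:
    """Batch review of a stored log: counts what happened and lists privileged group changes.
    Everything here is known only after the events have already occurred."""
    events = list(events)
    counts = Counter(e["id"] for e in events)
    privileged_changes = [
        e for e in events
        if e["id"] == GROUP_MEMBER_ADDED and e["group"] in PRIVILEGED_GROUPS
    ]
    return {"event_counts": dict(counts), "privileged_group_changes": privileged_changes}


def continuous_monitor(
    stream: Iterable[Dict],
    failed_logon_threshold: int = 5,
    window: timedelta = timedelta(minutes=5),
) -> Iterator[Dict]:
    """Process events one at a time and yield an alert as soon as a rule fires.
    Rule 1: any addition to a privileged group alerts immediately.
    Rule 2: `failed_logon_threshold` failed logons for one account within `window`
            alerts once, on the event that crosses the threshold."""
    recent_failures: Dict[str, deque] = {}  # target account -> timestamps inside the window
    for e in stream:
        now = parse_time(e["time"])
        if e["id"] == GROUP_MEMBER_ADDED and e["group"] in PRIVILEGED_GROUPS:
            yield {
                "time": e["time"],
                "rule": "privileged-group-change",
                "detail": f'{e["subject"]} added {e["target"]} to {e["group"]}',
            }
        elif e["id"] == FAILED_LOGON:
            failures = recent_failures.setdefault(e["target"], deque())
            failures.append(now)
            while failures and now - failures[0] > window:  # drop timestamps outside the window
                failures.popleft()
            if len(failures) == failed_logon_threshold:
                yield {
                    "time": e["time"],
                    "rule": "failed-logon-burst",
                    "detail": f'{failed_logon_threshold} failed logons for {e["target"]} within {window}',
                }


def run_demo() -> Dict:
    """Run both views over the constructed sample and return their results."""
    return {
        "audit": point_in_time_audit(SAMPLE_EVENTS),
        "alerts": list(continuous_monitor(SAMPLE_EVENTS)),
    }


if __name__ == "__main__":
    result = run_demo()
    print("Audit summary (after the fact):", result["audit"]["event_counts"])
    for alert in result["alerts"]:
        print(f'ALERT {alert["time"]} [{alert["rule"]}] {alert["detail"]}')
```

The audit returns one summary for the whole batch, so the privileged group change is visible only when someone reads the report; the monitor yields the same finding at the timestamp of the event itself, and the failed-logon rule shows how a windowed count turns individual, individually unremarkable events into an early warning.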