As cyber threats become more sophisticated, traditional security mechanisms relying solely on Active Directory (AD) for authentication and authorization lack real-time threat detection and response capabilities. This project enhances security by integrating AD with Splunk, a Security Information and Event Management (SIEM) solution, within a virtualized environment where Microsoft Server 2022 hosts AD services and a Domain Controller, while Splunk provides centralized security monitoring. PowerShell scripting automates user management and event log monitoring, improving administrative efficiency. To evaluate system effectiveness, a simulated password-cracking attack from a Linux machine (IP: 192.168.10.250) targets the AD server, with Splunk monitoring security logs for real-time anomaly detection, automated threat alerts, and advanced analytics to identify unauthorized access attempts, privilege escalation, and insider threats. The network setup includes grydsecurity, featuring an Active Directory Server (192.168.10.7), a Splunk Server (192.168.10.10), and a DHCP-connected client PC, with RDP restricted on client machines to prevent remote attacks but accessible on the server for administrative purposes. By integrating AD with Splunk SIEM, this system strengthens IT infrastructure security, enhances incident response, ensures compliance with regulatory frameworks such as HIPAA and GDPR, and leverages machine learning-based detection for proactive cyber defense. This project demonstrates a scalable, intelligence-driven security model that combines automation, system administration, and cybersecurity best practices to safeguard enterprise environments.
Introduction
Overview
As cyber threats become more advanced, relying solely on Active Directory (AD) for authentication and access management leaves organizations vulnerable. Traditional AD systems lack real-time monitoring, anomaly detection, and automated response, making them susceptible to insider threats, brute-force attacks, and privilege escalations.
To address these vulnerabilities, this project proposes integrating AD with Splunk, a Security Information and Event Management (SIEM) tool. This integration enables:
Real-time log analysis
Machine learning-based anomaly detection
Automated alerting and response to threats
Existing System – Limitations of Active Directory Alone
AD handles user management and authentication but has serious security limitations:
No real-time incident detection or response
Manual log review using Windows Event Viewer
No log correlation across devices
Vulnerable to insider threats and complex attack vectors
Difficult to meet compliance standards (e.g., GDPR, HIPAA, NIST)
The network includes:
AD server (IP: 192.168.10.7)
Client PCs connected to AD
A Linux machine used for attack simulation
No centralized SIEM system; logs are stored locally
Proposed System – AD + Splunk Integration
The proposed solution integrates Splunk SIEM with Active Directory to enable centralized log collection, real-time threat detection, and automated incident response.
Key Features:
AD handles identity and access management
Splunk monitors logs and detects security events
Virtualized environment hosts both AD and Splunk
Controlled attack simulations using a Linux machine to validate system effectiveness
System Architecture & Attack Simulation
Network setup:
AD Server: 192.168.10.7
Splunk Server: 192.168.10.10
Linux Attack Machine: 192.168.10.250
Domain: grydsecurity
Attack scenario:
Simulated brute-force password attack on AD
Splunk detects failed logins (Event ID 4625), analyzes patterns, and raises alerts
Security Configuration:
RDP is blocked for client machines, reducing exposure
DHCP server dynamically allocates IP addresses
Real-Time Detection & Incident Management
Splunk uses:
Correlation rules and baselines to flag anomalies
Dashboards for visualizing attacks in real time
Machine learning for predictive analytics
Event IDs Monitored:
4625: Failed logins (brute-force)
4720: New user accounts (potential unauthorized access)
4767: Account unlocks (possible privilege abuse)
1102: Log clearance (possible attack cover-up)
Splunk Universal Forwarders are installed to transmit logs to Splunk Indexer.
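The detection described in this section, as an added example that is not code from the paper: the sliding-window count of Event ID 4625 per source, the follow-on check for a success (4624) after a burst of failures, and single-occurrence alerts for 4720/4767/1102, run offline over constructed Security-log events. The Splunk search string is an assumed equivalent; its index and sourcetype names are not from the paper.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed equivalent Splunk search (index and sourcetype names are assumptions, not from the paper).
SPL_BRUTE_FORCE = ("index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 | bucket _time span=5m "
                   "| stats count dc(TargetUserName) AS targets BY _time, IpAddress | where count >= 10")
# Event IDs from the monitoring plan that warrant an alert on a single occurrence.
SINGLE_HIT_ALERTS = {4720: "new account created", 4767: "account unlocked", 1102: "audit log cleared"}

def detect_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window count of 4625 per source IP; returns {ip: (failures, distinct_users)}."""
    recent, users, hits = defaultdict(deque), defaultdict(set), {}
    for ts, code, ip, user in sorted(events):
        if code != 4625:
            continue
        t = datetime.fromisoformat(ts)
        recent[ip].append(t)
        users[ip].add(user)
        while t - recent[ip][0] > window:      # drop failures older than the window
            recent[ip].popleft()
        if len(recent[ip]) >= threshold:
            hits[ip] = (len(recent[ip]), len(users[ip]))
    return hits

def detect_success_after_failures(events, min_failures=5, window=timedelta(minutes=5)):
    """A 4624 success preceded by >= min_failures 4625 from the same source: likely a guessed password."""
    failures, alerts = defaultdict(list), []
    for ts, code, ip, user in sorted(events):
        t = datetime.fromisoformat(ts)
        if code == 4625:
            failures[ip].append(t)
        elif code == 4624:
            n = sum(1 for f in failures[ip] if t - f <= window)
            if n >= min_failures:
                alerts.append((ip, user, n))
    return alerts

def single_hit_alerts(events):
    """Events that are alert-worthy on their own (new account, unlock, audit log cleared)."""
    return [(ts, ip, SINGLE_HIT_ALERTS[code]) for ts, code, ip, _ in events if code in SINGLE_HIT_ALERTS]

# Constructed sample events: (timestamp, EventCode, IpAddress, TargetUserName).
SAMPLE_EVENTS = (
    [(f"2025-01-01 10:00:{i:02d}", 4625, "192.168.10.250", "administrator") for i in range(0, 24, 2)]
    + [("2025-01-01 10:00:30", 4624, "192.168.10.250", "administrator"),   # success right after the burst
       ("2025-01-01 10:02:00", 4625, "192.168.10.55", "alice"),            # one mistyped password, benign
       ("2025-01-01 10:04:00", 1102, "192.168.10.7", "administrator")]     # audit log cleared on the DC
)
```

With the sample data the attacker's 12 failures in under a minute trip the threshold, the single failure from the client does not, and the success at 10:00:30 is flagged because it follows the burst from the same source.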
Implementation Methodology
The system is deployed virtually with the following components:
AD Server (Microsoft Server 2022)
Splunk Server (for analytics and alerting)
Linux Machine (attack simulator)
Client PCs
DHCP server
Logs are continuously monitored and analyzed by Splunk for threats such as unauthorized access, brute-force attacks, and insider activity.
Performance observations:
Response Time: Detected and responded in near real-time
False Positives: Minimal, indicating accurate rule definitions
Log Processing Efficiency: Handled large volumes of logs effectively
Observations from the attack simulation:
Detected a spike in failed logins from the Linux attacker (192.168.10.250)
Identified repeated attempts to access privileged accounts
Alerts triggered in real time, notifying admins and displaying attack details on dashboards
Conclusion
The integration of Active Directory (AD) with Splunk SIEM provides a scalable, automated, and intelligence-based cybersecurity application, significantly enhancing security operations through real-time monitoring, automated threat response, and forensic analysis. By addressing the shortcomings of traditional AD security, the proposed system delivers real-time threat detection through SIEM-based log correlation, automated incident response through PowerShell scripting, and advanced security analytics through Splunk dashboards.
Controlled attack simulations demonstrated the system's effectiveness, achieving high detection accuracy, minimal false positives, and improved response automation, effectively reducing attack dwell time and improving operational resilience. This research highlights the importance of integrating AD with Splunk SIEM to establish a proactive, intelligence-driven security framework that strengthens enterprise security, minimizes cyber risks, and ensures regulatory compliance. Through real-time security monitoring, automated processes, and advanced threat analytics, organizations can significantly improve their security posture and adaptability in an evolving threat landscape.