Active Directory Protection & SIEM with Threat Prevention & Threat Manager

Overview

Implemented Netwrix Threat Prevention (formerly Stealth Intercept) for Active Directory security, and Netwrix Threat Manager as the SIEM. Configured playbooks and set preemptive actions against threats.

Roles and Responsibilities

Deployment & Configuration

• Deployed Stealth Intercept agents on domain controllers, privileged admin workstations, and key servers.
• Configured Threat Manager to ingest agent telemetry, analyze behavior, and classify events.
• Enabled and customized playbooks to respond to suspicious AD activities (e.g., authentication anomalies, privilege escalation).

Security Hardening & Automation

• Implemented role‑based access and least‑privilege for Threat Manager UI and playbook execution.
• Secured communications between Stealth Intercept agents and the SIEM.

Testing & Scenario-Based Verification

• Designed and ran attack simulations (lateral movement, privileged account compromise, suspicious logins) to validate alerting and automated responses.

Threat Simulation

Simulated real-world AD attacks to validate detection and responses:

• Mimikatz credential extraction & DC sync attempts
• PowerShell-based password spray
• Unauthorized changes to privileged/default/custom AD groups
• Verified rules blocked or alerted on malicious actions and triggered correct playbooks.

Documentation & Knowledge Transfer

• Produced architecture diagrams, deployment guides, playbook configurations, and response runbooks.

Impact

• Improved detection and response; reduced MTTR via automated playbooks.
• Reduced manual workload by automating common AD threat scenarios.
• Strengthened AD security posture with visibility into privileged behavior and anomalies.
• Enhanced compliance and audit readiness with detailed event and response trails.

Tools & Technologies used