Upon request from our security people, I have made a PowerShell module that collects non-log data from AD and pushes it as logs to the loginsight server. This way they can have a dashboard of data that is either not accessible from logs, or where log retrieval would mean a massive search through all available data, and thus very slow searches. I have built this in this way:
1. PowerShell scripts running as scheduled jobs on a Windows server; these send the result data as log entries to loginsight
2. PowerCLI scripts running as scheduled jobs on a Windows server; these send the result data as log entries to loginsight
I am right now working on collecting all the desired data I can deliver easily, but would appreciate ideas for more extracts that fit the purpose here.
This is the data I am currently extracting and converting to logs:
1. Inactive users in AD (haven't logged in within 90+ days), with 1 log entry per user, including last logon date and full name
2. Service accounts that haven't logged in for x number of days (possibly inactive)
3. Total number of inactive accounts and some other stats (not possible to extract from logs, as inactive accounts do not generate logs)
4. Number of accounts in AD with Domain Admin access, and also some other access levels. Also a list of these.
5. Servers/machines that haven't been active for the last 90/180/360 days
6. Servers in specific OUs that do not have a corresponding VM registered
7. VMs that do not have an AD object associated with them
So now I am looking for ideas for more information of this type that others would like to see in a package like this. As I have been working on specific requests it has been easy for me so far, but what would others like to see in such an extract package?
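
Item 1 of the list above (one log entry per inactive user) as an added example, not the poster's module: it builds a payload for the Log Insight event ingestion API and handles accounts that have never logged on. The host name, agent ID, `ad_*` field names and the sample users are assumptions constructed for illustration.

```powershell
# Added example: host, agent ID and ad_* field names are placeholders/assumptions.
$LogInsightHost = 'loginsight.example.local'              # placeholder
$AgentId        = '00000000-0000-0000-0000-000000000001'  # placeholder UUID
$InactiveDays   = 90

function ConvertTo-LogInsightEvent {
    # Turns one AD user object into one Log Insight event (one log entry per user).
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [datetime] $Now = (Get-Date)
    )
    process {
        # LastLogonDate is $null for never-used accounts; it replicates with up to ~14 days lag.
        if ($User.LastLogonDate) {
            $last = $User.LastLogonDate.ToString('yyyy-MM-dd')
            $idle = [int]($Now - $User.LastLogonDate).TotalDays
        } else {
            $last = 'never'
            $idle = -1   # sentinel so dashboards can chart never-used accounts separately
        }
        @{
            text   = "ad_inactive_user sam=$($User.SamAccountName) last_logon=$last"
            fields = @(
                @{ name = 'ad_report';     content = 'inactive_user' }
                @{ name = 'ad_sam';        content = [string]$User.SamAccountName }
                @{ name = 'ad_full_name';  content = [string]$User.Name }
                @{ name = 'ad_last_logon'; content = $last }
                @{ name = 'ad_idle_days';  content = [string]$idle }
            )
        }
    }
}

# Constructed sample users so the conversion can be checked without a domain.
# In the scheduled job, replace this array with:
#   Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate
$users = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';    Name = 'Jane Doe';    LastLogonDate = (Get-Date).AddDays(-200) }
    [pscustomobject]@{ SamAccountName = 'svc_old'; Name = 'Old Service'; LastLogonDate = $null }
    [pscustomobject]@{ SamAccountName = 'active';  Name = 'Active User'; LastLogonDate = (Get-Date).AddDays(-3) }
)
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$events = @($users | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    ConvertTo-LogInsightEvent)

$body = @{ events = $events } | ConvertTo-Json -Depth 5
$body   # inspect the payload (2 events here); uncomment below to send it
# $uri = "https://${LogInsightHost}:9543/api/v1/events/ingest/$AgentId"
# Invoke-RestMethod -Uri $uri -Method Post -ContentType 'application/json' -Body $body
```

Sending each attribute as a separate field, rather than only inside the message text, lets the dashboard filter and group on it without a text search.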