Identity & Cloud Monitoring
Active Directory, Azure AD, and AWS IAM — continuous
What it does
AlertMonitor monitors your identity infrastructure continuously — Active Directory, Azure AD (Entra ID), and AWS IAM — for the events that matter most: privilege escalation, account creation outside change windows, anomalous login patterns, and cloud permission misconfigurations. All identity events flow into one unified alert stream, enriched with user context and risk scoring before your analyst sees them.
Why identity is the primary target: Credential-based attacks accounted for over 60% of breach entry points last year. Monitoring network perimeters alone leaves identity completely dark. AlertMonitor brings your AD, Entra, and AWS IAM into the same pane where your network and endpoint security live.
Capabilities
- Active Directory monitoring: new admin accounts, group changes, lockouts, replication failures
- Azure AD / Entra ID: new Global Admins, MFA bypass events, impossible travel, Conditional Access failures
- AWS IAM: overly permissive policy changes, new root account use, IAM key creation and usage
- Anomalous login detection: off-hours access, new source IP, impossible geography
- Account takeover indicators: password spray patterns, credential stuffing signatures
- All identity alerts correlated with endpoint and network context for full attack chain visibility
How it works
Identity data is collected via Azure Monitor / Graph API for cloud identities and WMI/agent-based collection for on-premises AD. AWS CloudTrail events are ingested directly. All events are normalized to a common schema and run through the AlertMonitor AI enrichment engine, which assigns risk scores, flags anomalies against historical baselines, and suppresses known-good noise before analyst review.
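The pipeline described above (collect from several sources, normalize to a common schema, score against a per-user baseline, suppress known-good noise) sketched as an added example. This is illustrative code written for this page, not AlertMonitor's own implementation: the `NormalizedEvent` schema, the baseline structure, the risk weights and the suppression list are all assumptions of the example, and the CloudTrail, Entra ID sign-in and Windows Security log records are constructed samples shaped after each source's native field names.

```python
"""Normalize identity events from three sources into one schema, then score
them against a simple historical baseline. Example code, not a product API."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Actions a reviewer would always want to see: IAM mutations and AD group changes.
# Windows event IDs: 4720 user created, 4728/4732/4756 member added to a group.
PRIVILEGED_ACTIONS = {"CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
                      "CreateUser", "4720", "4728", "4732", "4756"}

@dataclass
class NormalizedEvent:
    source: str                 # which collector produced the record
    ts: datetime                # UTC timestamp
    user: str                   # normalized short user name (assumption: local part, lower-case)
    action: str                 # event name or Windows event ID as string
    src_ip: Optional[str]
    success: bool
    target: Optional[str] = None   # e.g. group an account was added to
    risk: int = 0
    reasons: List[str] = field(default_factory=list)

@dataclass
class Baseline:
    known_ips: Set[str]
    work_hours: Tuple[int, int] = (8, 18)   # UTC hours historically seen for this user

# Constructed baselines standing in for what the enrichment engine would learn.
BASELINES = {
    "alice": Baseline(known_ips={"198.51.100.10"}),
    "svc-backup": Baseline(known_ips={"198.51.100.20"}, work_hours=(0, 24)),
}
# Known-good automation: nightly key rotation by a service account from its usual IP.
SUPPRESS = {("svc-backup", "CreateAccessKey")}

def parse_ts(value: str) -> datetime:
    # fromisoformat() before Python 3.11 rejects a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def from_cloudtrail(rec: dict) -> NormalizedEvent:
    ident = rec.get("userIdentity", {})
    user = "root" if ident.get("type") == "Root" else ident.get("userName", "unknown").lower()
    return NormalizedEvent("aws_cloudtrail", parse_ts(rec["eventTime"]), user,
                           rec["eventName"], rec.get("sourceIPAddress"),
                           rec.get("errorCode") is None)

def from_entra_signin(rec: dict) -> NormalizedEvent:
    user = rec["userPrincipalName"].split("@")[0].lower()
    return NormalizedEvent("entra_signin", parse_ts(rec["createdDateTime"]), user,
                           "SignIn", rec.get("ipAddress"), rec["status"]["errorCode"] == 0)

def from_ad_security(rec: dict) -> NormalizedEvent:
    return NormalizedEvent("ad_security", parse_ts(rec["TimeCreated"]),
                           rec["SubjectUserName"].lower(), str(rec["EventID"]),
                           rec.get("IpAddress"), True, target=rec.get("TargetUserName"))

def score(ev: NormalizedEvent) -> NormalizedEvent:
    base = BASELINES.get(ev.user, Baseline(known_ips=set()))
    # Suppression: expected automation from its baseline IP never reaches the analyst.
    if (ev.user, ev.action) in SUPPRESS and ev.src_ip in base.known_ips:
        ev.reasons.append("suppressed: known-good automation from baseline IP")
        return ev
    if ev.user == "root":
        ev.risk += 30; ev.reasons.append("aws root account use")
    if ev.action in PRIVILEGED_ACTIONS:
        ev.risk += 40; ev.reasons.append(f"privileged action {ev.action}")
    if ev.src_ip and ev.src_ip not in base.known_ips:
        ev.risk += 30; ev.reasons.append(f"new source ip {ev.src_ip}")
    start, end = base.work_hours
    if not (start <= ev.ts.hour < end):
        ev.risk += 20; ev.reasons.append(f"off-hours ({ev.ts.hour:02d}:00 UTC)")
    if not ev.success:
        ev.risk += 10; ev.reasons.append("failed attempt")
    return ev

def run_pipeline(cloudtrail: list, entra: list, ad: list) -> List[NormalizedEvent]:
    events = ([from_cloudtrail(r) for r in cloudtrail] +
              [from_entra_signin(r) for r in entra] +
              [from_ad_security(r) for r in ad])
    return sorted((score(e) for e in events), key=lambda e: e.risk, reverse=True)

# Constructed sample records (not real telemetry).
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-05-03T02:14:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.7", "errorCode": None},
    {"eventTime": "2024-05-03T03:00:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup"},
     "sourceIPAddress": "198.51.100.20", "errorCode": None},
]
SAMPLE_ENTRA = [
    {"createdDateTime": "2024-05-03T10:05:00Z", "userPrincipalName": "Alice@example.com",
     "ipAddress": "198.51.100.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-03T23:40:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.55", "status": {"errorCode": 50126}},  # invalid credentials
]
SAMPLE_AD = [
    {"TimeCreated": "2024-05-03T22:30:00Z", "EventID": 4728, "SubjectUserName": "Bob",
     "TargetUserName": "Domain Admins", "MemberName": "CN=mallory,OU=Users,DC=example,DC=com"},
]

if __name__ == "__main__":
    for ev in run_pipeline(SAMPLE_CLOUDTRAIL, SAMPLE_ENTRA, SAMPLE_AD):
        print(f"{ev.risk:4d} {ev.source:15s} {ev.user:12s} {ev.action:16s} {'; '.join(ev.reasons)}")
```

Running the block prints the unified stream ordered by risk: the root-account key creation at 02:14 from an unseen address tops the list, the off-hours failed sign-in and the Domain Admins group change follow, and both the service account's scheduled key rotation and Alice's daytime sign-in from her usual address score zero. The weights are arbitrary; the structure is what matters: one schema regardless of source, every score traceable to a named reason, and suppression decided before anything reaches an analyst.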