We are auditing our Active Directory environment. For auditing purposes we are using logs (Event Viewer).
Sometimes our logs are fully occupied by event ID 521, so auditing data is lost.
521 event format: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=521
So is there any other possibility to get events via a Windows driver?
We need a solution like a file system minifilter.
GitHub link: https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter
Note:
We need to intercept AD object creation and modification activities from a Windows driver.