About This Architecture
This diagram shows an Active Directory forest with a centralized forensic logging architecture that uses Group Policy to enforce advanced auditing and Sysmon telemetry across servers, workstations, and legacy systems. A single GPO, Forensic_Logging_Policy, is linked to three organizational units (Servers, Workstations, and Legacy), so every domain-joined endpoint receives the same audit and Sysmon configuration regardless of its role or OS generation. Endpoints stream Sysmon and Windows Event Log data to a centralized Audit Policy Store, which supports threat hunting and compliance auditing. The design demonstrates defense-in-depth logging practices that support incident response, forensic investigations, and regulatory compliance. Fork this diagram on Diagrams.so to customize OUs, add additional collectors, or integrate with SIEM platforms like Splunk or ELK. The tiered design separates Domain, Services, OU, and Logging concerns for scalability and maintainability.
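A practical way to validate this design is to check, on each endpoint, that the GPO actually applied, that Sysmon is running and producing events, that the expected advanced audit subcategories are enabled, and that forwarding to the central collector is configured. The script below is an added example, not part of the diagram or any vendor tooling; it assumes the Sysmon service is named `Sysmon64`, that the GPO enables at least the four subcategories listed, and that forwarding uses Windows Event Forwarding (which writes its subscription manager URL to the registry key checked here). Run it elevated.

```powershell
# Added example: endpoint self-check for the Forensic_Logging_Policy telemetry.
# Assumptions (not from the diagram): service name Sysmon64, the subcategory list
# below, and WEF as the forwarding mechanism to the Audit Policy Store.

$ExpectedSubcategories = @(
    'Process Creation',
    'Logon',
    'Security Group Management',
    'Audit Policy Change'
)

function Test-GpoApplied {
    # gpresult lists applied GPOs for the computer scope; look for ours by name.
    $gp = & gpresult.exe /r /scope:computer 2>$null
    return [bool]($gp -match 'Forensic_Logging_Policy')
}

function Test-SysmonTelemetry {
    $svc = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { return $false }
    # A running service is not enough: require a Sysmon event in the last hour
    # so a broken driver or empty config is detected too.
    $recent = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        StartTime = (Get-Date).AddHours(-1)
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    return [bool]$recent
}

function Get-MissingAuditSubcategories {
    $missing = @()
    foreach ($sub in $ExpectedSubcategories) {
        # auditpol prints "Success", "Failure", "Success and Failure" or "No Auditing".
        $out = & auditpol.exe /get /subcategory:"$sub" 2>$null
        if (-not ($out -match 'Success')) { $missing += $sub }
    }
    return $missing
}

function Test-ForwardingConfigured {
    # Group Policy stores the WEF SubscriptionManager URL under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    return (Test-Path $key)
}

[pscustomobject]@{
    GpoApplied           = Test-GpoApplied
    SysmonTelemetry      = Test-SysmonTelemetry
    MissingAuditSubcats  = (Get-MissingAuditSubcategories) -join ', '
    ForwardingConfigured = Test-ForwardingConfigured
} | Format-List
```

Any `False` or non-empty `MissingAuditSubcats` value on a host in the Servers, Workstations, or Legacy OU indicates a gap between the intended GPO and what the endpoint is actually sending to the Audit Policy Store.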