This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

User activity audit question

k_bolt over 1 year ago

Hello everyone.

My team is looking for a SIEM and SEM looks promising. I see that it can pull logs & events from Windows nodes via agent. What kind of user activity would that agent be able to pull to send to SEM?

This is in an AD environment, domain-joined PCs. Would it only be able to capture logon/logoff events? Or can it report on what the user does on the local machine? Say changing the default web browser, installing some unwanted software, or even open CMD or Powershell? Some of these PCs are shared so I can't depend on the InsertionIP or DetectionIP as seen in the demos, so I want to be able to trace user activity back to the user who did it, basically non-repudiation.

It's hard to describe the anomalous behavior but basically we want to catch it, if it happens. Am I asking for too much here? Please let me know. Thanks.

Parents

0 npatterson over 1 year ago

You can monitor the majority of what you're asking but please note this will required to enable additional audit policy controls that are not turned on by default.

Logon and off YES

installation of software yes

cmd PowerShell must enable more audit controls

the most time the ad username is presented in transactions.

UEBA is not present for anomalous behavior so this it not going to work.

This will take a little research but you must determine what event ID for windows your want and make sure the corresponding audit rules are enabled.

I good start is to use the MS security baseline for policy control

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10

Hope this Helps
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 npatterson over 1 year ago

You can monitor the majority of what you're asking but please note this will required to enable additional audit policy controls that are not turned on by default.

Logon and off YES

installation of software yes

cmd PowerShell must enable more audit controls

the most time the ad username is presented in transactions.

UEBA is not present for anomalous behavior so this it not going to work.

This will take a little research but you must determine what event ID for windows your want and make sure the corresponding audit rules are enabled.

I good start is to use the MS security baseline for policy control

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10

Hope this Helps
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data