0 Replies Latest reply on Jul 18, 2016 2:07 AM by fazl azeem

    LEM

    fazl azeem

      I want to know how LEM can provide details about the points given below:

       

      Microsoft Windows Active Directory Server

      Unusual Login Activity (from different locations/country)

      Unauthorized Password Resets

      Unusual Password Reset Attempts

      Access to NON-AUTHORIZED devices

      Brute Force Login Attempts using the same username (password dictionary)

      Brute Force Login Attempts from the same source IP

      Multiple account logins from a single host

      Privileged Account Usage

      Successful logins from untrusted locations

      User logged in from source IP local within LAN

      Suspicious Admin Activity such as privileged access and remote execution

      High number of login failures for the same account within a short period of time

      High number of login failures for different accounts within a short period of time

      Identify when an admin user clears the audit logs from the Windows server

      Failed Logins with disabled accounts

      Failed logins with admin IDs

      Logon Failure - A logon attempt was made by a user who is not allowed to log on to this computer

      Logon Failure - A logon attempt was made using an expired account

      Windows Security Log is full

      Detection of system time changes

      User added and removed within a short period of time

      Detection of users being added or removed from the admin group

      Multiple Failed Login attempts (more than 3) for the same user ID followed by a successful login

      Detection of adding user account to a privilege group

      Detection of any logon event as built-in administrator

      Detection of audit policy changes

      Detection of domain policy changes

      Detection of high privileges user granted

      Detection of logon

      User account enabled

      Local user created

      A new service installed

      Modification to a Group Policy Object

      Permissions Change to an Organizational Unit

      Group policy object links changed on an organizational unit, or Enforced enabled or disabled

      Organizational Unit deleted

      Group Policy Object deleted

      Detection of adding an object to a security group (e.g. domain controller)