I'm Shawn Barker, product manager at Quest Software. Today I'm going to demonstrate how On Demand Audit can simplify the searching and alerting on suspicious logon activity in your Active Directory, Office 365, or hybrid environment. With Change Auditor for logon activity, you can promote better security, auditing, and compliance in your organization by capturing, alerting, and reporting on all user logon, logoff, and sign-in activity, both on premises and in the cloud.
With just a few clicks, you can pair Change Auditor and On Demand Audit to get a single hosted view of all changes made across AD, Azure AD, and Office 365. Change Auditor's on-prem agents ensure that you can continue to collect high-fidelity on-premises activity, including authentication, and On Demand Audit makes it very easy to search and alert on that data.
I'll start with some searches. I'll look at all logon activity that has occurred in the last seven days and run that report. You can see that the report generates very quickly. It's also super simple to modify these reports with On Demand Audit. Instead of seven days, I'm going to change the time range to 14 days. And you can see the new results are reflected immediately.
Logon activity results include both user logons, as well as server and application authentications. In this case, I'm troubleshooting a problem related to a user. So I'll exclude all computer accounts from my search. To do this, I can add a filter on the User Actor field, and I can exclude all accounts that have a dollar sign in them, which indicate that they're a machine account. Now I have a much smaller result set to work with, which is going to make troubleshooting much easier.
Let's take a look at a typical logon activity event. Every event within On Demand Audit has a very concise summary. The event displays the most important details at the top, and I can see the user account that authenticated, the domain controller it authenticated to, where the logon request originated, and if it failed, I can see the reason for the failure.
If this was a user that I was suspicious about, and I want to do some further investigation, right from the event, I can focus my search on just this user account. Now I have an audit trail of all activity that has been performed by this user. I'm not so concerned about all the other logon activity associated with this user right now, because it's going to be fairly noisy. So I'll exclude that from my search.
And I'll take a look at all the activity that this user initiated in Active Directory within a similar time frame of that suspicious logon. Here are all the AD changes that this user made. And in this particular example, I'm looking at-- it shows a server that they moved within Active Directory, along with all the details of that move, including the before and after values.
Another logon activity use case is identifying users, but more likely applications, which are using older versions of authentication protocols, in this case, NTLM version 1. I run the report, get quick results. I see a lot of noise from these Exchange Help mailboxes. And I want to investigate that. But for the moment, I'm going to exclude them from my search to see if there are any other applications that are using NTLM version 1. I can do this quickly by adding a filter to my existing search.
Now, I actually want to exclude these mailboxes. I'm going to quickly change the search criteria to "does not contain". And now I can see the other application that's using NTLM version 1. I can look at the Event Summary and see that the application is using a built-in account. I can see the server that it is authenticating to and the originating IP address. And if I scroll down further into the details, I can see the origin name, which will give me some additional context as to what application is initiating these requests.
On Demand Audit is not only auditing on-premises logon activity, but also Azure Active Directory sign-ins. I'm going to look at all the failed Azure AD sign-ins here and show a sample event. The event summary lays everything out for me: the user account that failed to sign in, the application they were attempting to sign in to, the geographical region the sign-in originated from, and the reason for the failure.
Another great feature of On Demand Audit is that I can take the result of any search and turn it into a dashboard. This feature visualizes my results, puts them into a dashboard for me. There's a sign-ins dashboard as well. For these failed sign-ins, I can filter by user. I can see the applications that they attempted to access. I can see the failure trend over time. And they're also plotted on a map for me, which makes it very easy to find anomalous activity.
Finally, On Demand Audit can also detect potential exploits of the well-known Kerberos vulnerability known as golden tickets or pass the ticket. This is when a hacker uses a tool like Mimikatz to generate a Kerberos ticket that mimics a valid user in Active Directory and has a very long lifetime. The event details will tell you which user they are impersonating, as well as the SID, which is important in this case, as it may not match the username the hacker provided in the ticket.
In this case, the hacker used a well-known built-in administrator SID, which is going to give them elevated privileges. Since the username can't be relied on, and the hacker could have multiple golden tickets, if I want to track the hacker's other actions, I can create a search right from this event to see all activity that originated from the same machine IP. Finally, with the click of a button, I can turn this search into a proactive alert so I'm notified the next time an exploit is detected.
As you've seen today, the On Demand Audit hybrid suite with Change Auditor enables you to accelerate investigations, troubleshoot the source of failed logons, detect the use of Kerberos vulnerabilities, and identify users and applications which are still using legacy authentication methods.
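Added example, not Quest's code or On Demand Audit's own logic: a small Python detection pass over constructed logon events that mirrors the checks walked through in the demo, namely the machine-account dollar-sign filter, the NTLM v1 search, the username-versus-SID comparison used to spot a golden ticket, and the pivot to all activity from the same source IP. It assumes the built-in Administrator account keeps its default name and well-known RID 500, and that the default 10-hour ticket lifetime applies.

```python
from dataclasses import dataclass

BUILTIN_ADMIN_RID = 500  # well-known RID of the built-in Administrator account
MAX_TICKET_HOURS = 10    # default Kerberos TGT lifetime in an AD domain (assumption)

@dataclass
class LogonEvent:
    user: str            # account name presented at logon
    sid: str             # SID resolved for the logon
    protocol: str        # "Kerberos", "NTLM V1" or "NTLM V2"
    source_ip: str       # originating address
    lifetime_hours: int = MAX_TICKET_HOURS  # only meaningful for Kerberos tickets

def is_machine_account(user: str) -> bool:
    # Computer accounts carry a '$' in the name; the demo's exclusion filter relies on this.
    return "$" in user

def legacy_auth(events, include_machines=True):
    """Logons that still used NTLM v1; optionally drop computer accounts to focus on users."""
    return [e for e in events if e.protocol == "NTLM V1"
            and (include_machines or not is_machine_account(e.user))]

def suspicious_tickets(events):
    """Kerberos logons whose presented name and SID disagree, or whose lifetime is abnormal."""
    hits = {}
    for e in events:
        if e.protocol != "Kerberos":
            continue
        reasons = []
        rid = int(e.sid.rsplit("-", 1)[1])  # relative identifier is the last SID component
        if rid == BUILTIN_ADMIN_RID and e.user.lower() != "administrator":
            reasons.append("name/SID mismatch on built-in admin SID")
        if e.lifetime_hours > MAX_TICKET_HOURS:
            reasons.append("ticket lifetime exceeds domain policy")
        if reasons:
            hits[e.user] = reasons
    return hits

def activity_from_ip(events, ip):
    """Pivot from one suspicious event to everything that originated from the same address."""
    return [e for e in events if e.source_ip == ip]

# Constructed sample events for illustration only (not real data)
SAMPLE = [
    LogonEvent("alice", "S-1-5-21-1-2-3-1105", "Kerberos", "10.0.0.5"),
    LogonEvent("SRV01$", "S-1-5-21-1-2-3-1200", "NTLM V1", "10.0.0.9"),
    LogonEvent("svc_legacy", "S-1-5-21-1-2-3-1301", "NTLM V1", "10.0.0.7"),
    LogonEvent("jdoe", "S-1-5-21-1-2-3-500", "Kerberos", "10.0.0.66", lifetime_hours=87600),
    LogonEvent("Administrator", "S-1-5-21-1-2-3-500", "Kerberos", "10.0.0.2"),
    LogonEvent("jdoe", "S-1-5-21-1-2-3-1105", "NTLM V2", "10.0.0.66"),
]
```

Run `suspicious_tickets(SAMPLE)` to get the flagged ticket and its reasons, then `activity_from_ip(SAMPLE, "10.0.0.66")` to see the other events from the same address, as the demo does from the event view.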