May the 4th Be with You: The Force Awakens with AD/Windows Security Investigation Tools

"There's been an awakening. Have you felt it?" ― Supreme Leader Snoke

SIEM solutions are great for security teams that need to collect and analyze logs across the entire network. They are a necessary evil, like the dark side, but they present a few problems when it comes to protecting Microsoft Windows servers:

  1. Often Microsoft administrators lack real-time access to SIEM data.
  2. Windows native logs create a lot of noise, which adds to the cost and size of SIEM databases.
  3. Windows native logs are difficult to decipher.
  4. SIEM solutions may not do a good job of correlating data between disparate systems.
  5. SIEM solutions may not automate remediation and recovery.

At Quest, we want to bring balance to the Force with a relatively new solution with Jedi Master powers: IT Search. This powerful and seductive web-based search tool allows you to easily correlate disparate data across your Windows environment, including log data and server permissions.

IT Search allows Microsoft admins to bypass native logs and use a "Google like" search tool to investigate data breaches from the dark side.

Let's Take a Look:

Perform on-the-fly compliance and security investigations with natural-language, intuitive search terms. Here we searched for "Administrator" and the results show Who, When, Workstation, and Where.

  

 

Quickly find what you’re looking for with contextual filters. Drilling down into the Administrator results and filtering by date, What and Workstation shows more detail.
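The "who, when, workstation, where" view above is built from the same Security log events that native tooling exposes. As an added example (not Quest's or IT Search's code), this PowerShell function pulls the same four columns for one account directly from the Security log with Get-WinEvent. It assumes an elevated session on a domain controller or member server whose audit policy records logon events (event ID 4624); the account name and the seven-day window are constructed for illustration.

```powershell
# Added example, not Quest's or IT Search's code: answer "who, when, workstation, where"
# for an account from the native Security log. Assumes an elevated session on a domain
# controller or member server whose audit policy records logon events (event ID 4624).
function Get-AccountLogons {
    param(
        [Parameter(Mandatory)][string]$Account,      # e.g. 'Administrator' (constructed example)
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Filter inside the event log service with XPath instead of pulling every event
    # into PowerShell; timediff() is measured in milliseconds back from now.
    $window = $Days * 86400000
    $xpath  = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $window]]" +
              " and EventData[Data[@Name='TargetUserName']='$Account']]"

    $events = Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No 4624 events for '$Account' in the last $Days days on $ComputerName"
        return
    }

    foreach ($e in $events) {
        # EventData is a list of <Data Name="..."> elements; flatten it into a hashtable.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            When        = $e.TimeCreated
            Who         = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType                   # 2 interactive, 3 network, 10 RemoteInteractive (RDP)
            Workstation = $d.WorkstationName             # client name as reported by the logon process
            Where       = $d.IpAddress                   # source address; '-' or '::1' for local logons
            LogonId     = $d.TargetLogonId               # correlate with 4634/4647 to bracket the session
            AuthPackage = $d.AuthenticationPackageName   # NTLM where Kerberos is expected is itself a signal
        }
    }
}

# Constructed usage: recent Administrator logons, newest first.
Get-AccountLogons -Account 'Administrator' -Days 7 |
    Sort-Object When -Descending |
    Format-Table When, Who, LogonType, Workstation, Where, AuthPackage -AutoSize
```

Two caveats a practitioner will hit immediately: WorkstationName is often empty for Kerberos network logons, so the IpAddress column is the reliable "where"; and each server's Security log only knows about logons it authenticated, so a domain-wide answer means running this against every domain controller (or forwarding the events), which is exactly the correlation burden the text attributes to native logs.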

 

View event-data relationships to speed up IT investigations. With a few more clicks we drill into one of our admins, Marian Richardson, and can see her activity, the files and folders she owns, and her permissions.

 

Easily understand the “who, what, where and how” of user access. Here we're investigating access rights to Bonuses.txt within a Finance share.

 

Leverage full-text search capabilities for historical data. Here we're investigating which admin accounts have Full Control over .txt files.
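Both of the last two screens (access rights to one file, and which accounts hold Full Control over .txt files across a share) can be answered from native NTFS ACLs. The following is an added example, not Quest's or IT Search's code: the first function scans a share for Full Control grants on matching files, and the second answers the "how" for one user by checking whether an ACE applies directly or through an AD group. It assumes the RSAT ActiveDirectory module for the group lookup; the share path, file name and account names are constructed.

```powershell
# Added example, not Quest's or IT Search's code: the "who, what, where and how" of
# file access from native NTFS ACLs. Paths and account names below are constructed.
Import-Module ActiveDirectory   # only needed by Get-FileAccessPath

function Get-FullControlOnFiles {
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. \\fileserver\Finance (constructed)
        [string]$Filter = '*.txt',
        [string[]]$Identity                    # optional: only report these DOMAIN\account or group names
    )
    Get-ChildItem -Path $Path -Filter $Filter -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName
            foreach ($ace in $acl.Access) {
                # FileSystemRights is a flags enum; a FullControl grant can show up as the
                # name or as a raw mask, so test the bits rather than comparing strings.
                $full = [System.Security.AccessControl.FileSystemRights]::FullControl
                if ($ace.AccessControlType -eq 'Allow' -and
                    $ace.FileSystemRights.HasFlag($full) -and
                    (-not $Identity -or $Identity -contains $ace.IdentityReference.Value)) {
                    [pscustomobject]@{
                        Path      = $file.FullName
                        Owner     = $acl.Owner
                        Identity  = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited   # an explicit grant on one file is the interesting case
                    }
                }
            }
        }
}

function Get-FileAccessPath {
    # For one file and one user: every ACE that applies to the user, and whether it does so
    # directly or via a domain group. Only direct group memberships are resolved here;
    # nested groups and BUILTIN/local groups are not expanded (a known gap of this example).
    param(
        [Parameter(Mandatory)][string]$File,            # e.g. \\fileserver\Finance\Bonuses.txt
        [Parameter(Mandatory)][string]$SamAccountName   # e.g. mrichardson
    )
    $domain = (Get-ADDomain).NetBIOSName
    $me     = "$domain\$SamAccountName"
    $groups = (Get-ADPrincipalGroupMembership -Identity $SamAccountName).SamAccountName
    foreach ($ace in (Get-Acl -LiteralPath $File).Access) {
        $id  = $ace.IdentityReference.Value
        $via = $null
        if ($id -eq $me) { $via = 'direct' }
        elseif ($id -like "$domain\*" -and $groups -contains $id.Split('\')[1]) { $via = "group $id" }
        if ($via) {
            [pscustomobject]@{
                File      = $File
                User      = $me
                Via       = $via
                Type      = $ace.AccessControlType    # a Deny via one group beats an Allow via another
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed usage.
Get-FullControlOnFiles -Path '\\fileserver\Finance' -Filter '*.txt' | Format-Table -AutoSize
Get-FileAccessPath -File '\\fileserver\Finance\Bonuses.txt' -SamAccountName 'mrichardson' | Format-Table -AutoSize
```

The explicit Deny case matters: when Get-FileAccessPath returns both a Deny via one group and an Allow via another, the Deny wins, so a user who "has Full Control" on paper may be locked out, and the reverse mistake (an inherited Allow nobody noticed) is the more common finding in a breach investigation.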


Use the History tab to see before-and-after values for changes to AD objects and perform restores on the fly.
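The native equivalent of a before/after history for an AD object is the Directory Service Changes audit event (ID 5136) on the domain controller that took the write, and the native equivalent of an on-the-fly restore is the AD Recycle Bin. As an added example (not Quest's or IT Search's code), the following reconstructs the old and new value of each changed attribute from 5136 events and restores a deleted user. It assumes "Audit Directory Service Changes" is enabled and the object carries a SACL, that the RSAT ActiveDirectory module is present, and that the AD Recycle Bin feature is enabled; the distinguished name and account names are constructed.

```powershell
# Added example, not Quest's or IT Search's code: before/after values of AD object changes
# from native Directory Service auditing (event 5136), plus a Recycle Bin restore.
# Assumes "Audit Directory Service Changes" is enabled and the object has a SACL, the
# RSAT ActiveDirectory module is installed, and the AD Recycle Bin is enabled.
# The DN and account names below are constructed.
Import-Module ActiveDirectory

function Get-ADAttributeHistory {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [int]$Days = 30,
        [string]$Server = $env:LOGONSERVER.TrimStart('\')   # the DC that took the write is the one that logged it
    )
    $window = $Days * 86400000   # XPath timediff() is in milliseconds
    $xpath  = "*[System[EventID=5136 and TimeCreated[timediff(@SystemTime) <= $window]]" +
              " and EventData[Data[@Name='ObjectDN']='$ObjectDN']]"
    $events = Get-WinEvent -ComputerName $Server -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            When      = $e.TimeCreated
            Who       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Attribute = $d.AttributeLDAPDisplayName
            # OperationType codes from the 5136 event schema: %%14674 = Value Added (the new
            # value), %%14675 = Value Deleted (the old value). A replace writes one of each.
            State     = switch ($d.OperationType) {
                            '%%14674' { 'after' }
                            '%%14675' { 'before' }
                            default   { $d.OperationType }
                        }
            Value     = $d.AttributeValue
            OpId      = $d.OpCorrelationID   # shared by the before/after pair of a single write
        }
    }
}

function Restore-DeletedADUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Deleted objects keep sAMAccountName; -IncludeDeletedObjects searches the Deleted Objects container.
    $deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
                            -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
    if (-not $deleted) { throw "No deleted object with sAMAccountName '$SamAccountName' in the Recycle Bin" }
    if (@($deleted).Count -gt 1) { throw "More than one deleted object matches; restore by ObjectGUID instead" }
    # With the Recycle Bin enabled, Restore-ADObject puts the object back under its last known
    # parent with attributes and group memberships intact (a tombstone reanimation would not).
    $deleted | Restore-ADObject
    Get-ADUser -Identity $SamAccountName -Properties whenChanged
}

# Constructed usage: attribute history for an admin account, grouped into before/after pairs.
Get-ADAttributeHistory -ObjectDN 'CN=Marian Richardson,OU=Admins,DC=corp,DC=example' |
    Sort-Object When, OpId |
    Format-Table When, Who, Attribute, State, Value -AutoSize
# Restore-DeletedADUser -SamAccountName 'mrichardson'
```

Each domain controller logs only the writes it processed, so a complete history means querying every DC (or a collector the 5136 events are forwarded to); that per-DC scatter is the correlation gap a central search tool is closing here.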

  

 

To learn more about how you can rebel against the dark side and perform quick forensic investigations into security breaches, read our white paper: Tick! Tock! Have You Detected the Intruder Inside Your Network Yet?

P.S. You'll also see how we can complement your SIEM solution for better security.

Anonymous