Using Netwrix Auditor’s Interactive Search
Quick, step-by-step examples that illustrate how to use its powerful capabilities
An information security officer investigates a rogue administrator.
A systems administrator tracks down the root cause of a failure to quickly restore operations.
A security analyst investigates contractor activity and changes to contractor permissions.
An IT manager easily answers questions during an audit to prove compliance with regulations.
Keeping a close eye on privileged users
As an information security officer, you have oversight responsibility to ensure that privileged users are not abusing their elevated permissions. You also need to perform regular spot checks on privileged users in order to detect irrelevant permissions, unauthorized admin actions and instances of possible impersonation.
Let’s see how you can use the Interactive Search to perform a spot check on an admin and then unravel a complex series of suspicious actions.
Check for activity outside area of responsibility
Let’s begin our spot check of the administrator by seeing whether he did anything outside Active Directory, which by scenario is his sole area of responsibility. We start by switching to advanced mode so we can use filters right off. We’ll use an exclusion operator in order to include all systems except Active Directory. The results show that he hasn’t taken any actions outside the scope of his role using his Domain Admin credentials.
Scrutinize actions more closely
Now let’s tweak our search to carefully scrutinize his actions in Active Directory, keeping in mind that his Domain Admin rights give him ample opportunities for misconduct. We are not interested in the bulk of his routine actions — the quality of the admin’s work is his supervisor’s concern, not ours. Rather, we’re looking for any indicators of improper or otherwise suspicious behavior that may have far-reaching consequences. Hey, this one is interesting!
Glimpse an incident
We found an activity record that tells us about an administrative password reset for a highly privileged user. Let’s open it. Since this user is the Head of Accounting and Finance, if her account were to be compromised, the impostors would be able to access sensitive corporate data. Let’s look closer at related activities — there might be something else we should know about.
Interesting — we see no user password change for this account, which should normally follow an administrative password reset. Effectively, the admin now knows the credentials of the Chief Accountant. We really need to take a look at the activity of this user account on critical systems. Although it did take us some time to browse through activity trails, it wasn’t in vain, because we ended up discovering suspicious changes to sensitive financial files. Let’s take note of that.
Get more context
It’s time to ring the alarm, but let’s not leave Interactive Search quite yet. We should try to get as much context around the incident as possible. First, let’s see which workstation was used to make those changes. Hey, it was an interactive logon from another workstation through a remote connection. Because the Interactive Search gives us the workstation name, we can check the inventory list. Oh, this is bad — that workstation is assigned to our admin! Let’s note the time when the interactive logon took place and save the search.
Check the video evidence
Before we escalate the incident, let’s see if we can get some more evidence. Luckily, user activity video recording was set up on the Chief Accountant’s workstation a long time ago because of the importance of her role and the sensitivity of the data she accesses. So now we can search for the recordings to see exactly how file content was modified and what files were deleted. Here! The videos show that some payment figures and company details were changed to totally different ones.
Escalate the incident and keep digging
We discovered a serious data integrity breach. Although the malicious actions were performed using the Chief Accountant’s account, the domain administrator whose workstation was used to access the user computer is under a cloud of suspicion. It’s definitely the right time to escalate the case. But in parallel, we should continue analyzing the actions taken using both the admin’s and the Chief Accountant’s accounts. Hey, look! There’s a change here to prohibit a user password change.
Inquest and revelation
The inquest revealed the full story: The rogue administrator produced multiple failed logons while the Chief Accountant was on vacation, thereby locking her account. He did so to induce her to act in a particular way. When she returned to the office, she couldn’t log in and had to call the helpdesk. On the pretext of the official user request, the administrator reset the password but disallowed user password change. As a result, he obtained a valid password for the account. Later, he logged in to her machine via a Remote Desktop Connection and performed illicit actions, attempting to frame her for them.
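The takeover pattern the inquest describes (an administrative password reset with user password change disallowed, no user-initiated change afterwards, and a later logon of that account originating from the admin’s own workstation) can also be expressed as a detection rule over an exported activity trail. The Python below is an added example and not Netwrix Auditor code; the record fields (when, who, action, what, detail, workstation), the account and workstation names, and the 48-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample records modelled on the activity trail above; the field
# names are assumptions, not the schema of Netwrix Auditor.
SAMPLE_RECORDS = [
    {"when": "2024-03-04T09:02:00", "who": "CORP\\jsmith", "action": "Modified",
     "what": "CORP\\aking", "detail": "Password reset", "workstation": "ADMIN-WS1"},
    {"when": "2024-03-04T09:03:00", "who": "CORP\\jsmith", "action": "Modified",
     "what": "CORP\\aking", "detail": "User cannot change password: set",
     "workstation": "ADMIN-WS1"},
    # Logon of the reset account; "workstation" is the originating machine.
    {"when": "2024-03-04T11:40:00", "who": "CORP\\aking", "action": "Logon",
     "what": "FIN-WS7", "detail": "Interactive logon (remote)", "workstation": "ADMIN-WS1"},
    {"when": "2024-03-04T11:55:00", "who": "CORP\\aking", "action": "Removed",
     "what": "\\\\fs1\\finance\\payments.xlsx", "detail": "", "workstation": "FIN-WS7"},
    # Benign helpdesk reset: the user changed the password herself afterwards.
    {"when": "2024-03-05T08:00:00", "who": "CORP\\jsmith", "action": "Modified",
     "what": "CORP\\bdoe", "detail": "Password reset", "workstation": "ADMIN-WS1"},
    {"when": "2024-03-05T08:20:00", "who": "CORP\\bdoe", "action": "Modified",
     "what": "CORP\\bdoe", "detail": "Password changed by user", "workstation": "HR-WS2"},
]

def _ts(rec):
    return datetime.fromisoformat(rec["when"])

def find_password_takeovers(records, window_hours=48):
    """Flag an administrative password reset of another account when, within
    the window, the account never changed its own password but did log on
    from the resetting admin's workstation."""
    recs = sorted(records, key=_ts)
    findings = []
    for i, r in enumerate(recs):
        if r["detail"] != "Password reset" or r["who"] == r["what"]:
            continue
        target, admin_ws = r["what"], r["workstation"]
        deadline = _ts(r) + timedelta(hours=window_hours)
        later = [x for x in recs[i + 1:] if _ts(x) <= deadline]
        by_target = [x for x in later if x["who"] == target]
        if any(x["detail"] == "Password changed by user" for x in by_target):
            continue  # user took the account back: normal helpdesk flow
        logons = [x for x in by_target
                  if x["action"] == "Logon" and x["workstation"] == admin_ws]
        if logons:
            findings.append({
                "admin": r["who"], "target": target, "reset_at": r["when"],
                "logon_at": logons[0]["when"], "from_workstation": admin_ws,
                "change_disallowed": any(x["what"] == target and
                    x["detail"] == "User cannot change password: set" for x in later),
            })
    return findings
```

The benign reset of the second account is skipped because the user changed her own password afterwards; only the first reset, followed by a logon from the admin’s workstation, is reported.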
Investigating an Exchange Server outage
As a systems administrator, you have a broad scope of responsibilities around servers, operating systems, applications, backups and more. When an issue occurs that leads to an outage, you have to quickly identify the root cause so you can restore normal operations.
Let's see how you can use the Interactive Search to find out what’s causing an Exchange service outage.
Set up the search
In the case of an Exchange outage, our primary goal is to restore normal email service to reduce the impact on business continuity. After that, we need to investigate further to prevent future outages. So, first, let’s use Interactive Search to find all changes made to Exchange since yesterday. We’ll switch to advanced mode to use conditional operators for more precise filtering: filter Data source, operator Equals, value Exchange. We want to see all modifications and deletions first, so let’s select accordingly. Finally, we should specify the time range — it’s reasonable to look into today and yesterday.
We found an activity record that tells us that some Exchange setting was changed. Hey, that is probably what prevented users from sending outbound emails. Thanks to Interactive Search, we now know not only the likely root cause of the problem, but critical details such as who made the change and which object was modified. With this information, we can now repair the Exchange server configuration.
Looking behind the issue
Once we have restored normal Exchange service, we need to figure out how somebody was able to change the Exchange configuration and cause the downtime. Again using the advanced mode, let’s select the Data source filter and type Exchange. Next we switch back to simple mode. In the search field, we’ll type in the user name we discovered earlier, without specifying any filter type. (Note that we could have achieved the same thing in advanced mode by choosing the corresponding filter and providing the user name in the Value field.) Now we can take a closer look at the activities related to that user and Exchange.
Homing in on the details
Because we provided the user name without specifying any filters, we can see the actions that this user took related to Exchange configuration, as well as the actions performed by anyone else in relation to that user account and Exchange. Oh, here’s a record showing that someone made specific changes to that account. Let’s see what else was done in relation to this account. We simply erase Exchange and type in the user name as the value. We also remove the other filter we used before.
We discover when the user account was created, and see that it was later added to the Exchange security group. We also find that further changes were made to this account. All of these actions were performed by a new member of the IT team who recently joined. Later, we’ll have to carefully scrutinize his actions in all other systems for signs of improper behavior and enable video recording on his machine. But the information we have already obtained is enough to escalate the current incident. Let’s do a new search using those details, and save it so we can quickly run the same report later.
Investigating contractor activity and changes to contractor permissions
As a security analyst on the InfoSec team, you are responsible for reducing the likelihood of data misuse, verifying that corporate security policies are followed, conducting internal audits, and more. When temporary workers or contractors get access permissions inside your network, you need to ensure that these individuals are not abusing those permissions. You must also verify that access rights are revoked when people are off-boarded.
Let’s see how you can use the Interactive Search to inspect whether contractor activity inside your network is appropriate.
Has anyone changed a completed project?
Let’s start by verifying that there is no activity on resources related to completed projects. We’ll apply the appropriate exclusions to the search. That way, if we discover any activity, it will likely mean that access rights have not been properly revoked or contractor accounts have not been disabled. Phew, there’s nothing. But we should set up an alert to be on the safe side, so that if anyone knocks on that door, we’ll know about it.
Has our DBA launched any executables?
The role of Oracle Database administrator is limited to provisioning and managing specific database instances, performance tuning, and backup and recovery. For security reasons, let’s use the Interactive Search to find out whether the contractor in that role has ever launched any executables, for instance by searching for files with executable extensions. If she did, let’s find and watch the video recording of what happened there. OK, we found activity records that detail the applications that the DBA launched for unknown reasons. Now let’s click to play back the recording. This provides us with an accurate picture of what the contractor did and supporting evidence of her stepping away from her contractual assignment.
Has anyone changed a contractor’s folder permissions?
What if the access rights assigned to one contractor at the start of the project were later changed by someone on the IT team? Such a change might be appropriate in the natural course of the project, or it might be a kind — but possibly still inappropriate — response to a request by the contractor for additional rights. We need to know, because excessive access rights can lead to data exfiltration. Let’s check a specific folder first and find all permissions changes that concern the contractor. We also specify the time range to be more precise. Here! The Interactive Search returned a record telling us that the contractor was granted “Allow all access” permissions on the folder in question. We should save this search so we can easily refer to it later when we talk to the individual who made those changes.
Has anyone changed a contractor’s group membership?
As we just saw, one way to elevate a user’s rights is to change their folder permissions. But another way is to change their group membership. Let’s see if this also happened to the contractor we’re investigating. All we need to do is modify our selection criteria slightly. We select the group object type for the Object type filter and remove the other filter. We also remove the What filter. The contractor’s group membership was indeed changed — wow, this is serious! We should save this search as we did before. Let’s also copy the details we found and paste that info into a couple of emails that we need to send right now.
Has there been any irregular access to resources?
The attorney we contracted to represent our company’s interests in a legal action should be accessing only the specific resources she needs to perform her job. Let’s check for any activity by that user outside of the permitted shared folder. We start by specifying the Data source that hosts the attorney’s shared folder; then we exclude the permitted folder (note that we use the operator “Does not contain” for these filters); we also provide the date range. Huh — we found records showing that the person managed to delete a few files from another folder outside of business hours. Let’s check her activity further to see if she tried to access any other locations.
Easily answer questions during an audit to prove your compliance
As an IT manager, you strive to reduce cost and increase the efficiency of IT operations, maximize control over your IT infrastructure, plan and execute data security enhancements, and much more. You also need to translate compliance requirements into clear IT lingo for your technical employees and handle information requests from internal compliance officers or external auditors, providing the evidence they request within minutes.
Let's step through how Interactive Search can help with several common questions auditors ask.
Has anyone improperly accessed a shared folder that contains sensitive data?
Suppose we’re asked to prove that a particular shared folder containing regulated data hasn’t been accessed by anybody who shouldn’t access it during the past month. Using advanced mode, we specify the folder path using the What filter. We exclude administrators in order to skip any administrative activity on the folder. That’s it — here we have a list of all users who accessed the folder over the last 30 days.
Can you prove you know about group membership changes right away?
Now the auditor asks for something that wasn’t even on the checklist we received two weeks ago: “Prove that you always know of any changes that occur to the membership of the Active Directory group that regulates access to the regulated data.” Ouch! We can surely track those changes down, but unfortunately we haven’t set up email alerts yet. Luckily, the auditor says it’ll satisfy her if we do it right now. OK, let’s select group membership changes and specify the group name for the What filter. We can exclude failed actions from the results, since the auditor is concerned with successful changes only. Now we simply create an alert from this search, which will be triggered any time the group membership changes. That way, we ensure that appropriate staff will know about changes as soon as they occur.
Are you able to monitor user account provisioning and deprovisioning?
The auditor is technically savvy enough to know that lingering user accounts of uncertain purpose create opportunities for impostors to break into our network. To verify our security policies, we need to show a list of all user accounts that have been created, deleted or modified in Active Directory over the previous 6 months. Let’s go for it. In the advanced mode of Interactive Search, we specify the data source and the object type, and we provide the time range. The results provide all the key details, including exactly what happened, who did it and when. To pass a hard copy of this information to the auditor, we export the results to a PDF file.
What’s going on with this one odd user account?
The auditor notices that one of the user accounts on the list we generated was removed shortly after it was created, and she wants to know more about that person. We check the HR employee list, but no employee with that name is currently on board. It’s time to investigate the issue. Let’s use the Interactive Search to see all actions that this user performed and also any actions directed at this account. In simple mode, we just need to type the account name in the search field, limit the time range to the period between the dates of account creation and deletion, and press Enter. Fortunately, the Interactive Search proves that no access rights were ever granted to this user by any means, which is a relief in front of the auditor. Of course, the question of why the account was created remains, and we’ll be able to use Interactive Search to investigate that after we’ve passed the audit.
Were all changes to Group Policy properly tracked in our ticketing system?
The auditor shows us a list of Group Policy change requests printed out from our corporate change management and ticketing system; apparently, she already had a chance to talk to some members of the IT team. So now we’re faced with the task of producing a list of all Group Policy changes that were actually made, so she can compare it with the list of requested changes. In advanced mode, let’s select the Group Policy data source and specify the time range. We now see all the changes that were made, and we can exclude the ones that are out of scope, if necessary. Now we can demonstrate that all the changes made to Group Policy correspond to tickets on the auditor’s list, proving the efficacy of our change management system.
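The comparison the auditor asks for (every Group Policy change that was actually made matched against a ticket) is easy to automate once both lists are exported. The Python below is an added example, not Netwrix Auditor or ticketing-system code; the change and ticket fields, the GPO and account names, the ticket ids and the four-hour tolerance window are constructed assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample data; the record and ticket fields are assumptions and
# do not reflect the export format of Netwrix Auditor or any ticketing system.
GPO_CHANGES = [
    {"when": "2024-02-12T10:15:00", "who": "CORP\\jsmith", "what": "Default Domain Policy",
     "action": "Modified"},
    {"when": "2024-02-19T16:40:00", "who": "CORP\\rlee", "what": "Workstation Lockdown",
     "action": "Modified"},
    # Late-night change with no corresponding ticket.
    {"when": "2024-02-27T23:05:00", "who": "CORP\\rlee", "what": "Workstation Lockdown",
     "action": "Modified"},
    {"when": "2024-03-01T09:00:00", "who": "CORP\\jsmith", "what": "Server Hardening",
     "action": "Added"},
]
TICKETS = [
    {"id": "CHG-1041", "gpo": "Default Domain Policy", "assignee": "CORP\\jsmith",
     "scheduled": "2024-02-12T10:00:00"},
    {"id": "CHG-1057", "gpo": "Workstation Lockdown", "assignee": "CORP\\rlee",
     "scheduled": "2024-02-19T16:00:00"},
    {"id": "CHG-1062", "gpo": "Server Hardening", "assignee": "CORP\\jsmith",
     "scheduled": "2024-03-01T09:00:00"},
]

def reconcile_gpo_changes(changes, tickets, tolerance_hours=4):
    """Pair each Group Policy change with a ticket for the same GPO, assigned
    to the same person and scheduled within the tolerance window.
    Returns (change, ticket_id) pairs; ticket_id is None for untracked changes."""
    tol = timedelta(hours=tolerance_hours)
    pairs = []
    for c in changes:
        when = datetime.fromisoformat(c["when"])
        match = None
        for t in tickets:
            scheduled = datetime.fromisoformat(t["scheduled"])
            if (t["gpo"] == c["what"] and t["assignee"] == c["who"]
                    and abs(when - scheduled) <= tol):
                match = t["id"]
                break
        pairs.append((c, match))
    return pairs

def untracked_changes(changes, tickets, tolerance_hours=4):
    """The changes an auditor would flag: made, but never requested in a ticket."""
    return [c for c, t in reconcile_gpo_changes(changes, tickets, tolerance_hours)
            if t is None]
```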