Interactive Search

Using Netwrix Auditor’s Interactive Search

Quick, step-by-step examples that illustrate how to use its powerful capabilities

Monitoring privileged users

An information security officer investigates a rogue admin’s activity.

Investigating a service outage

A systems administrator tracks down the root cause of a failure to quickly restore operations.

Keeping an eye on contractors

A security analyst investigates contractor activity and changes to contractor permissions.

Passing compliance checks

An IT manager easily answers questions during an audit to prove compliance with regulations.

Use case 1

Keeping a close eye on privileged users

Of most interest to Information Security Officer

As an information security officer, you have oversight responsibility to ensure that privileged users are not abusing their elevated permissions. You also need to perform regular spot checks on privileged users in order to detect permissions that are no longer needed, unauthorized admin actions and instances of possible impersonation.

Let's see how you can use the Interactive Search to perform a spot check on an admin and then untangle a complex series of suspicious actions.

Check for activity outside area of responsibility

Let’s begin our spot check of the administrator by seeing whether he did anything outside Active Directory, which in this scenario is his sole area of responsibility. We start by switching to advanced mode so we can use conditional operators right away. We’ll use the operator “Not equal to” in order to include all systems except for Active Directory. The results show that he hasn’t taken any actions that fall beyond the scope of his role using his Domain Admin credentials.

Scrutinize actions more closely

Now let’s tweak our exclusion filters to carefully scrutinize his actions in Active Directory, keeping in mind that his Domain Admin rights give him ample opportunities for misconduct. We are not interested in the mass of actions that look normal — the quality of the admin’s work is his supervisor’s concern, not ours. Rather, we’re looking for any indicators of improper or otherwise suspicious behavior that may have far-reaching consequences. Hey, this one is interesting!

Glimpse an incident

We found an activity record that tells us about an administrative password reset for a highly privileged user. Let’s double-click to open it. Since this user is the Head of Accounting and Finance, if her account were to be compromised, the imposters would be able to access sensitive corporate data. Let’s look closer at related activities — there might be something else we should know about.

Investigate further

Interesting — we couldn’t find any user password change for this account, which should normally follow an administrative password reset. Effectively, the admin now knows the credentials of the Chief Accountant. We really need to take a look at the activity of this user account on critical file shares. Although it did take us some time to browse through the activity trails, it wasn’t in vain, because we ended up discovering bulk modifications and deletions of sensitive financial files. Let’s save a copy of that.

Get more context

It’s time to ring the alarm, but let's not leave Interactive Search quite yet. We should try to get as much context around the incident as possible. First, let’s see which workstation was used to make those changes. Hey, it was an interactive logon from another workstation through a remote connection. Because the Interactive Search gives us the workstation name, we can check the inventory list. Oh, this is bad — that workstation is assigned to our admin! Let’s note the time when the interactive logon took place and save a copy of the search results.

Check the video evidence

Before we escalate the incident, let's see if we can get some more evidence. Luckily, user activity video recording was set up on the Chief Accountant’s workstation a long time ago because of the importance of her role and the sensitivity of the data she accesses. So now we can search for relevant video records to see exactly how file content was modified and what files were deleted. Here! The videos show that some payment figures and company details were changed to totally different ones.

Escalate the incident and keep digging

We discovered a serious data integrity breach and data destruction. Although the malicious actions were performed using the Chief Accountant’s account, the domain administrator whose workstation was used to access the user’s computer is under a cloud of suspicion. It’s definitely the right time to escalate the case. But in parallel, we should continue analyzing the actions taken using both the admin’s and the Chief Accountant’s accounts. Hey, look! There’s a change the admin made to prohibit a user password change.

Inquest and revelation

The inquest revealed the full story: The rogue administrator produced multiple failed logons while the Chief Accountant was on vacation, thereby locking her account. He did so to induce her to act in a particular way. When she returned to the office, she couldn’t log in and had to call the helpdesk. On the pretext of an official user request, the administrator reset the password but disallowed a user password change. As a result, he obtained a valid password for the account. Later, he logged in to her machine via a Remote Desktop Connection and performed illicit actions, attempting to frame her for them.
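The pattern uncovered in this use case can be checked routinely rather than by browsing activity trails by hand. The following is an added example, not code from the page or from Netwrix: it runs over constructed activity records (field names and values are assumptions) and flags every administrative password reset that is not followed by the target user's own password change, or where "user cannot change password" was set afterwards.

```python
from datetime import datetime, timedelta

# Constructed sample activity records (hypothetical; not Netwrix Auditor output).
# Keys follow the Who / Action / What / When columns, plus the detail text.
RECORDS = [
    {"when": "2016-03-01 09:12", "who": "CORP\\j.doe.admin", "action": "Modified",
     "what": "CORP\\Users\\k.smith", "detail": "Administrative password reset"},
    {"when": "2016-03-01 09:13", "who": "CORP\\j.doe.admin", "action": "Modified",
     "what": "CORP\\Users\\k.smith", "detail": "User cannot change password: set to True"},
    {"when": "2016-03-01 10:05", "who": "CORP\\j.doe.admin", "action": "Modified",
     "what": "CORP\\Users\\b.wong", "detail": "Administrative password reset"},
    {"when": "2016-03-01 10:20", "who": "CORP\\b.wong", "action": "Modified",
     "what": "CORP\\Users\\b.wong", "detail": "User password change"},
]

RESET = "Administrative password reset"
USER_CHANGE = "User password change"
CHANGE_BLOCKED = "User cannot change password: set to True"


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def unconfirmed_admin_resets(records, window_hours=48):
    """Return administrative resets that the target user never followed up.

    A helpdesk reset is normally followed by the user choosing a new password.
    A reset with no such change within the window, or one where the admin
    also blocked user password changes, leaves the admin holding a valid
    password for someone else's account, which is the pattern in use case 1.
    """
    window = timedelta(hours=window_hours)
    findings = []
    for reset in (r for r in records if r["detail"] == RESET):
        target, t0 = reset["what"], parse(reset["when"])
        # Everything that happened to the target account inside the window.
        later = [r for r in records if r["what"] == target
                 and t0 <= parse(r["when"]) <= t0 + window]
        confirmed = any(r["detail"] == USER_CHANGE for r in later)
        blocked = any(r["detail"] == CHANGE_BLOCKED for r in later)
        if blocked or not confirmed:
            findings.append({"admin": reset["who"], "account": target,
                             "reset_at": reset["when"], "change_blocked": blocked})
    return findings


if __name__ == "__main__":
    for f in unconfirmed_admin_resets(RECORDS):
        print(f"review reset of {f['account']} by {f['admin']} at {f['reset_at']}"
              f" (user change blocked: {f['change_blocked']})")
```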

Use case 2

Investigating an Exchange Server outage

Of most interest to Systems Administrator

As a systems administrator, you have a broad scope of responsibilities around servers, operating systems, applications, backups and more. When an issue occurs that leads to an outage, you have to quickly identify the root cause so you can restore normal operations.

Let's see how you can use the Interactive Search to find out what’s causing an Exchange service outage.

Set up the search

In the case of an Exchange outage, our primary goal is to restore normal email service to reduce the impact on business continuity. After that, we need to investigate further to prevent future outages. So, first, let’s use Interactive Search to find all changes made to Exchange since yesterday. We’ll switch to advanced mode to use conditional operators for more precise filtering. We select the filter Data source, the operator Equals and the value Exchange. We want to see all modifications and deletions first, so let’s select the action filters accordingly. Finally, we should specify the date range — it’s reasonable to look into today and yesterday.

Repair

We found an activity record that tells us that some Exchange send connectors were misconfigured. Hey, that is probably what prevented users from sending outbound emails. Thanks to Interactive Search, we now know not only the likely root cause of the problem, but critical details such as who made this change and the name of the send connector that was modified. With this information, we now can repair the Exchange server configuration.

Looking behind the issue

Once we have restored normal Exchange service, we need to figure out how somebody was able to change the Exchange configuration and cause the downtime. Again using the advanced mode, let’s select the filter What, operator Contains and type Exchange. Next we switch back to simple mode. In the search field, we’ll type in the user name we discovered earlier, without specifying any filter type. (Note that we could have achieved the same thing in advanced mode by choosing the filter Everywhere, operator Contains and providing the user name in the Value field.) Now we can take a closer look at the activities related to that user and Exchange.

Homing in on the details

Because we provided the user name without specifying any filters, we can see the actions that this user took related to Exchange configuration, as well as the actions performed by anyone else in relation to that user account and Exchange. Oh, here’s a record showing that someone made specific changes related to the user account. Let’s see what else was done in relation to this account. We simply erase Exchange and type in the user name as the value for the filter What. We also remove the other filter we used before.

Establishing accountability

We discover when the user account was first enabled, and see that it was later added to the Exchange security group and then removed shortly afterward. We also find that the administrative password was reset for this account. All of these actions were performed by another admin who recently joined the team. Later, we’ll have to carefully scrutinize his actions in all other systems for signs of improper behavior and enable video recording on his machine. But the information we have already obtained is enough to escalate the current incident. Let’s do a new search using the admin's name in the search field, and save the results to a PDF file. Let’s also save this search so we can quickly run the same report later.
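The filter model used in this use case (advanced mode with named filters and operators, a date range, and the note that a bare simple-mode term equals Everywhere / Contains) can be made concrete with a small evaluator. This is an added example, not code from the page or from Netwrix: the records, the column names and the rule for combining several values of one filter are assumptions.

```python
# Constructed sample activity records (hypothetical; not Netwrix Auditor output).
# Column names follow the Interactive Search filters used in the text.
RECORDS = [
    {"Who": "CORP\\r.adams", "Action": "Modified", "Object type": "Send connector",
     "What": "Outbound to Internet", "Where": "exch01.corp.local",
     "Data source": "Exchange", "When": "2016-03-02 08:40"},
    {"Who": "CORP\\r.adams", "Action": "Added", "Object type": "Group",
     "What": "CORP\\Groups\\Exchange Admins", "Where": "dc01.corp.local",
     "Data source": "Active Directory", "When": "2016-03-01 17:02"},
    {"Who": "CORP\\svc-backup", "Action": "Read", "Object type": "Mailbox",
     "What": "CORP\\Users\\k.smith", "Where": "exch01.corp.local",
     "Data source": "Exchange", "When": "2016-02-20 02:00"},
]

# Advanced-mode operators named in the text; comparisons are case-insensitive.
OPERATORS = {
    "Equals": lambda field, value: field.lower() == value.lower(),
    "Not equal to": lambda field, value: field.lower() != value.lower(),
    "Contains": lambda field, value: value.lower() in field.lower(),
    "Does not contain": lambda field, value: value.lower() not in field.lower(),
}
NEGATIVE = {"Not equal to", "Does not contain"}

def matches(record, filters, since=None, until=None):
    """True if the record passes every filter and the optional date range.

    Assumed combination rule: different filters are AND'd; several values of
    one filter are OR'd for positive operators, while every negative value
    must hold. "Everywhere" tests all columns of the record.
    """
    # "YYYY-MM-DD HH:MM" strings sort chronologically, so no parsing needed.
    if (since and record["When"] < since) or (until and record["When"] > until):
        return False
    grouped = {}
    for name, op, value in filters:
        grouped.setdefault(name, []).append((op, value))
    for name, conds in grouped.items():
        fields = list(record.values()) if name == "Everywhere" else [record[name]]
        positive, negative = [], []
        for op, value in conds:
            tests = [OPERATORS[op](str(f), value) for f in fields]
            (negative if op in NEGATIVE else positive).append(
                all(tests) if op in NEGATIVE else any(tests))
        if (positive and not any(positive)) or not all(negative):
            return False
    return True

def search(records, filters, since=None, until=None):
    return [r for r in records if matches(r, filters, since, until)]

def simple_search(records, term):
    """Simple mode: a bare term is the same as Everywhere / Contains."""
    return search(records, [("Everywhere", "Contains", term)])
```

The use case 2 search is `search(RECORDS, [("Data source", "Equals", "Exchange"), ("Action", "Equals", "Modified"), ("Action", "Equals", "Removed")], since="2016-03-01 00:00")`, which returns only the send connector change.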

Use case 3

Investigating contractor activity and changes to contractor permissions

Of most interest to Security analyst

As a security analyst on the InfoSec team, you are responsible for reducing the likelihood of data misuse, verifying that corporate security policies are followed, conducting internal audits, and more. When temporary workers or contractors get access permissions inside your network, you need to ensure that these individuals are not abusing those permissions. You must also verify that access rights are revoked when people are off-boarded.

Let's see how you can use the Interactive Search to inspect whether contractor activity inside your network is appropriate.

Has anyone changed a completed project?

Let’s start by verifying that there is no activity on archive folders related to completed projects. We’ll exclude our admins from the search. That way, if we discover any activity, it will likely mean that access rights have not been properly revoked or contractor accounts have not been disabled. Phew, there’s nothing there. But we should create an alert to be on the safe side, so that if anyone knocks on that door, we’ll know about it.

Has our DBA launched any executables?

The role of the Oracle database administrator is limited to provisioning and managing specific database instances, performance tuning, and backup and recovery. For security reasons, let’s use the Interactive Search to find out whether the contractor in that role has ever launched any executables — for instance, files with extensions such as .exe, .bat, and .msi. If she did, let’s find and watch video recordings of what happened there. OK, we found activity records that detail the applications that the DBA launched for unknown reasons. Now let’s click “Show video…” to play back the recorded screen activity. This provides us with an accurate picture of what the contractor did and supporting evidence of her stepping away from her contractual assignment.

Has anyone changed a contractor’s folder permissions?

What if the access rights assigned to one contractor at the start of the project were later changed by someone on the IT team? Such a change might be appropriate in the natural course of the project, or it might be a kind — but possibly still inappropriate — response to a request by the contractor for additional rights. We need to know, because excessive access rights can lead to data exfiltration. Let’s check a specific shared folder first and find all permissions changes that concern the particular contractor. We also specify the date range and object types to be more precise. Here! The Interactive Search returned activity records telling us that the contractor was granted “Allow all access” permissions on the folder in question. We should save this search so we can easily refer to it later when we talk to the individual who made those changes.

Has anyone changed a contractor’s group membership?

As we just saw, one way to elevate a user’s rights is to change their folder permissions. But another way is to change their group membership. Let’s see if this also happened to the contractor we’re investigating. All we need to do is modify our selection criteria slightly. We select “Group” as the new value for the Object type filter and remove the other filter. We also remove the What filter. The contractor was added to a security group — wow, this is serious! We should save this search as we did before. Let’s also copy the key details we found and paste that info into a couple of emails that we need to send right now.

Has there been any irregular access to resources?

The attorney we contracted to represent our company’s interests in a legal action should be accessing only the specific resources she needs to perform her job. Let’s check for any activity by that user outside of the permitted shared folder. We start by specifying the attorney’s account name and selecting file servers as the Data source; then we exclude the allowed network folder and any failed actions (note that we use the operator “Does not contain” for these filters); we also provide the date range. Huh — we found activity records that show that the person managed to delete a few files from another folder outside of business hours. Let’s check her failed activity to see if she tried to access any other locations.

Use case 4

Easily answer questions during an audit to prove your compliance

Of most interest to IT manager

As an IT manager, you strive to reduce cost and increase the efficiency of IT operations, maximize control over your IT infrastructure, plan and execute data security enhancements, and much more. You also need to translate compliance requirements into clear IT lingo for your technical employees and handle information requests from internal compliance officers or external auditors, providing the evidence they request within minutes.

Let's step through how Interactive Search can help with several common questions auditors ask.

Has anyone improperly accessed a shared folder that contains sensitive data?

Suppose we’re asked to prove that a particular shared folder containing regulated data hasn’t been accessed by anybody who shouldn’t access it during the past month. Using advanced mode, we specify the folder in question using the operator Contains. We exclude our legitimate admins in order to skip any administrative activity on the folder. That’s it — here we have a list of all users who accessed this network resource over the last 30 days.

Can you prove you know about group membership changes right away?

Now the auditor asks for something that wasn’t even on the checklist we received two weeks ago: “Prove that you always know of any changes that occur to the membership of the Active Directory group that regulates access to the regulated data”. Ouch! We can surely track those changes down but unfortunately we haven’t set up email alerts yet. Luckily, the auditor says it’ll satisfy her if we do it right now. OK, let’s select “Group” as the object type and specify the group’s path as the value for the What filter. We can exclude failed activity from the search results, since the auditor is concerned with successful changes only. Now we simply create a new alert, which will be triggered any time the group membership changes. That way, we ensure that appropriate staff will know about changes as soon as they occur.

Are you able to monitor user account provisioning and deprovisioning?

The auditor is technically savvy enough to know that lingering user accounts of uncertain purpose create opportunities for imposters to break into our network. To verify our security policies, we need to show a list of all user accounts that have been created, deleted or modified in Active Directory over the previous 6 months. Let’s go for it. In the advanced mode of Interactive Search, we specify “Active Directory” as the Data source and “User” as the Object type, and we provide the time range. The search results provide all the key details, including exactly what happened, who did it and when. To pass a hard copy of this information to the auditor, we save this list to a PDF file.

What’s going on with this one odd user account?

The auditor notices that one of the user accounts on the list we generated was removed shortly after it was created, and she wants to know more about that person. We check the HR employee list, but no employee with that name is currently on board. It’s time to investigate the issue. Let’s use the Interactive Search to see all actions that this user performed and also any actions directed at this account. In simple mode, we just need to type the user name in the search field, limit the time range to the period between the dates of account creation and deletion, and press Enter. Fortunately, the Interactive Search proves that no high-level privileges were ever granted to this user by any means, which is a relief in front of the auditor. Of course, the question of why the account was created remains, and we’ll be able to use Interactive Search to investigate that after we’ve passed the audit.

Were all changes to Group Policy properly tracked in our ticketing system?

The auditor shows us a list of Group Policy change requests printed out from our corporate change management and ticketing system; apparently, she already had a chance to talk to some members of the IT team. So now we’re faced with the task of producing a list of all Group Policy changes that were actually made, so she can compare it with the list of requested changes. In advanced mode, let’s select Data source Equals Group Policy and specify the date range. We now see all changes and we can exclude the ones performed by the system, if necessary. Now we can demonstrate that all the changes made to Group Policy correspond to tickets on the auditor’s list, proving the efficacy of our change management system.
