Re: Security Audit Correlating

From: SecurIT Informatique Inc. (securit_at_iquebec.com)
Date: 12/17/04

    Date: Thu, 16 Dec 2004 18:47:29 -0500
    To: Jose Costa <joselpcosta@yahoo.com.br>

    Hello Jose,

    I am not sure if this will fit your bill entirely, but you may want to look at
    my log centralising and analysis software LogAgent
    (http://securit.iquebec.com). It will analyse your event viewer logs in real
    time, so you can set filters for specific object access, account usage or
    event type, and it will convert your event viewer logs to ascii at the same
    time.

    As for the correlating, it is probably possible to use one of the consoles
    I designed (LogIDS or LogMonitor) by converting your tickets to ascii. Or
    maybe the extractor side-tool I wrote with these consoles is better suited
    to your needs. If you think that these things could help you, but the
    correlating does not exactly satisfy you, let me know and I can probably
    write you something customized to your needs, that is, if you cannot find
    anything else around.

    Feel free to contact me if you have any questions regarding these tools.

    Adam Richard
    SecurIT Informatique Inc.

    At 02:54 PM 16/12/2004, Jose Costa wrote:
    >Hi all,
    >
    >Currently we are outsourcing our account creation,
    >password unlock/modify, folder creation/access control
    >and Internet/Applications Access Control to a third
    >company and we need some audit and reports. We use AD
    >running on W2K Server.
    >
    >Basically what we want to do is to activate GPO
    >Account Management and Object Access and create some
    >users with Admin/Account Operators rights and log
    >their object access on File Servers top folders and
    >account management tasks.
    >
    >After that, we need to do some correlating with Help
    >Desk Tickets, based on time. We will audit that with
    >samples, not all logs or tickets.
    >
    >The target is to discover if these accounts were used
    >without a help desk ticket, or they were used more
    >than they should be, based on the ticket.
    >
    >My idea is to export both (event viewer and help desk
    >tickets) to a .txt, .csv, etc. file and compare them.
    >After that generate a report. I'd like to make some
    >automation for that...
    >
    >Are there any best practices, samples or papers for that?
    >
    >Any input or experience regarding it will be
    >appreciated.
    >
    >Best Regards,
    >
    >Jose Luiz

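One way to do the time-based comparison Jose describes (event viewer export against help desk ticket export, both as CSV, flagging accounts used without a ticket or more often than a ticket justifies), as an added example that is not code from the original thread nor from the LogAgent/LogIDS tools; the CSV columns, the sample rows and the 15-minute slack around each ticket window are assumptions:

```python
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample of a Security event log export (ascii/CSV), not real data.
EVENTS_CSV = """time,account,event_id,detail
2004-12-16 09:05:00,svc_ops1,624,User Account Created: jsmith
2004-12-16 09:40:00,svc_ops1,628,User Account Password Set: mlee
2004-12-16 13:10:00,svc_ops2,560,Object Open: FS01 share Finance
2004-12-16 13:12:00,svc_ops2,560,Object Open: FS01 share HR
2004-12-16 17:30:00,svc_ops1,624,User Account Created: tmp_admin
"""

# Constructed help desk ticket export; start/end is the window the ticket authorises.
TICKETS_CSV = """ticket,account,start,end,task
HD-1001,svc_ops1,2004-12-16 09:00:00,2004-12-16 09:30:00,create account jsmith
HD-1002,svc_ops2,2004-12-16 13:00:00,2004-12-16 13:30:00,grant access to Finance share
"""

def correlate(events_csv, tickets_csv, slack=timedelta(minutes=15)):
    """Tag each event with the first ticket for the same account whose window, widened by slack, contains it."""
    tickets = list(csv.DictReader(StringIO(tickets_csv)))
    events = list(csv.DictReader(StringIO(events_csv)))
    for ev in events:
        t = datetime.strptime(ev["time"], FMT)
        ev["ticket"] = None
        for tk in tickets:
            if tk["account"] != ev["account"]:
                continue
            start = datetime.strptime(tk["start"], FMT) - slack
            end = datetime.strptime(tk["end"], FMT) + slack
            if start <= t <= end:
                ev["ticket"] = tk["ticket"]
                break
    return events

def findings(events_csv, tickets_csv, max_events_per_ticket=1):
    """Events with no covering ticket, plus tickets covering more events than expected."""
    events = correlate(events_csv, tickets_csv)
    no_ticket = [e for e in events if e["ticket"] is None]
    per_ticket = Counter(e["ticket"] for e in events if e["ticket"])
    overused = sorted(t for t, n in per_ticket.items() if n > max_events_per_ticket)
    return no_ticket, overused

if __name__ == "__main__":
    untracked, overused = findings(EVENTS_CSV, TICKETS_CSV)
    print("no ticket:", [(e["time"], e["account"]) for e in untracked])
    print("overused tickets:", overused)
```

Correlating on time alone, as the thread proposes, also passes an access that merely happened during a ticket window (the HR share open above is counted against the Finance ticket), so matching the ticket's task text against the event detail is the next refinement.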