RE: Security Audit Correlating
From: Jose Costa (joselpcosta_at_yahoo.com.br)
Date: 12/20/04
- Previous message: Renouf, Phil: "RE: Subdomain security"
- Maybe in reply to: Jose Costa: "Security Audit Correlating"
Date: Mon, 20 Dec 2004 09:07:08 -0300 (ART)
To: John Bankes <jbankes@netforensics.com>, "'SecurIT Informatique Inc.'" <securit@iquebec.com>
Thanks for the information, but I need to do it offline because I just need to do it every 3 months to create a report to our CSO.

I'll start working on it this week. I'll test exporting both (events and tickets) to a SQL/Access DB and figure out how to correlate them.

Any sample or idea will be appreciated.
Tks,
JL
--- John Bankes <jbankes@netforensics.com> wrote:
> We also provide most of what you are looking for. Check out
> www.netforensics.com for more information. Sorry for the commercial, but it
> might be what you're looking for. JB
>
> -----Original Message-----
> From: SecurIT Informatique Inc.
> [mailto:securit@iquebec.com]
> Sent: Thursday, December 16, 2004 6:47 PM
> To: Jose Costa
> Cc: focus-ms@securityfocus.com
> Subject: Re: Security Audit Correlating
>
> Hello Jose,
>
> I am not sure if this will fit all your bill, but you may want to look at my
> log centralising and analysis software LogAgent (http://securit.iquebec.com).
> It will analyse in real time your event viewer logs, so you can set filters
> for specific object access, accounts usage or event type, and it will convert
> your event viewer logs in ASCII at the same time.
>
> As for the correlating, it is probably possible to use one of the consoles I
> designed (LogIDS or LogMonitor) by converting your tickets in ASCII. Or maybe
> the extractor side-tool I wrote with these consoles is better suited for your
> needs. If you think that these things could help you, but the correlating
> does not exactly satisfy you, let me know and I can probably write you
> something customized to your needs, that is if you cannot find anything else
> around.
>
> Feel free to contact me if you have any questions regarding these tools.
>
> Adam Richard
> SecurIT Informatique Inc.
>
> At 02:54 PM 16/12/2004, Jose Costa wrote:
> >Hi all,
> >
> >Currently we are outsourcing our account creation, password unlock/modify,
> >folder creation/access control and Internet/Applications Access Control to a
> >third company and we need some audit and reports. We use AD running on W2K
> >Server.
> >
> >Basically what we want to do is to activate GPO Account Management and Object
> >Access and create some users with Admin/Account Operators rights and log
> >their object access on File Servers top folders and account management tasks.
> >
> >After that, we need to do some correlating with Help Desk Tickets, based on
> >time. We will audit that with samples, not all logs or tickets.
> >
> >The target is to discover if these accounts were used without a help desk
> >ticket, or they were used more than they should be, based on the ticket.
> >
> >My idea is to export both (event viewer and help desk tickets) to a .txt,
> >.csv, etc. file and compare them. After that generate a report. I'd like to
> >make some automation for that...
> >
> >Are there any best practices, samples, or papers for that?
> >
> >Any input or experience regarding it will be appreciated.
> >
> >Best Regards,
> >
> >Jose Luiz
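The offline correlation Jose describes (export privileged-account audit events and help desk tickets to CSV, then flag events with no ticket covering them in time) as an added example; this is not code from the thread or from any of the tools mentioned. The column names, the 15-minute slack around a ticket's open/close times, and the sample rows are assumptions, and event times are assumed to have been normalised to `YYYY-MM-DD HH:MM:SS` before export.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports (not real data). The event export is assumed to
# carry the audit time, the privileged account that acted and a short action.
EVENTS_CSV = """time,account,action
2004-12-16 09:05:00,adm-ops1,ResetPassword jdoe
2004-12-16 10:30:00,adm-ops1,AddMember FileShare-Finance jdoe
2004-12-16 14:10:00,adm-ops2,CreateUser tmp_contractor
2004-12-16 18:30:00,adm-ops2,ObjectAccess \\\\fs01\\HR
"""
# The ticket export is assumed to carry open/close times and the assignee.
TICKETS_CSV = """opened,closed,assignee,summary
2004-12-16 08:50:00,2004-12-16 09:30:00,adm-ops1,Password reset for jdoe
2004-12-16 13:55:00,2004-12-16 14:30:00,adm-ops2,New contractor account
"""

FMT = "%Y-%m-%d %H:%M:%S"


def parse(csv_text):
    """Read a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def correlate(events_csv, tickets_csv, slack_minutes=15):
    """Return the events not covered by any ticket assigned to the same
    account whose window [opened - slack, closed + slack] contains the event.
    An event in the result means the privileged account acted without a
    ticket, or kept acting after the ticket was closed."""
    slack = timedelta(minutes=slack_minutes)
    tickets = parse(tickets_csv)
    uncovered = []
    for ev in parse(events_csv):
        when = datetime.strptime(ev["time"], FMT)
        covered = any(
            tk["assignee"] == ev["account"]
            and datetime.strptime(tk["opened"], FMT) - slack
            <= when
            <= datetime.strptime(tk["closed"], FMT) + slack
            for tk in tickets
        )
        if not covered:
            uncovered.append(ev)
    return uncovered


if __name__ == "__main__":
    for ev in correlate(EVENTS_CSV, TICKETS_CSV):
        print(f'NO TICKET: {ev["time"]} {ev["account"]} {ev["action"]}')
```

Sampling, as the original post suggests, is then a matter of feeding a subset of exported rows to the same function; the slack value is the knob to tune against how precisely ticket times are recorded.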