ManageEngine accelerates Active Directory Incident Investigation, Management
ManageEngine, the real-time IT management company, announced the latest version of ADAudit Plus, its web-based Active Directory (AD) auditing software. The new version includes a search utility that offers a consolidated audit trail, which enables AD administrators to analyse security incidents contextually. The software packs another new feature that provides a bird’s eye view of all the Active Directory changes that occurred in a specified time period.
While investigating Active Directory security incidents, administrators must elicit a complete audit trail of what the involved attacker may have done or accessed. Conventional tools, such as Event Viewer and PowerShell, can extract audit data but never offer the complete visibility or context required for such investigations — especially if they involve an insider who’s an AD expert, wherein detection can be complicated. Such situations require that the investigators glean every piece of information that could have had even a remote relevance to the investigation. They then must view that information contextually to establish a relationship, which helps in getting to the bottom of an incident.
“From our interactions with our customers, we realised that in addition to quickly tracing the footsteps of a compromised account, administrators investigating AD security alerts or incidents require a little background of what had been done with that account. This lends a perspective that can uncover the roots of an attack or reveal further layers of a multi-pronged attack,” said Balasubramanian Palani, product manager, ManageEngine.
“The new search utility of ADAudit Plus can pull in diverse but relevant pieces of forensic information that an investigator would require, and it distills and consolidates that data into a crisp yet context-rich summary, which makes spotting the adversary quicker and easier.”
Detect threats using the new ADAudit Plus search utility
Using the new search utility, administrators can extract a consolidation of three different audit summaries, as listed below, for any user account (including an administrator) for a chosen period.
- Actions by the account: This is a summary of all configuration changes that the specified account carried out on other AD objects.
- Logon history of the account: Every computer that the account accessed — interactively or remotely — is listed in this summary, along with details such as logon hours and IP addresses.
- Object history: This provides background on the specified account, summarising what changes have been made to its properties and by whom. For example, it would show who changed the account’s permissions or passwords.
Every detail presented in the summary is a link, which, when clicked, displays an elaborate report for closer inspection. Similarly, the search also produces a consolidated audit summary for any given group or computer object, and any of these summaries would satisfy a compliance auditor who selects an account for audit.
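To make the three summaries concrete, the following is an added example (not ADAudit Plus code, and not from ManageEngine) of how a defender could build the same per-account consolidation from Windows Security log events. The events are constructed samples with simplified field names; a real run would pull them with Get-WinEvent or a SIEM, and the event IDs used (4624 logon, 4724 password reset, 4728/4732 group membership added, 4738 account changed, 4670 permissions changed) are the standard Windows Security IDs.

```python
from datetime import datetime

# Windows Security event IDs the classifier understands.
LOGON_EVENTS = {4624}                       # an account was successfully logged on
CHANGE_EVENTS = {                           # object changes, labelled for the summary
    4724: "password reset",
    4728: "added to global group",
    4732: "added to local group",
    4738: "account changed",
    4670: "permissions changed",
}
LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive"}

# Constructed sample events (not real log data). "subject" is the acting account,
# "target" the object acted on, "member" the account added to a group.
SAMPLE_EVENTS = [
    {"id": 4724, "time": "2024-02-28T17:00:00", "subject": "helpdesk1", "target": "svc-backup"},
    {"id": 4670, "time": "2024-03-01T07:00:00", "subject": "admin2", "target": "svc-backup"},
    {"id": 4624, "time": "2024-03-01T08:02:00", "subject": "svc-backup", "host": "FS01",
     "ip": "10.0.0.21", "logon_type": 3},
    {"id": 4624, "time": "2024-03-01T09:15:00", "subject": "svc-backup", "host": "DC01",
     "ip": "10.0.0.21", "logon_type": 10},
    {"id": 4728, "time": "2024-03-01T09:20:00", "subject": "svc-backup",
     "target": "Domain Admins", "member": "svc-backup"},
    {"id": 4738, "time": "2024-03-01T09:25:00", "subject": "svc-backup", "target": "j.doe"},
    {"id": 4624, "time": "2024-03-01T10:00:00", "subject": "j.doe", "host": "WS07",
     "ip": "10.0.0.55", "logon_type": 2},
    {"id": 4624, "time": "2024-03-05T10:00:00", "subject": "svc-backup", "host": "FS02",
     "ip": "10.0.0.21", "logon_type": 3},   # outside the chosen period below
]


def consolidate(events, account, start, end):
    """Return the three per-account summaries for events with start <= time <= end.

    actions        - changes the account made to other AD objects
    logons         - computers the account logged on to, with type and source IP
    object_history - changes other principals made to the account itself
    """
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    actions, logons, history = [], [], []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["time"])
        if not (t0 <= ts <= t1):
            continue
        eid = ev["id"]
        if eid in LOGON_EVENTS and ev["subject"] == account:
            kind = LOGON_TYPES.get(ev["logon_type"], f"type {ev['logon_type']}")
            logons.append({"time": ev["time"], "host": ev["host"], "ip": ev["ip"], "kind": kind})
        elif eid in CHANGE_EVENTS:
            label = CHANGE_EVENTS[eid]
            if ev["subject"] == account:            # the account changed something else
                actions.append({"time": ev["time"], "what": label, "target": ev["target"]})
            # The account itself was the object changed (directly, or as a new group member).
            if account in (ev.get("target"), ev.get("member")):
                history.append({"time": ev["time"], "what": label, "by": ev["subject"]})
    return {"actions": actions, "logons": logons, "object_history": history}


def hosts_touched(summary):
    """Sorted list of computers in the logon summary: the first isolation candidates."""
    return sorted({entry["host"] for entry in summary["logons"]})


if __name__ == "__main__":
    result = consolidate(SAMPLE_EVENTS, "svc-backup", "2024-02-28T00:00:00", "2024-03-02T23:59:59")
    for section, rows in result.items():
        print(section)
        for row in rows:
            print("   ", row)
    print("hosts to review:", hosts_touched(result))
```

Reading the three lists together is what gives the context the text describes: on its own, a network logon to a file server is unremarkable; next to a password reset by a helpdesk account the day before and a self-addition to Domain Admins an hour later, the same logon is part of a clear sequence.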
From an incident investigation and management standpoint, an administrator can instantly learn what changes an attacker carried out in AD and which computers were compromised. This instant insight enables the admin to quickly restore secure AD configurations and isolate the compromised computers, thereby mitigating any effects of the attack.
Additionally, this search strings together all the clues, which, when analysed together, offer a context that either exposes an attacker instantly or highlights the indicators of a compromise that lead to the attacker. This capability enables AD administrators to detect threats — especially insider attacks — which could be missed when security events are analysed as isolated instances.
Get a bird’s eye view of Active Directory changes with aggregated summary
The aggregated summary feature graphically summarises all changes made to various AD elements (users, computers, groups, OU, DNS and GPO) for a time period specified by the admin. Capable of pinpointing who made those changes, this feature offers interesting statistics on past AD operations, which can be utilised to streamline AD management. Additionally, the feature offers users the flexibility to drill down from the summary view to a specific event that catches their attention.