There are actually four (4) ProTips in this blog (Click below to go to one you want):
- Multiple Policy Registration in StealthINTERCEPT
- Managing StealthINTERCEPT via PowerShell
- Editing StealthDEFEND Investigations the Lazy Way
- Categorize StealthDEFEND Playbooks to Reduce Clutter
Multiple Policy Registration in StealthINTERCEPT
The capability has long existed in StealthINTERCEPT to have a single policy with multiple event registrations. There are particular situations when you need to audit certain activity but desire to filter on a couple of very specific conditions, however you don’t want to filter all other activity. Let me share a use case:
Because new StealthINTERCEPT version 7.1 introduces some improved filtering, it seemed appropriate to use an LDAP example: You have identified LDAP activity you desire to audit however you have a single account that generates an excessively high volume of traffic from a single system/host that is expected but would be considered noise.
Problem
If you filter the system, you don’t see activity from other accounts on that system.
BUT…
If you filter that account, you don’t see other activity for that account on other systems.
Policy 1
Policy 2
Exclude all activity from the host where this account generates the most noise
End result is you get all activity for desired users and only activity from the noisy accounts on hosts other than that host it generates excessive activity from.
Managing StealthINTERCEPT via PowerShell
This latest release, StealthINTERCEPT version 7.1, has extended many more capabilities from the StealthINTERCEPT console to PowerShell. You can now manage/import policies and collections, check agent status, and more from PowerShell. The StealthINTERCEPT Administrative guide provides detailed documentation for the PowerShell cmdlets. For more detailed information please reference the product help Appendix: PowerShell API integration. To enable the PowerShell Modules type:
Import-module "C:\Program Files\STEALTHbits\StealthINTERCEPT\SIEnterpriseManager\SI.SIMonitor.PowerShell.dll"
To see a list of available SI PowerShell cmdlets type:
Get-Command -Module SI.SIMonitor.Powershell
The Appendix also documents all files required to perform remote management.
Editing StealthDEFEND Investigations the Lazy Way
Often we build investigations in StealthDEFEND to look for general activity. However from time to time you need a similar investigation but focused on a single user or group of users. While you could build a new one from scratch that is wasted time. You could also modify your existing investigation but then you need to remember to change it back later. It is more useful to edit an existing investigation, make your edits, and then click ‘save as’.
Now you have the best of both worlds. Investigations at both general and specific levels with ease.
Categorize StealthDEFEND Playbooks to Reduce Clutter
Response playbooks are extremely valuable but when manually kicking off a response it can get cluttered. One way to make things more streamlined is to categorize your threat responses to the one or more threats they correspond to. All threat responses are not applicable to all threats. The result is faster threat responses and easier time determining which responses align with which threats.
Rod Simmons is VP of Product Strategy at STEALTHbits Technologies responsible for the vision and strategy of their Active Directory Management and Security solutions. Rod has been in the technology space for over 20 years.
Prior to joining STEALTHbits, he served as Director of Product Management at BeyondTrust responsible for the Privileged Access Management products. He has also held positions leading Solution Architects and Product Managers at Quest Software and Netpro Computing Inc.
Related Posts
- PROTIP – How to Purge Data in StealthAUDIT
- PROTIP – Fulfill a DSAR with StealthAUDIT 11.0
- Best Practices – Setting up StealthAUDIT SQL Server Database
- ProTip: How to Setup User Activity & Server Logon Scan in StealthAUDIT for Oracle
- Pro Tip – StealthINTERCEPT DB Maintenance Best Practices
- PROTIP: How to Update the “Have I Been Pwned” (HIBP) Breach Dictionary in StealthINTERCEPT Enterprise Password Enforcer and StealthAUDIT
- Protip: How to Setup User Activity & Database Logon Scans in StealthAUDIT for Oracle
- ProTip – The Power of Character Substitution Checks in StealthINTERCEPT Enterprise Password Enforcer
- Protip: How to Setup User Activity & Server Logon Scan in StealthAUDIT for SQL
- ProTip: Exciting New StealthDEFEND Functionality Available with the Release of Version 2.2 on November 5, 2019
Great post here Rod, thanks!