This blog covers four ProTips: two for StealthINTERCEPT and two for StealthDEFEND.
StealthINTERCEPT has long supported a single policy with multiple event registrations. This is useful when you need to audit certain activity but want to filter out a couple of very specific conditions without suppressing all other activity. Here is a use case:
Because StealthINTERCEPT version 7.1 introduces improved filtering, an LDAP example seems appropriate: you have identified LDAP activity you want to audit, but a single account generates an excessively high volume of traffic from a single system/host. That traffic is expected, but it is noise in the audit data.
Problem
If you filter the system, you don’t see activity from other accounts on that system.
BUT…
If you filter that account, you don’t see other activity for that account on other systems.
Policy 1
Policy 2
The end result: you get all activity for the desired users, and from the noisy account only the activity on hosts other than the one where it generates the excessive traffic.
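To make the two-registration logic concrete, here is an added PowerShell example that is not from the original post or from StealthINTERCEPT itself. It models the two event registrations as filter predicates and runs them over a few constructed LDAP events; the account name, host name and event fields are assumptions for illustration, not StealthINTERCEPT's own schema.

```powershell
# Added example (not StealthINTERCEPT code): model the two event registrations
# from the use case above as predicates and apply them to sample LDAP events.

# Assumed names; a real policy would use your own noisy account and host.
$NoisyAccount = 'CORP\svc-ldapsync'
$NoisyHost    = 'APP01'

# Constructed sample events (not real audit data).
$Events = @(
    [pscustomobject]@{ Account = 'CORP\svc-ldapsync'; Host = 'APP01'; Query = '(objectClass=user)' }
    [pscustomobject]@{ Account = 'CORP\svc-ldapsync'; Host = 'APP02'; Query = '(objectClass=user)' }
    [pscustomobject]@{ Account = 'CORP\jdoe';         Host = 'APP01'; Query = '(sAMAccountName=*)' }
    [pscustomobject]@{ Account = 'CORP\jdoe';         Host = 'WKS17'; Query = '(memberOf=*)' }
)

# Registration 1: audit every account on every host EXCEPT the noisy host.
$Registration1 = { param($e) $e.Host -ne $NoisyHost }

# Registration 2: audit the noisy host, but EXCEPT the noisy account.
$Registration2 = { param($e) ($e.Host -eq $NoisyHost) -and ($e.Account -ne $NoisyAccount) }

function Test-PolicyMatch {
    param([Parameter(Mandatory)] $Event)
    # A single policy fires if ANY of its registrations matches the event.
    (& $Registration1 $Event) -or (& $Registration2 $Event)
}

# Show, per event, whether the combined policy would audit it.
$Events | ForEach-Object {
    [pscustomobject]@{
        Account = $_.Account
        Host    = $_.Host
        Query   = $_.Query
        Audited = Test-PolicyMatch -Event $_
    }
} | Format-Table -AutoSize
```

The two predicates are deliberately complementary on the host field: the first covers every host except the noisy one, the second covers only the noisy host minus the noisy account. Their union therefore excludes exactly one combination, the noisy account on the noisy host, which is the only event in the sample set that is not audited. Filtering on the account alone or the host alone would drop the second and third sample events as well.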
This latest release, StealthINTERCEPT version 7.1, extends many more capabilities from the StealthINTERCEPT console to PowerShell. You can now manage/import policies and collections, check agent status, and more from PowerShell. The StealthINTERCEPT Administrative guide documents the PowerShell cmdlets in detail; see the product help Appendix: PowerShell API integration. To enable the PowerShell module type:
Import-Module "C:\Program Files\STEALTHbits\StealthINTERCEPT\SIEnterpriseManager\SI.SIMonitor.PowerShell.dll"
To see a list of available SI PowerShell cmdlets type:
Get-Command -Module SI.SIMonitor.PowerShell
The Appendix also documents all files required to perform remote management.
Often we build investigations in StealthDEFEND to look for general activity. However, from time to time you need a similar investigation focused on a single user or group of users. Building a new one from scratch wastes time, and modifying your existing investigation means you have to remember to change it back later. Instead, open the existing investigation, make your edits, and then click ‘save as’.
Now you have the best of both worlds: investigations at both the general and the specific level, with ease.
Response playbooks are extremely valuable, but manually kicking off a response can get cluttered. One way to streamline this is to categorize your threat responses by the threat or threats they correspond to, since not every response applies to every threat. The result is faster threat response and an easier time determining which responses align with which threats.
Rod Simmons is VP of Product Strategy at STEALTHbits Technologies responsible for the vision and strategy of their Active Directory Management and Security solutions. Rod has been in the technology space for over 20 years.
Prior to joining STEALTHbits, he served as Director of Product Management at BeyondTrust responsible for the Privileged Access Management products. He has also held positions leading Solution Architects and Product Managers at Quest Software and Netpro Computing Inc.
© 2022 Stealthbits Technologies, Inc.
Great post here Rod, thanks!