...

  • Rubber Ducky Events - Using correlation of USB and Windows events collected from the Snare for Windows Enterprise agent, Snare correlates the Human Interface Device (HID) events that help detect when such devices are inserted into a system. The status block correlates these HID events with other USB events and process execution activity, which allows the security team to detect this activity and quickly drill down on where it occurred.
  • Windows USB Events - This status block covers all USB events collected from the Snare Windows Enterprise agent. These events include the device type and the serial number where the vendor supplies one. All inserts and removals are collected and can be tracked.
  • Windows Failed Logins - This status block shows all Windows failed login attempts for the systems collected. High rates of failed logins can indicate an attempted system compromise, especially when the same account is used across multiple systems.
  • Windows Login Activity - This status block shows all successful Windows logins.
  • Windows Account Changes - This status block covers all Windows account changes.
  • Windows Group Changes - This status block covers all Windows group membership changes for accounts added to or removed from specific groups.
  • Windows Audit Logs Cleared - This shows the number of events for actions taken to clear the Windows event logs; these could be for any of the Security, Application, or System event logs.
  • Windows Audit Policy Changes - This shows the events related to system or group policy audit policy changes.
  • Local Accounts Added to Administrators - All events associated with adding users to the local Administrators group are alerted on. As part of any privilege escalation on a system, a user is typically added to the local Administrators group to gain a foothold on the system.
  • Windows Privilege Escalation - These events relate to users that have gained a higher level of access via additional user rights.
  • Windows Application Crash - These events relate to applications that are crashing, which can be a symptom of malicious activity such as buffer overruns or other memory manipulation used either to gain access or to cause a denial of service.
  • Windows Protection Disabled - When services are stopped or disabled, it could be the result of a user stopping the service or of the service crashing for some reason. This activity should be investigated as part of the incident management process.
  • Windows Events By System - This pie chart shows all systems affected within the date/time range searched and any filtering applied by the status blocks and graphs above.
  • Windows Accounts Affected - This pie chart shows all of the user accounts affected within the date/time range searched and any filtering applied by the status blocks and graphs above.
  • Windows Source IP Activity - This pie chart shows all of the events by the source IP of the user that caused the event, as generated by the date/time range search and any filtering applied by the status blocks and graphs above.
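The HID-plus-process correlation behind the Rubber Ducky status block, as an added example (not Snare's own code or the dashboard's query): an HID insertion on a host followed within a few seconds by process starts on the same host raises an alert, with the matching USB device record attached for drill-down. The event layout, field names and sample records are constructed assumptions, not Snare's actual record format.

```python
# Added example: correlate HID insertions with process starts on the same host.
# Event layout and sample records are constructed, not Snare's real format.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str     # "usb_insert", "hid_insert" or "process_start"
    detail: str   # device description or process image name

# Constructed sample records: (timestamp, host, kind, detail)
SAMPLE = [
    ("2024-01-10T09:00:01", "ws-17", "usb_insert", "VID_1234 PID_5678 serial=n/a"),
    ("2024-01-10T09:00:01", "ws-17", "hid_insert", "HID keyboard"),
    ("2024-01-10T09:00:03", "ws-17", "process_start", "powershell.exe"),
    ("2024-01-10T09:00:04", "ws-17", "process_start", "cmd.exe"),
    ("2024-01-10T09:30:00", "ws-22", "hid_insert", "HID mouse"),
    ("2024-01-10T09:45:00", "ws-22", "process_start", "notepad.exe"),
]

def parse_events(rows):
    return [Event(datetime.fromisoformat(t), h, k, d) for t, h, k, d in rows]

def correlate(events, window_seconds=10):
    """One alert per HID insertion followed, on the same host, by at least one
    process start within window_seconds. A keyboard-class device that starts
    typing commands as soon as it is plugged in produces exactly this pattern."""
    window = timedelta(seconds=window_seconds)
    alerts = []
    for hid in (e for e in events if e.kind == "hid_insert"):
        procs = [e.detail for e in events
                 if e.kind == "process_start" and e.host == hid.host
                 and hid.ts <= e.ts <= hid.ts + window]
        if not procs:
            continue  # ordinary mouse/keyboard insert with no follow-on activity
        # Attach the USB device record (vendor/serial) seen around the same time
        usb = [e.detail for e in events
               if e.kind == "usb_insert" and e.host == hid.host
               and abs(e.ts - hid.ts) <= window]
        alerts.append({"host": hid.host, "when": hid.ts.isoformat(),
                       "device": hid.detail, "usb": usb, "processes": procs})
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE)):
        print(alert)
```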


v2 Dashboards
