Windows Insider Threat Activity
The Insider Threat Activity screen covers a range of Windows-based threats drawn from the core Windows event log types. The page uses a number of charts to show the event counts for today, and the graphs show the last 24 hours of activity as an hourly event rate. Pie charts lower down on the screen show which systems are affected, which Windows accounts are involved, and the source users or systems generating the events. Any chart can be clicked to view the raw data in the drill-through at the bottom of the screen, where the data can be searched and further filtered on one or more of the data fields. Some parts of the dashboard only show data for the last 4 hours, because some Windows systems generate very large volumes of events. If a longer time range is needed, use the event search feature to search the logs over a longer period.
Windows USB Events - This status block covers all USB events collected by the Snare Windows Enterprise agent. The events include the device type and, where the vendor supplies it, the serial number. All inserts and removals are collected, so individual devices can be tracked across systems.
Windows Failed Logins - This status block shows all Windows failed login attempts for the collected systems. A high rate of failed logins can indicate an attempted compromise, especially when the same account is tried across multiple systems.
Windows Login Activity - This status block shows all successful Windows logins.
Windows Account Changes - This status block covers all Windows account changes.
Windows Audit Logs Cleared - These show the number of events recording that a Windows event log was cleared; this could be any of the Security, Application or System event logs. Clearing a log is a common anti-forensic step, so any such event warrants investigation.
Windows Audit Policy Changes - These show the events related to system or group policy audit policy changes.
Local Accounts Added/Removed to Administrators - All events associated with adding users to (or removing them from) the local Administrators group are alerted on. As part of privilege escalation on a system, an attacker will typically add a user to the local Administrators group to gain a foothold on the system.
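The two checks the Failed Logins and Local Accounts Added/Removed to Administrators blocks above describe, as an added example; this is not Snare code and the record layout is an assumption. The sample records are constructed, with a simplified set of fields; the event IDs are the standard Windows Security log IDs (4625 failed logon, 4732 member added to a security-enabled local group, 4733 member removed). It computes the hourly failed-login rate the 24-hour graph plots, flags accounts whose failed logins spread across several systems inside a short window, and lists Administrators group membership changes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real Snare agent output). Field names are a
# simplified view of what the dashboard drills into; the event IDs are the
# standard Windows Security log IDs: 4625 = failed logon, 4732 = member added
# to a security-enabled local group, 4733 = member removed.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:05", "host": "WS01", "event_id": 4625, "account": "jsmith", "src": "10.1.1.5"},
    {"ts": "2024-03-01T09:00:07", "host": "WS02", "event_id": 4625, "account": "jsmith", "src": "10.1.1.5"},
    {"ts": "2024-03-01T09:00:09", "host": "FS01", "event_id": 4625, "account": "jsmith", "src": "10.1.1.5"},
    {"ts": "2024-03-01T09:01:00", "host": "WS03", "event_id": 4625, "account": "jsmith", "src": "10.1.1.5"},
    {"ts": "2024-03-01T10:15:00", "host": "WS07", "event_id": 4625, "account": "mlee", "src": "10.1.1.9"},
    {"ts": "2024-03-01T11:30:00", "host": "WS07", "event_id": 4625, "account": "mlee", "src": "10.1.1.9"},
    {"ts": "2024-03-01T11:45:00", "host": "FS01", "event_id": 4732, "account": "svc_backup",
     "group": "Administrators", "actor": "jsmith"},
    {"ts": "2024-03-01T12:00:00", "host": "FS01", "event_id": 4732, "account": "mlee",
     "group": "Remote Desktop Users", "actor": "admin01"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def failed_logins_per_hour(events):
    """Hourly count of 4625 events, the series the 24-hour graph plots."""
    buckets = defaultdict(int)
    for e in events:
        if e["event_id"] == 4625:
            hour = parse_ts(e["ts"]).replace(minute=0, second=0, microsecond=0)
            buckets[hour.isoformat()] += 1
    return dict(buckets)


def accounts_failing_across_systems(events, min_hosts=3, window=timedelta(hours=1)):
    """Accounts whose failed logons reach at least `min_hosts` distinct systems
    within a sliding `window`: the 'same account over multiple systems' case
    the dashboard text calls out. Returns {account: sorted list of hosts}."""
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_account[e["account"]].append((parse_ts(e["ts"]), e["host"]))
    flagged = {}
    for account, hits in by_account.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


def local_admin_group_changes(events):
    """4732/4733 events whose target group is the local Administrators group."""
    return [
        {"ts": e["ts"], "host": e["host"], "member": e["account"], "actor": e["actor"],
         "action": "added" if e["event_id"] == 4732 else "removed"}
        for e in events
        if e["event_id"] in (4732, 4733) and e.get("group") == "Administrators"
    ]


if __name__ == "__main__":
    print(failed_logins_per_hour(SAMPLE_EVENTS))
    print(accounts_failing_across_systems(SAMPLE_EVENTS))
    print(local_admin_group_changes(SAMPLE_EVENTS))
```

On the sample data, jsmith is flagged because one source tried that account on four systems in under a minute, while mlee's two failures on a single workstation are not. The thresholds (three hosts in one hour) are arbitrary starting points; tune them against a baseline of normal failures in your environment so that a user mistyping a password on a couple of machines does not trigger the alert.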
Windows Privilege Escalation - These events relate to users that have gained a higher level of access through additional user rights.
Windows Application Crash - These events relate to applications that are crashing, which can be a symptom of malicious activity such as buffer overruns or other memory corruption used either to gain access or to cause a denial of service.
Windows Sysmon Events Trend - This shows the Sysmon event IDs over time and allows drill-through to a specific event ID, which is then shown in the text details section at the bottom.
Windows Events By System - This pie chart shows all systems affected within the date/time range searched and any filtering applied by the status blocks and graphs above.
Rubber Ducky Events - Using correlation of the USB and Windows events collected by the Snare for Windows Enterprise agent, Snare correlates Human Interface Device (HID) events to help detect when such devices are inserted into a system. A Rubber Ducky style device enumerates as a keyboard and injects scripted keystrokes, so the tell-tale pattern is a keyboard-class HID arriving and a command shell or script host starting moments later. The status block correlates these HID insert events with other USB events and with process execution activity, allowing the security team to detect the activity and quickly drill down to the system it occurred on.
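The HID-to-process correlation the Rubber Ducky Events block describes, as an added example; this is not Snare's correlation logic and the record layout is an assumption. The "usb" records stand in for the agent's USB insert events (device class and serial as reported by the device descriptor), the "proc" records for process-start events (Sysmon Event ID 1 or Security 4688), and the list of script hosts is an assumed starting point. A keyboard-class insert followed within a few seconds by PowerShell or cmd on the same host is flagged; a mass-storage insert or a keyboard followed half an hour later by Notepad is not.

```python
from datetime import datetime, timedelta

# Constructed events, not real Snare agent output. "usb" records stand in for
# the agent's USB insert/remove events (device class and serial as the USB
# descriptor reports them); "proc" records stand in for process-start events
# (Sysmon Event ID 1 or Security 4688). Field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T13:00:00", "host": "WS05", "type": "usb", "action": "insert",
     "device_class": "HID", "vendor": "", "serial": ""},
    {"ts": "2024-03-01T13:00:02", "host": "WS05", "type": "proc", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -w hidden -enc SQBFAFgA"},
    {"ts": "2024-03-01T13:00:03", "host": "WS05", "type": "proc", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c whoami"},
    {"ts": "2024-03-01T14:10:00", "host": "WS09", "type": "usb", "action": "insert",
     "device_class": "MassStorage", "vendor": "SanDisk", "serial": "4C530001"},
    {"ts": "2024-03-01T14:10:20", "host": "WS09", "type": "proc", "user": "CORP\\mlee",
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe E:\\"},
    {"ts": "2024-03-01T15:00:00", "host": "WS05", "type": "usb", "action": "insert",
     "device_class": "HID", "vendor": "Logitech", "serial": "A1B2C3"},
    {"ts": "2024-03-01T15:30:00", "host": "WS05", "type": "proc", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"},
]

# Interpreters a keystroke-injecting device typically launches (assumed list;
# extend it for your environment).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def image_name(path):
    """Bare executable name from a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate_hid_execution(events, window=timedelta(seconds=30)):
    """Pair each HID insert with script-host starts on the same host inside
    `window`. Returns a list of {"insert": usb_event, "processes": [...]}
    entries, one per HID insert that was followed by such a start."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    hits = []
    for i, e in enumerate(ordered):
        if e["type"] != "usb" or e["action"] != "insert" or e["device_class"] != "HID":
            continue
        t0 = parse_ts(e["ts"])
        procs = [
            p for p in ordered[i + 1:]
            if p["type"] == "proc" and p["host"] == e["host"]
            and parse_ts(p["ts"]) - t0 <= window
            and image_name(p["image"]) in SCRIPT_HOSTS
        ]
        if procs:
            hits.append({"insert": e, "processes": procs})
    return hits


if __name__ == "__main__":
    for hit in correlate_hid_execution(SAMPLE_EVENTS):
        ins = hit["insert"]
        print(ins["host"], ins["ts"], [image_name(p["image"]) for p in hit["processes"]])
```

Two details matter when turning this into a rule. A device with an empty vendor string and serial is itself suspicious, since branded keyboards usually report both, so the insert event alone is worth surfacing even without a process match. And the window should stay short: a Rubber Ducky payload fires within a second or two of enumeration, whereas a user plugging in a real keyboard and later opening a shell will normally be minutes apart.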
Windows Kerberos Events - A graph showing the event rate for Kerberos events.
Windows Kerberos Events By System - Kerberos events per system, with drill-down on the Kerberos events to review the activities being performed. Kerberos activity carries its own threats: in a Kerberoasting attack, service tickets are requested for accounts that have service principal names and the tickets are cracked offline to recover the service account password, and in a pass-the-ticket attack a stolen ticket is replayed to gain access to systems or resources. Unusual activity or spikes in usage may therefore require investigation to determine whether it was authorised activity or not.
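The Kerberoasting footprint described under Windows Kerberos Events By System, as an added example; this is not Snare code and the record layout is an assumption. The sample records are constructed Event ID 4769 (service ticket requested) entries with a simplified set of fields; the encryption type codes are the standard values that event carries (0x17 RC4-HMAC, 0x12 AES256). It produces the per-system counts behind the pie chart and flags accounts that requested RC4 tickets for several different services within one clock hour, which is how a roasting tool behaves and how a normal client does not.

```python
from collections import defaultdict
from datetime import datetime

# Constructed 4769 (Kerberos service ticket requested) records, not real Snare
# output. Field names are assumptions; the encryption type codes are the
# standard ones from the event: 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T16:00:01", "host": "DC01", "event_id": 4769, "account": "jsmith@CORP.LOCAL",
     "service": "MSSQLSvc/sql01.corp.local:1433", "enc_type": "0x17", "src": "10.1.1.5"},
    {"ts": "2024-03-01T16:00:02", "host": "DC01", "event_id": 4769, "account": "jsmith@CORP.LOCAL",
     "service": "HTTP/web01.corp.local", "enc_type": "0x17", "src": "10.1.1.5"},
    {"ts": "2024-03-01T16:00:02", "host": "DC01", "event_id": 4769, "account": "jsmith@CORP.LOCAL",
     "service": "svc_backup", "enc_type": "0x17", "src": "10.1.1.5"},
    {"ts": "2024-03-01T16:00:03", "host": "DC01", "event_id": 4769, "account": "jsmith@CORP.LOCAL",
     "service": "svc_sccm", "enc_type": "0x17", "src": "10.1.1.5"},
    {"ts": "2024-03-01T16:20:00", "host": "DC02", "event_id": 4769, "account": "mlee@CORP.LOCAL",
     "service": "cifs/fs01.corp.local", "enc_type": "0x12", "src": "10.1.1.9"},
    {"ts": "2024-03-01T17:05:00", "host": "DC02", "event_id": 4769, "account": "mlee@CORP.LOCAL",
     "service": "HTTP/web01.corp.local", "enc_type": "0x12", "src": "10.1.1.9"},
    {"ts": "2024-03-01T17:06:00", "host": "DC01", "event_id": 4769, "account": "WS05$@CORP.LOCAL",
     "service": "LDAP/dc01.corp.local", "enc_type": "0x12", "src": "10.1.1.20"},
]

RC4_HMAC = "0x17"


def parse_ts(s):
    return datetime.fromisoformat(s)


def hour_bucket(ts):
    """ISO timestamp truncated to the clock hour, e.g. 2024-03-01T16:00:00."""
    return parse_ts(ts).replace(minute=0, second=0, microsecond=0).isoformat()


def kerberos_events_by_system(events):
    """Per-system counts, the series behind the 'by system' pie chart."""
    counts = defaultdict(int)
    for e in events:
        counts[e["host"]] += 1
    return dict(counts)


def rc4_ticket_share(events):
    """Fraction of each account's 4769 requests that used RC4. An account that
    is suddenly all-RC4 in an AES domain stands out on its own."""
    total, rc4 = defaultdict(int), defaultdict(int)
    for e in events:
        if e["event_id"] != 4769:
            continue
        total[e["account"]] += 1
        if e["enc_type"].lower() == RC4_HMAC:
            rc4[e["account"]] += 1
    return {a: rc4[a] / total[a] for a in total}


def kerberoast_candidates(events, min_services=3):
    """Accounts that requested RC4 service tickets for at least `min_services`
    distinct services within the same clock hour. Returns
    {(account, hour): sorted list of services}."""
    per_slot = defaultdict(set)
    for e in events:
        if e["event_id"] == 4769 and e["enc_type"].lower() == RC4_HMAC:
            per_slot[(e["account"], hour_bucket(e["ts"]))].add(e["service"])
    return {slot: sorted(svcs) for slot, svcs in per_slot.items() if len(svcs) >= min_services}


if __name__ == "__main__":
    print(kerberos_events_by_system(SAMPLE_EVENTS))
    print(rc4_ticket_share(SAMPLE_EVENTS))
    print(kerberoast_candidates(SAMPLE_EVENTS))
```

RC4 on its own is not proof: a service account that has never been assigned AES keys will legitimately produce 0x17 tickets for every client. The combination to investigate is one account, many distinct services, RC4, all within a burst, and the drill-down should then show the source address of the requests and which service accounts were targeted so their passwords can be rotated if needed.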