Insider Threat Activity

To access the Insider Threat Activity dashboard, select the following from the menu.

The Insider Threat Activity screen covers many Windows-based threats, drawing on activity from many Windows event log types. The page uses status blocks to show the number of events for the date/time filter selected in the top right corner, with a trend value shown as a percentage indicating whether the count is increasing, decreasing or neutral. Under each status block is a line graph showing the last 24 hours of activity as the hourly rate of those events. Pie charts lower down on the screen show which systems are affected, which Windows accounts are involved and the source IP of the activity causing the events. Any of these panels can be clicked to view the raw data in the drill-through at the bottom of the screen, where the data can be searched and additional filtering applied on one or more of the data fields.

  • Rubber Ducky Events - Using correlation of USB and Windows events collected from the Snare for Windows Enterprise agent, Snare correlates the Human Interface Device (HID) events to help detect when such devices are inserted into a system. The status block correlates these HID events with other USB events and process execution activity, allowing the security team to detect this activity and quickly drill down on where it occurred.
  • Windows USB Events - This status block covers all USB events collected from the Snare Windows Enterprise agent. These events include the device type and the serial number where the vendor supplies one. All inserts and removals are collected and can be tracked.
  • Windows Failed Logins - This status block shows all Windows failed login attempts for the systems collected. High rates of failed logins could indicate an attempted system compromise, especially when the same account is used across multiple systems.
  • Windows Login Activity - This status block shows all successful Windows logins.
  • Windows Account Changes - This status block covers all Windows account changes.
  • Windows Group Changes - This status block covers all Windows group membership changes for accounts added to or removed from specific groups.
  • Windows Audit Logs Cleared - These show the number of actions taken to clear the Windows event logs; these could be for any of the Security, Application or System event logs.
  • Windows Audit Policy Changes - These show the events related to system or group policy audit policy changes.
  • Local Accounts Added to Administrators - All events associated with adding users to the local Administrators group will be alerted on. As part of any privilege escalation on a system, a user would be added to the local Administrators group to gain a foothold on the system.
  • Windows Privilege Escalation - These events relate to users that have gained a higher level of access via additional user rights.
  • Windows Application Crash - These events relate to applications that are crashing, which can be a symptom of malicious activity such as buffer overruns or other memory manipulation used to either gain access or cause a denial of service.
  • Windows Protection Disabled - When services are stopped or disabled, it could be the result of a user stopping the service or the service crashing for some reason. This activity should be investigated as part of the incident management process.
  • Windows Events By System - This pie chart shows all systems affected within the date/time range searched and any filtering applied by the above status blocks and graphs.
  • Windows Accounts Affected - This pie chart shows all of the user accounts affected within the date/time range searched and any filtering applied by the above status blocks and graphs.
  • Windows Source IP Activity - This pie chart shows all of the events by the source IP of the user that caused the event, within the date/time range searched and any filtering applied by the above status blocks and graphs.
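As an added example (not Snare's own code), the following Python models how the status blocks above can be computed from Windows Security events: the count for the selected window, the trend percentage against the preceding window of equal length, the hourly rate series behind the line graph, and the system, account and source IP breakdowns behind the pie charts. The event ID to status block mapping and the sample events are assumptions constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed mapping of standard Windows Security event IDs to dashboard status
# blocks; the grouping is this example's assumption, not Snare's own correlation.
STATUS_BLOCKS = {4624: "Windows Login Activity", 4625: "Windows Failed Logins",
                 4720: "Windows Account Changes", 1102: "Windows Audit Logs Cleared",
                 4719: "Windows Audit Policy Changes", 4732: "Windows Group Changes"}
BLOCK_NAMES = sorted(set(STATUS_BLOCKS.values()) | {"Local Accounts Added to Administrators"})

def block_for(ev):
    """Route one event to a status block; a 4732 whose target group is Administrators goes to the admin block."""
    if ev["id"] == 4732 and ev.get("group") == "Administrators":
        return "Local Accounts Added to Administrators"
    return STATUS_BLOCKS.get(ev["id"])

def summarise(events, window_end, hours=24):
    """Per-block counts for the last `hours`, trend against the preceding window
    of equal length, an hourly rate series, and pie-chart style breakdowns."""
    end = datetime.fromisoformat(window_end)
    start, prev_start = end - timedelta(hours=hours), end - timedelta(hours=2 * hours)
    current, previous = Counter(), Counter()
    hourly = defaultdict(lambda: [0] * hours)
    breakdown = {k: Counter() for k in ("system", "account", "source_ip")}
    for ev in events:
        block = block_for(ev)
        if block is None:
            continue  # event type not shown on this dashboard
        ts = datetime.fromisoformat(ev["time"])
        if start <= ts < end:
            current[block] += 1
            hourly[block][int((ts - start).total_seconds() // 3600)] += 1
            for key in breakdown:
                breakdown[key][ev[key]] += 1
        elif prev_start <= ts < start:
            previous[block] += 1
    summary = {}
    for name in BLOCK_NAMES:
        cur, prev = current[name], previous[name]
        pct = None if prev == 0 else round((cur - prev) / prev * 100, 1)  # None: no baseline
        label = "increasing" if cur > prev else "decreasing" if cur < prev else "neutral"
        summary[name] = {"count": cur, "trend_pct": pct, "trend": label, "per_hour": hourly[name]}
    return summary, breakdown

# Constructed sample events (not real telemetry); the window ends at 2024-05-01T12:00.
def _ev(time, eid, system, account, ip, group=None):
    return {"time": time, "id": eid, "system": system, "account": account, "source_ip": ip, "group": group}

SAMPLE_EVENTS = [
    _ev("2024-05-01T09:05:00", 4625, "WS01", "alice", "10.0.0.5"),
    _ev("2024-05-01T09:06:00", 4625, "WS01", "alice", "10.0.0.5"),
    _ev("2024-05-01T09:07:00", 4625, "WS02", "alice", "10.0.0.5"),
    _ev("2024-04-30T15:00:00", 4625, "WS01", "bob", "10.0.0.7"),
    _ev("2024-04-29T20:00:00", 4625, "WS01", "bob", "10.0.0.7"),    # previous window
    _ev("2024-04-29T21:00:00", 4625, "WS03", "carol", "10.0.0.9"),  # previous window
    _ev("2024-05-01T10:00:00", 4624, "WS02", "alice", "10.0.0.5"),
    _ev("2024-05-01T10:30:00", 4732, "WS02", "alice", "10.0.0.5", "Administrators"),
    _ev("2024-05-01T11:00:00", 1102, "WS02", "alice", "10.0.0.5"),
    _ev("2024-04-28T11:00:00", 4624, "WS03", "carol", "10.0.0.9"),  # outside both windows
]
```

Calling `summarise(SAMPLE_EVENTS, "2024-05-01T12:00:00")` yields four failed logins against two in the previous day (trend +100.0%, increasing), with three of them in the same hour, which is the kind of spike the status block and its line graph are meant to surface.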
