Windows User Behaviour Activity Analysis
This dashboard details the User Activity Analysis, covering which systems users log into and the frequency of logins. Understanding the usage patterns helps to determine how users are using systems, whether through normal operations or inappropriate activity. Are administrative logins being used in unusual ways and across multiple systems? Is someone attempting to guess someone's password, which generates a lot of login failures? Many aspects of the analysis and monitoring can assist with determining system compromise, or when a user is moving laterally across a network in the event of a system breach. The dashboard comprises the following components.
- Windows Login activity - this shows the high usage users generating system login events. By selecting the user on the bar graph you can drill down to the specific events that user is generating from system logins and see which systems those events are from.
- Failed login activity by user - this chart shows which system accounts are generating failed logins. Failed logins can be caused by a misconfiguration of a service account, or where a password has changed and the service can no longer start. They can be caused by end users making keyboard errors during login. They can also be caused by malicious users or scanning software on the network attempting to log in. An account that has high login failures over multiple systems can be an indicator of compromise, with the attacker attempting further compromise of other systems or accounts. Failed logins for administrative accounts are of the highest concern and should be investigated.
- Windows User Interactive Login/Logoff - this chart shows the user accounts that are generating the highest login and logoff activity. This KPI specifically monitors type 3 and type 10 logins. These logs relate to remote access to the system. Unusual host-to-host logins can be a symptom of lateral movement around the network by a hacker. Reviewing the same user, or unusual accounts, logging in across many hosts when this is not expected can reveal a hacker on the network.
- Windows Failed Login Activity - the chart plots the user failed login activity over the day and overlays the high usage users with other user activity. User accounts can be filtered out by selecting the users from the legend on the right to adjust the chart to show a specific user list.
- Windows Use of User Rights - when a user account requests specific user rights it will log an event. Windows has many user rights, such as run as a service, add a workstation to the domain, etc. For a complete list review the Microsoft document https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment . If user accounts are being set with a specific user right and it is not expected as part of a change control, then it should be investigated as a possible source of a backdoor being set up on the system to allow the hacker to come back and get access to the system with some sort of privileged access.
- Windows File and Resource Access - when file monitoring is enabled in the Snare agent or via GPO it will generate a series of file activity monitoring events. High usage activity of specific events can be a symptom of unauthorised activity, either copying data from one system to another, doing a mass delete, or ransomware encrypting the files. Each of the Windows event IDs relates to specific activity: read, write, delete, move, used program XX to read/change the file, etc. The events help to detail WHO did WHAT and WHEN to a file or directory of files. There can be many options to enable when doing file auditing, so it is good to also review the Microsoft document to help understand how the auditing process works: https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/ . The Snare for Windows agent can also be used to set file auditing on specific files and/or directories and do recursive monitoring on selected directories. Care should always be taken when doing recursive auditing that you only include the paths needed, as excessive file auditing can slow down the system.
- Login Activity by User - this chart shows the user login activity over the day showing which accounts are generating the most login activity and at which time of day. Users can be filtered by clicking on the legend on the right.
- Windows User Account Changes - when a user's account is changed it can be to provide them with new access, or to remove access if the user has changed roles or left the organisation. When these user changes occur they should be part of approved activity. If changes are occurring that are not part of any scheduled change activity, then they could be part of some malicious activity. One of the things most hackers will attempt to do is give any accounts they have compromised administrative access, so they can come back and log in whenever they like to perform their nefarious activities. So determining what changes are occurring to which accounts, and why, will help with performing any user activity review.
- Windows Process Activity by Event - Windows process monitoring will track what commands are run on the system. Each event type is related to specific activity, such as process execution or process exit. By capturing and reporting on what commands are being run it can help track what hackers are doing on the network, such as running tools like Sysinternals, PowerShell, specific malware or other Trojans that were uploaded and run. The Snare Windows agent can track all process activity on the system, or the customer can enable process monitoring via group policy. Please review the Microsoft link for more information: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation
- Windows Login Failures Locked Accounts - if a locked account starts to get login failures then it would usually be classed as suspicious activity. The Windows administrators should know why the account was disabled in the first place, i.e. the user left the organisation or the account is no longer needed. So when this account starts to generate login failures it is likely to be from some unauthorised user who does not know it was disabled and is trying to guess the password, or trying to obtain access if the old password was compromised. An account can also go into locked out status when too many password attempts have occurred and Windows locks the account via policy. This can be a symptom of an account brute force, or of the user having keyboard problems entering their password. So any events for locked accounts should be investigated.
- Windows Events by System - this chart shows a summary view of which systems are generating the events. When used in conjunction with the drill-down filters applied to the other charts above, it can help show which systems are generating the events selected by those filters.
- Windows Process Commands - this chart shows a summary of the actual process commands run on the Windows system.
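The logon-related checks described above (failed logins for one account across multiple systems, failed logins against administrative accounts, type 3/10 logins for one account spread over many hosts, and login failures against disabled or locked accounts) can be expressed as a small analysis over the Security event fields the dashboard charts. The following is an added example and not code from the Snare product or its documentation; the host names, account names, the `ADMIN_ACCOUNTS` set and the `min_hosts` thresholds are constructed/assumed values, while the event IDs (4624, 4625), logon types and NTSTATUS sub-status codes are the standard Windows values.

```python
"""Added example (not part of the Snare dashboard documentation): flags the
logon patterns the dashboard text calls out, over constructed events."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    event_id: int        # 4624 = successful logon, 4625 = failed logon
    account: str         # TargetUserName
    host: str            # system that recorded the event (constructed names)
    logon_type: int      # 2 interactive, 3 network, 10 remote interactive, ...
    sub_status: str = ""  # NTSTATUS on a 4625, e.g. 0xC000006A = bad password


# Standard Windows values.
REMOTE_LOGON_TYPES = {3, 10}          # the types the dashboard KPI monitors
ACCOUNT_DISABLED = "0xC0000072"       # STATUS_ACCOUNT_DISABLED
ACCOUNT_LOCKED = "0xC0000234"         # STATUS_ACCOUNT_LOCKED_OUT
BAD_PASSWORD = "0xC000006A"           # STATUS_WRONG_PASSWORD

# Assumed: in practice this list comes from AD group membership.
ADMIN_ACCOUNTS = {"administrator", "svc_backup"}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    LogonEvent(4625, "jsmith", "HOST-A", 3, BAD_PASSWORD),
    LogonEvent(4625, "jsmith", "HOST-B", 3, BAD_PASSWORD),
    LogonEvent(4625, "jsmith", "HOST-C", 3, BAD_PASSWORD),
    LogonEvent(4625, "jsmith", "HOST-D", 3, BAD_PASSWORD),
    LogonEvent(4625, "mjones", "HOST-A", 2, BAD_PASSWORD),      # a single typo
    LogonEvent(4625, "Administrator", "HOST-B", 10, BAD_PASSWORD),
    LogonEvent(4624, "svc_backup", "HOST-A", 3),               # service, 2 hosts
    LogonEvent(4624, "svc_backup", "HOST-B", 3),
    LogonEvent(4624, "jsmith", "HOST-A", 10),                  # same user on 3 hosts
    LogonEvent(4624, "jsmith", "HOST-B", 10),
    LogonEvent(4624, "jsmith", "HOST-C", 3),
    LogonEvent(4624, "mjones", "HOST-A", 2),                   # local console logon
    LogonEvent(4625, "oldemployee", "HOST-A", 3, ACCOUNT_DISABLED),
]


def failed_logon_hosts(events):
    """Map account -> set of hosts on which it produced a 4625."""
    hosts = defaultdict(set)
    for e in events:
        if e.event_id == 4625:
            hosts[e.account.lower()].add(e.host)
    return hosts


def spraying_accounts(events, min_hosts=3):
    """Accounts failing to log on across at least min_hosts systems."""
    return sorted(a for a, h in failed_logon_hosts(events).items()
                  if len(h) >= min_hosts)


def failed_admin_logons(events):
    """Administrative accounts with any failed logon: highest concern."""
    return sorted({e.account.lower() for e in events
                   if e.event_id == 4625 and e.account.lower() in ADMIN_ACCOUNTS})


def remote_logon_spread(events, min_hosts=3):
    """Accounts with successful type 3/10 logons on at least min_hosts hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e.event_id == 4624 and e.logon_type in REMOTE_LOGON_TYPES:
            hosts[e.account.lower()].add(e.host)
    return {a: sorted(h) for a, h in hosts.items() if len(h) >= min_hosts}


def disabled_or_locked_failures(events):
    """Failed logons whose sub-status says the account is disabled or locked."""
    return sorted({(e.account.lower(), e.sub_status) for e in events
                   if e.event_id == 4625
                   and e.sub_status in (ACCOUNT_DISABLED, ACCOUNT_LOCKED)})


def summarize(events):
    """One dictionary with all four findings, as a dashboard panel would show."""
    return {
        "failed_across_hosts": spraying_accounts(events),
        "failed_admin": failed_admin_logons(events),
        "remote_spread": remote_logon_spread(events),
        "disabled_or_locked": disabled_or_locked_failures(events),
    }


if __name__ == "__main__":
    for name, finding in summarize(SAMPLE_EVENTS).items():
        print(f"{name}: {finding}")
```

Thresholds such as `min_hosts` need tuning per environment: a backup or monitoring service account legitimately logs on to many hosts with type 3, so such accounts should be baselined and excluded from the lateral-movement finding rather than raising the threshold for everyone.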
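The file and resource access component above turns 4663 object-access events into a WHO did WHAT summary and looks for high-volume activity such as a mass delete or ransomware encrypting files. The following is an added example of that summary and of a sliding-window burst check, not code from Snare or its documentation; the share paths, account names, timestamps and the `window`/`threshold` values are constructed/assumed, and the `accesses` field is a simplified form of the 4663 "Accesses" field.

```python
"""Added example (not part of the Snare dashboard documentation): summarises
constructed 4663 file-auditing events and flags bursts of one access type
by one account within a short time window."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: int          # seconds since epoch (constructed)
    account: str     # SubjectUserName
    path: str        # ObjectName
    accesses: str    # simplified 4663 "Accesses": DELETE, WriteData, ReadData


def build_sample():
    """Constructed events: one mass delete, one slow clean-up, some reads."""
    base = 1_700_000_000
    events = []
    # 25 deletes by jsmith inside 25 seconds: the mass-delete pattern.
    for i in range(25):
        events.append(FileEvent(base + i, "jsmith",
                                f"\\\\FS01\\share\\doc{i}.docx", "DELETE"))
    # 3 deletes by mjones spread over an hour: routine housekeeping.
    for i in range(3):
        events.append(FileEvent(base + i * 1200, "mjones",
                                f"\\\\FS01\\share\\old{i}.xlsx", "DELETE"))
    # 5 reads by mjones.
    for i in range(5):
        events.append(FileEvent(base + 100 + i, "mjones",
                                f"\\\\FS01\\share\\report{i}.pdf", "ReadData"))
    return events


SAMPLE_EVENTS = build_sample()


def who_did_what(events):
    """Count (account, access type) pairs: the WHO did WHAT summary."""
    return Counter((e.account, e.accesses) for e in events)


def burst_accounts(events, access="DELETE", window=60, threshold=20):
    """Accounts with at least `threshold` events of `access` within any
    `window`-second span. Returns account -> peak count in a window."""
    per_account = defaultdict(list)
    for e in events:
        if e.accesses == access:
            per_account[e.account].append(e.ts)
    flagged = {}
    for account, times in per_account.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[account] = peak
    return flagged


if __name__ == "__main__":
    for (account, access), n in sorted(who_did_what(SAMPLE_EVENTS).items()):
        print(f"{account} {access} x{n}")
    print("delete bursts:", burst_accounts(SAMPLE_EVENTS))
```

The window approach matters because the raw count alone does not separate a slow, legitimate clean-up from the same number of deletes in a few seconds; the same check with `access="WriteData"` covers the encrypt-in-place behaviour the text mentions, and the 4663 events only exist for paths that were actually placed under audit, which is why the page advises limiting recursive auditing to the paths needed.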
v2 dashboards