Stealthintercept Admin Console Overview 14

2021 StealthINTERCEPT® Admin Console User Guide StealthINTERCEPT®

TOC

StealthINTERCEPT Admin Console Overview 14

Understanding StealthINTERCEPT Components 14

Policies 17 Policy Templates 18

StealthINTERCEPT Agent Information 19

Solution Overview 24

StealthINTERCEPT for Active Directory 25 StealthINTERCEPT for Enterprise Password Enforcement 26 StealthINTERCEPT for Exchange 27 StealthINTERCEPT for File System 28 StealthINTERCEPT for LDAP 29

Getting Started with StealthINTERCEPT 29

Navigation & Configuration of the SI Admin Console 33

Menu Windows 39

Collection Manager Window 40 Preconfigured Collections 41 List of Collections Window 44 Dynamic Collections 52 Database Maintenance Window 58 Archive Data 62 Configure Database Maintenance 63 Enable Database Maintenance 67 Schedule Database Maintenance 68 Database Partitioning Window 69 EPE Settings Window 74 Event Database Configuration Window 86 Event Filtering Configuration Window 87 Export Policies and Templates Window 94 Doc_ID 371 2

File Monitor Settings Windows 96 Select Accounts to Exclude from Collections 97 Select Local Processes for Exclusion 98 Import Window 99 Password Safe Configuration Window 101 Profiles Tab 101 Scripts Tab 103 SI System Alerting Window 104 Email Tab 106 Configure SMTP Host Information 108 Create Message Profiles 109 Event Log Tab 114 SIEM Tab 115 Configure SIEM Server 116 Adding a Custom SIEM Mapping File 119 StealthDEFEND Configuration Windows 121 Event Sink Tab 122 Honey Token Tab 123 Forged PAC Tab 125 Users and Roles Window 126 Add SI Users 129 Modify SI User Assigned Rights 131 Users and Roles Window 133

Policy Center 137

Agents Interface 154

Deploy Agents Window 159 Enter Credentials Window 160 Select Computers Window 161 Set Options Window 164 Credential Verification Window 167

Doc_ID 371 3

Status Window 167 Agents Interface Right-Click Menu 168 SI Agent Right-Click Menu Configurations 170 Install SI Agents 171 Uninstall SI Agent 173 Upgrade Agent 173 Update Agent Settings 175 Start Agent 175 Stop Agent 176 Start Pending Modules 177 Harden Agent 177 Soften Agent 178 Remove Server from List 179 Clear SQLite Agent Queue 179 Log Level Configuration Window 180 Access SI Agent Log Files 182 Access the Enterprise Manager & Administration Console Log Files 183 SI Agent Safe Mode 185 How To Enable Agent Started in AD Monitor Pending Mode Email Alert 186 Agent Installer Update Window 187 Configure Auto Deploy Window 188

Alerts Interface 190

Policy Comparison Window 195

Analytics Interface 196

Investigate Interface 198

Filtered Investigate Views 206 EPE & LDAP Summary Folders 207

Policies Interface 210

Policies Node Right-Click Menu 212 Protect Policies 213

Doc_ID 371 4

Protect Objects 215

Templates Interface 218

Template Node Right-Click Menu 220 TAGS Node 220

Policy & Template Configuration 222

Actions Tab 223 File Actions 226 .NET Script Actions 229 StealthINTERCEPT Script Editor Tools 232 PowerShell 4.0 Actions 233 Event Type Tab 236 StealthINTERCEPT for Active Directory Solution Event Types 239 Active Directory Changes Event Type 240 Active Directory Lockdown Event Type 241 Active Directory Read Monitoring Event Type 241 AD Replication Lockdown Event Type 242 AD Replication Monitoring Event Type 243 Authentication Event Type 244 Authentication Lockdown Event Type 245 Effective Group Membership Event Type 245 GPO Setting Changes Event Type 246 GPO Setting Lockdown Event Type 246 LSASS Guardian – Monitor Event Type 246 LSASS Guardian – Protect Event Type 247 StealthINTERCEPT for Enterprise Password Enforcement Solution Event Type 247 Password Enforcement Event Type 247 StealthINTERCEPT for Exchange Solution Event Types 249 Exchange Changes Event Type 249

Doc_ID 371 5

Exchange Lockdown Event Type 250 StealthINTERCEPT for File System Solution Event Types 250 File System Changes Event Type 251 Monitor NAS Devices 252 File System Lockdown Event Type 253 File System StealthAUDIT Event Type 254 FSMO Role Monitoring 254 StealthINTERCEPT for LDAP Solution Event Type 255 LDAP Lockdown Event Type 255 LDAP Monitoring Event Type 256 Configure LDAP Monitoring for StealthDEFEND 256 General Tab 257 Recent Events Tab 262 Event Viewer Window 267 Event Tracker Window 269 Execute PS Script 269 Reports Tab 270 Link Reports to Policy/Template 271

Event Filters Overview 274

Selecting an SI Agent for a Browser Window 274

Browser Window Modes 275

Event Filter Tabs 277

Selection Windows 277 Add IP Address Window 277 Attribute List Window 277 Class List Window 278 Select Active Directory Context Window 279 Select Active Directory Group Policy Objects Window 280 Select Active Directory Objects Window 281 Select Active Directory Perpetrators Window 282

Doc_ID 371 6

Select Active Directory Trustees Window 283 Select AD Groups Windows 284 Select Computer Window 285 Select Domains and Servers Window 286 Select Exchange Objects from Active Directory Window 287 Select File System Objects Window 288 Test Passwords Window 289 User Account Control Window 291 AD Account Filter 291 AD Attributes Filter 292 AD Classes and Attributes Filter 294 AD Classes Filter 294 AD Context Filter 295 AD Event Filter 296 AD Group Policy Object Changes Filter 297 AD Group Policy Object Filter 298 AD Groups Filter 298 AD Objects and Containers Filter 299 AD Objects Filter 301 AD Perpetrator Filter for Lockdown 301 AD Perpetrator Filter for Monitoring 302 Additional Agents Filter 303 Advanced Filter 304 Authentication Protocol Filter 306 Authentication Policy Differences Between v7.0 and per-v7.0 307 Domains/Servers Filter 308 Exchange Event Filter for Lockdown 309 Exchange Event Filter for Monitoring 310 Exchange Mailbox Objects and Containers Filter 311 Exchange Perpetrators Filter 312 Exchange Trustees Filter 313

Doc_ID 371 7

File System Agents Filter 314 File System Filter for Lockdown 315 File System Filter for Monitoring 316 File System Paths Filter 318 File System StealthAUDIT Filter 319 FSMO Roles Filter 320 Hosts (from) Filter for Lockdown 321 Hosts (from) Filter for Monitoring 322 Hosts (to) Filter for Lockdown 322 Hosts (to) Filter for Monitoring 323 IP Addresses (from) Filter 324 IP Addresses (to) Filter 324 LDAP Query Filter for Lockdown 325 LDAP Query Filter for Monitoring 326 LDAP Attributes Filter 327 LDAP Result Filter 327 LDAP Runtime Filter 328 LDAP Filter 329 Open Process Flags Filter 330 Password Rules Filter 330 Permissions Filter 336 Perpetrators to Exclude Filter 337 Processes and Configuration Filter 337 Processes Filter for Lockdown 338 Processes Filter for Monitoring 339 Rule Preview Filter 339 Success Filter 340 User Account Control Filter 341

Policy Templates 342

Import SI Pre-Created Policy Templates 342

Doc_ID 371 8

Template Folder Structure for Pre-Created Policy Templates 343

Using Templates to Create Policies 395

Report Templates 397

StealthINTERCEPT Analytics Guide 415

Analytics 425

Bad User ID (by Source Host) Analytic Type 425 Configure Bad User ID (by Source Host) Analytic Policy 426 Bad User ID (by Source Host) Analytic Data Grid 428 Bad User ID (by User) Analytic Type 430 Configure Bad User ID (by User) Analytic Policy 430 Bad User ID (by User) Analytic Data Grid 433 Breached Password Analytic Type 434 Configure Breached Password Analytic Policy 435 Breached Password Analytic Data Grid 437 Brute Force Attacks Analytic Type 439 Configure Brute Force Attacks Analytic Policy 440 Brute Force Attacks Analytic Data Grid 442 Concurrent Logins Analytic Type 444 Configure Concurrent Logins Analytic Policy 444 Concurrent Logins Analytic Data Grid 447 File System Attacks (by User) Analytic Type 449 Configure File System Attacks (by User) Analytic Policy 449 File System Attacks (by User) Analytic Data Grid 452 Forged PAC Analytic Type 455 Configure Forged PAC Analytic Policy 455 Forged PAC Analytic Data Grid 458 Golden Ticket Analytic Type 459 Configure Golden Tickets Analytic Policy 459 Golden Tickets Analytic Data Grid 462 Horizontal Movement Attacks Analytic Type 463

Doc_ID 371 9

Configure Horizontal Movement Attacks Analytic Policy 463 Horizontal Movement Attacks Analytic Data Grid 466 Impersonation Logins Analytic Type 468 Configure Impersonation Logins Analytic Policy 468 Impersonation Logins Analytic Data Grid 471 Kerberos Weak Encryption Analytic Type 473 Configure Kerberos Weak Encryption Analytic Policy 473 Kerberos Weak Encryption Analytic Data Grid 474 User Account Hacking Analytic Type 475 Configure User Account Hacking Analytic Policy 476 User Account Hacking Analytic Data Grid 479

LDAP Operations Center 482

Create & Configure an LDAP Policy 483

Troubleshooting within the SI Admin Console 489

LSASS Process Terminated 490

How To Enable LSASS Process Terminated Email Alert 491

SI Agent Not Communicating with the Enterprise Manager 492

Bind To 493

Exchange Lockdown Considerations 493

Delegations through Outlook 493

Best Practices for StealthINTERCEPT Users 496

Best Practice #1 – Collect What You Need, NOT Everything 496

Best Practice #2 – Database Maintenance? Use It! 496

Best Practice #3 – Analytics? Turn on One at a Time & Tune 496

Best Practice #4 – Monitor before Blocking 497

Best Practice #5 – File System ‘Read’ Monitoring, in Moderation 497

Doc_ID 371 10

More Information 498

StealthINTERCEPT Appendices 499

Appendix: Release Notes 499

StealthINTERCEPT v7.3 New & Improved Features 499 StealthINTERCEPT v7.2 New & Improved Features 500 StealthINTERCEPT v7.1 New & Improved Features 501 StealthINTERCEPT v7.0 New & Improved Features 503 StealthINTERCEPT v6.1 New & Improved Features 505 StealthINTERCEPT v6.0 New & Improved Features 506 StealthINTERCEPT v5.2 New & Improved Features 508 StealthINTERCEPT v5.1 New & Improved Features 509 StealthINTERCEPT v5.0 New & Improved Features 511 StealthINTERCEPT v4.1 New & Improved Features 514 StealthINTERCEPT v4.0 New & Improved Features 516 StealthINTERCEPT v3.4 Service Pack 2 New & Improved Features 518 StealthINTERCEPT v3.4 Service Pack 1 New & Improved Features 521 StealthINTERCEPT v3.4 New & Improved Features 522 StealthINTERCEPT v3.3 Service Pack 2 New & Improved Features 523 StealthINTERCEPT v3.3 Service Pack 1 New & Improved Features 524 StealthINTERCEPT v3.3 New & Improved Features 524 StealthINTERCEPT v3.1 New & Improved Features 525 StealthINTERCEPT v3.0 New & Improved Features 525 StealthINTERCEPT v2.6 New & Improved Features 528 StealthINTERCEPT v2.5 New & Improved Features 528

Appendix: QIDmap Information for QRadar SIEM Integration 528

Appendix: StealthINTERCEPT Stored Procedures 535

Appendix: PowerShell API Integration 539

Load the SI PowerShell Module 541 Enable or Disable a Policy 542 Delete a Policy 542

Doc_ID 371 11

Add or Modify Policies 542 Export Policy to an XML File 542 Import Policy from an XML File 543 Get Collections 544 Remove a Collection 544 Add or Modify Collections 544 Export Collections to an XML File 544 Import Collections from an XML File 545 Enterprise Password Enforcer (EPE) APIs 546 Password Validation Test Against EPE Rules 546 Import Character Substitutions 547 Export Character Substitutions 547 Import Character Substitution Words 547 Export Character Substitution Words 548 Import Passwords Dictionary 548 Export Passwords Dictionary 548 Set the Pwned Database 549 StealthDEFEND Event Sink Tab 549 Set StealthDEFEND Configuration 549 Get StealthDEFEND Configuration 550 LDAP Deception for StealthDEFEND 550 Get LDAP Deception 550 Set LDAP Deception 550 Not an SI Policy XML Expert 551 Remote PowerShell Connection 551

Appendix: Default Custom Scripts 552

Default Visual Basic Script 552 Default C# Script 557 Default PowerShell 4.0 Script 563

Appendix: Action Template Custom Scripts 566

Doc_ID 371 12

Account Enablement 566 Password Never Expires 570 Lock and/or Unlock Account 574 Password Changes 577 Password Rejection 581

Doc_ID 371 13

Copyright 2021 STEALTHBITS TECHNOLOGIES, INC. ALL RIGHTS RESERVED StealthINTERCEPT® StealthINTERCEPT Admin Console Overview StealthINTERCEPT provides inspection, alerting, and policy enforcement, closing back doors and providing administrators and auditors detailed records of every change, access, and authentication activity. It is the ultimate security enhancement for those seeking to both protect sensitive assets and eliminate downtime from careless error.

StealthINTERCEPT protects business critical systems and sensitive data from threats such as Malware and Ransomware. When a suspicious pattern of activity is identified an appropriate alert is issued along with immediate remediation; the compromised user account is blocked from further authentications as well as being blocked from accessing files. Protect > Detect > Alert > Remediate.

Organizations looking to tighten their security and compliance posture, automate administration, reduce helpdesk traffic, and proactively prevent unauthorized changes can finally obtain the functionality they have needed for years but could never previously achieve due to limitations in native Windows® logging and security controls.

StealthINTERCEPT seamlessly integrates with SIEM, sending rich and context laden data in real- time, removing the need for native logs. By sending SIEM reliable and insightful data, an organization will realize the true potential of the investment while securing its business critical systems and data.

With a FIPS 104-2 compliant architecture, StealthINTERCEPT has been built specifically for the modern security landscape.

Understanding StealthINTERCEPT Components StealthINTERCEPT (SI) monitors events in real-time, gathers and processes event data, then outputs that data in usable ways. StealthINTERCEPT components allow users to create and configure policies to control what is monitored, where and when. Users can also create and control responses to event data via reports, alert notifications, analytic triggers, as well as take actions with scripts.

SI is comprised of the following:

l Software Components

l Analytics

l Policies & Policy Templates

l Database Components

Doc_ID 371 14

Software Components

StealthINTERCEPT consists of a number of components which work together to monitor and report on activity on a network:

l StealthINTERCEPT Enterprise Manager

l StealthINTERCEPT Win Console (SI Admin Console)

l StealthINTERCEPT Web Reports (SI Reporting Console)

l StealthINTERCEPT Agents deployed across the environment

StealthINTERCEPT Architecture

StealthINTERCEPT Enterprise Manager

The StealthINTERCEPT Enterprise Manager stores and maintains policies and policy templates, as well as receives and processes all captured events. Only one Enterprise Manager is needed for any environment.

StealthINTERCEPT Administration Console

The StealthINTERCEPT Administration Console is used to configure StealthINTERCEPT by creating and managing policies and their associated alerts and actions. It can be installed on more than one computer and executed by multiple users on a computer, but only one instance of the SI Admin Console can be open per user at a time. A notification message will appear across open consoles when configuration changes are made by another user.

StealthINTERCEPT Reporting Console

Doc_ID 371 15

The StealthINTERCEPT Reporting Console provides a way to view and to generate reports for the event data that is collected by agents and stored in the event database. Reports can be generated manually and/or scheduled to generate as needed. See the StealthINTERCEPT Reporting Console User Guide for additional information.

StealthINTERCEPT Agents

The StealthINTERCEPT Agents retrieve configuration data from the Enterprise Manager, monitor network activity, and report events to the Enterprise Manager. The events collected by an agent are those specified by the policies which are currently active in the system. There must be an agent deployed on every server being monitored. See the StealthINTERCEPT Agent Information section for information on where to deploy SI Agents and supported platforms. See the Agents Interface section for deployment procedures.

Analytics

StealthINTERCEPT’s Analytics engine identifies patterns based upon observed activities that may indicate a security incident is in process or being attempted. For example, the frequency of an event over a particular time period or a combination of events with one or more correlating attribute could indicate a security risk incident is in process. See the StealthINTERCEPT Analytics Guide section for additional information.

Policies & Policy Templates

In order for StealthINTERCEPT to monitor activity on a network, it must be configured to monitor the desired activity. Most of this configuration is done with StealthINTERCEPT Policies.

At a high level, a policy is a definition describing the types of event data to monitor. As events occur, if all the described filters are met, the event data is captured and sent through to the reporting database. Policies can also be defined to block events where all filters are met, and information about the attempted change is sent to the reporting database.

A StealthINTERCEPT Policy is a specification, configured in the SI Admin Console, for events that provide evidence of a high-level policy violation. For example, if there is an

Doc_ID 371 16

organizational policy stating only members of the Administrators group can create user accounts, then an SI Policy can be configured to detect when a user account is created by someone other than a member of the Administrators group.

Policies A StealthINTERCEPT Policy has many attributes which define the activities and objects it monitors, where on a network that policy applies, and when it is active. These policy attributes are organized into the following major policy components:

General

General components include the name and description of the policy, policy creation and modification information, policy schedule, whether or not the policy is sending alerts, and whether or not the policy is enabled.

The schedule controls when the policy is active. For example, if it is desired that certain activity be more closely monitored outside of regular business hours, then a policy can be created and scheduled to be active only outside of regular business hours.

Event Type

Event Type components indicate what kind of events are to be monitored or blocked by the policy. A single policy can contain multiple event types, including from different event sources. For example, a policy might monitor the creation of user accounts in Active Directory.

Each event type has an optional set of filters associated with it. The available filters vary depending on the event source.

Actions

Actions components are used to process and respond to events once they have been captured. A policy can include one or more actions (or event consumers). It can also have no actions, but this is not recommended. Actions are policy specific and cannot be shared between policies. However, they can be exported with a policy.

An SI Policy can also be associated with specific report templates, for use in the SI Reporting Console. See the Policy & Template Configuration section for additional information.

Doc_ID 371 17

Policy Templates A policy template is an inactive policy specification that can be used to create active policies. Policy templates contain one or more event types that match a set of related events.

Some settings in a policy template are necessarily generic. For example, the filters associated with the event types of a template may need to be refined to refer to a particular local domain, container, or group.

There are usually no actions associated with a policy template because these are typically customized for a particular installation, e.g. the name of a text file, the connection information for a local SMTP server, etc.

See the Policy Templates section for additional information.

Database Components

StealthINTERCEPT needs to store event data and configuration information for several components. The following SQL Server® databases are used to store this information:

l NVMonitorConfig database

l NVMonitorData database

NVMonitorConfig Database

This database contains configuration information for the StealthINTERCEPT product. The StealthINTERCEPT Enterprise Manager maintains and shares this information with the SI Agents, primarily policy configuration information. It is created during the installation process of the StealthINTERCEPT Enterprise Manager. See the Installation Process of the StealthINTERCEPT Installation & Upgrade User Guide for additional information.

NVMonitorData Database

This database contains the event activity data captured by SI policies. SI Agents capture these events, as defined by policies, and send them to the StealthINTERCEPT Enterprise Manager. The manager receives, processes, and stores the data in the events database. The SI Reporting Console reads event data and uses it to build reports. It is created during the

Doc_ID 371 18

installation process of the StealthINTERCEPT Enterprise Manager. See the Installation Process of the StealthINTERCEPT Installation & Upgrade User Guide for additional information.

StealthINTERCEPT Agent Information StealthINTERCEPT Agents perform real-time monitoring of the events occurring across supported systems and applications. The available modules to be installed during the SI Agents deployment are associated with the StealthINTERCEPT solutions:

l StealthINTERCEPT for Active Directory

l Monitoring and blocking Active Directory and Group Policy Objects (GPO), monitors and blocks Authentication

l Deploy SI Agents on all Domain Controllers with the Windows AD Events module

l For GPO monitoring and blocking, the SI Agent on all Domain Controllers must also have the Windows File System module

l StealthINTERCEPT for Enterprise Password Enforcement

l Blocking creation of passwords which do not meet requirements

l Deploy SI Agents on all Domain Controllers with the Windows AD Events module

l StealthINTERCEPT for Exchange

l Monitoring and blocking Exchange environments

l Deploy SI Agents on all HUB, CAS, and Mailbox Exchange Servers with the Exchange Server Monitoring module

l Must also deploy SI Agents on one Active Directory Domain Controller with the Windows AD Events module

l StealthINTERCEPT for File System

l Monitoring Windows and NAS file systems

l Blocking Windows file systems

l (For Windows file systems) Deploy SI Agents on Windows file servers with the Windows File System module

Doc_ID 371 19

l (For NAS file systems) Deploy SI Agents on the Windows server acting as a proxy server for NAS activity (where the Stealthbits Activity Monitor activity agent is deployed) with the Windows File System module

l StealthINTERCEPT for LDAP

l Monitoring LDAP searches and reporting on LDAP query execution times and number of objects returned

l Deploy SI Agents on all Domain Controllers with the Windows AD Events module

In order to perform centralized SI Agent maintenance from the SI Console server, WMI must be enabled on the machine where the SI Agent is installed. When executing any of these right-click commands (with the exception of Remove Server from list), the SI Admin Console uses WMI to remotely query the registry on the target agent machine(s) to understand where the SI Agent configuration files are located (install path).

Next, WMI is used to stop the StealthINTERCEPT Agent service, modify the configuration files, and restart the SI Agent. The Credentials used to execute these commands must have enough rights to query information about shares on the target machine. A local administrator account on the targeted machine should have access to the system shares. See the Agents Interface Right- Click Menu section for additional information.

Remember to check StealthINTERCEPT Infrastructure Server Requirements before deploying an SI Agent, including the SI Agent Compatibility with Non-Stealthbits Security Products list. Domain Controllers

This SI Agent tracks all events occurring in Active Directory in real-time. The SI Agent must be installed on all domain controllers within the domains to be monitored.

Supported Platforms for Microsoft® Active Directory®

l Windows Server 2019

l Windows Server 2016

l Windows Server 2012 R2

l Windows Server 2012

Stealthbits Activity Monitor Integration

Both the Stealthbits Activity Monitor and StealthINTERCEPT (SI) can monitor the same Domain Controller. Deploy agents from both products to the server. The Activity Monitor identifies the Windows host as being “Managed by StealthINTERCEPT” on the Monitored

Doc_ID 371 20

Hosts tab when it detects an SI Agent on the server. That host configuration cannot be modified within the Activity Monitor Console. StealthINTERCEPT policies control the configuration for that monitored host. However, the Activity Monitor can be configured to provide multiple outputs for a host, e.g. for StealthAUDIT, StealthDEFEND, or SIEM products. Add a new output for the same host to the Monitored Host tab in the Activity Monitor Console to be used by the other product. See the Active Directory Configuration Guide for additional information.

Exchange Servers

This SI Agent tracks all Owner and Non-Owner information on Exchange Servers in real- time. The SI Agent must be installed on all Exchange Servers running the Information Store service within the domains to be monitored.

To gather Exchange event data that is stored in Active Directory, the SI Agent must also be installed on all domain controllers within the domains to be monitored.

If only gathering Exchange event data for mailbox permission changes and mailbox logins, then the SI Agent must also be installed on one domain controller, which can be read only.

Supported Platforms for Microsoft® Exchange®

l Exchange Server 2019 (Up through Cumulative Update 9, through .NET Framework 4.8)

l SI Agents v7.2.0.239+ (Up through Cumulative Update 9)

l SI Agents v7.1.0.410+ (Up through Cumulative Update 9)

l Exchange Server 2016 (Up through Cumulative Update 20, through .NET Framework 4.8, except 4.7.0)

l SI Agents v7.2.0.239+ (Up through Cumulative Update 20)

l SI Agents v7.1.0.410+ (Up through Cumulative Update 20)

l Exchange Server 2013 (Up through Cumulative Update 23, through .NET Framework 4.8, except 4.7.0)

l SI Agents v7.2.0 (Up through Cumulative Update 23)

l SI Agents v7.1.0 (Up through Cumulative Update 23)

l Exchange Server 2010 (Up through Service Pack 3 Roll Up 27, through .NET Framework 4.5)

Doc_ID 371 21

l SI Agents v7.2.0 (Up through Roll Up 27)

l SI Agents v7.1.0 (Up through Roll Up 27)

The Exchange Server Monitoring module option is not enabled for an SI Agent if newer updates are detected, and a corresponding message displays in the SI Agent log file and the Agents interface.

Windows File Servers

This SI Agent monitors all events occurring in File System in real-time. The SI Agent must be installed on all Windows Files Servers within the domains to be monitored.

Supported Platforms for Stealthbits Activity Monitor Agent & SI Agent Deployment

l Windows Server 2019

l Windows Server 2016

l Windows Server 2012 R2

l Windows Server 2012

Stealthbits Activity Monitor Integration

Both the Stealthbits Activity Monitor and StealthINTERCEPT (SI) can monitor the same Windows server. Deploy agents from both products to the server. The Stealthbits Activity Monitor Console identifies the Windows host as being “Managed by StealthINTERCEPT” on the Monitored Hosts tab when it detects an SI Agent on the server. That host configuration cannot be modified within the Stealthbits Activity Monitor Console. StealthINTERCEPT polices control the configuration for that monitored host. However, the Stealthbits Activity Monitor can be configured to provide multiple outputs for a host, e.g. for StealthAUDIT, StealthDEFEND, or SIEM products. Add a new output for the same host to the Monitored Host tab in the Stealthbits Activity Monitor Console to be used by the other product. See the Windows File System Server Configuration Guide for additional information.

NAS Device & Proxy Servers for NAS File Activity Monitoring

Doc_ID 371 22

For Network-Attached Storage (NAS) device support, no SI Agents are deployed on the NAS device. Instead, StealthINTERCEPT employs the Stealthbits Activity Monitor, which deploys its own activity agents to Windows servers acting as proxy servers for NAS activity monitoring. The SI Agent must be installed on the Windows server where the Stealthbits Activity Monitor’s activity agent resides. See the Stealthbits Activity Monitor Installation & Console User Guide for additional information.

The Stealthbits Activity Monitor activity agent configuration dictates what file system activity is being monitored. The activity agent writes activity log files on the proxy server. The SI Agent monitors the activity log files as the data is written and sends events to the StealthINTERCEPT event database according to the enabled policy configuration.

Supported Platforms for Stealthbits Activity Monitor Agent & SI Agent Deployment

l Windows Server 2019

l Windows Server 2016

l Windows Server 2012 R2

l Windows Server 2012

Supported NAS Devices to Monitor

l NetApp® Data ONTAP®:

l 7-Mode 7.3+

l Cluster-Mode 8.2+

l EMC® Celerra® 6.0+

l EMC® VNX®:

l VNX 7.1

l VNX 8.1

l Dell EMC Unity™

l EMC® Isilon® 7.0+

l Hitachi® 11.2+

l Nasuni® 8.0+

l Panzura® 8.1

Doc_ID 371 23

See the following configuration guides for additional information on configuration and integration between StealthINTERCEPT and the Stealthbits Activity Monitor:

l EMC Celerra or VNX Device Configuration Guide

l Dell EMC Unity Device Configuration Guide

l EMC Isilon Device Configuration Guide

l Hitachi Device Configuration Guide

l Nasuni Edge Appliance Configuration Guide

l NetApp Data ONTAP7-Mode Device Configuration Guide

l NetApp Data ONTAP Cluster-Mode Device Configuration Guide

l Panzura Device Configuration Guide

Solution Overview StealthINTERCEPT has the following pre-defined solutions available for protecting different aspects of the IT environment. The solutions and associated Licensed Modules are:

l StealthINTERCEPT for Active Directory

l Active Directory Changes

l Includes AD Replication Monitoring

l Includes Authentication Monitoring

l Includes Effective Group Membership

l Includes LSASS Guardian –Monitor

l Active Directory Lockdown

l Includes AD Replication Lockdown

l Includes Authentication Lockdown

l Includes LSASS Guardian – Protect

l Active Directory Read Monitoring

Doc_ID 371 24

l GPO Lockdown

l GPO Setting Changes

l StealthINTERCEPT for Enterprise Password Enforcement

l Password Enforcement

l StealthINTERCEPT for Exchange

l Exchange Events

l Exchange Lockdown

l StealthINTERCEPT for File System

l File System

l Includes both Monitoring & Lockdown for Windows file system

l Includes Monitoring for supported NAS devices

l Includes Monitoring file system for integration with StealthAUDIT

l FSMO Role Monitoring

l StealthINTERCEPT for LDAP

l LDAP Monitoring

l Includes both Monitoring & Lockdown for LDAP Event Policies

l Includes LDAP Operations Center Policies

l Includes Monitoring file system for integration with StealthAUDIT

From within the SI Admin Console, the only difference between solutions is in the Policy Templates and Policy Event Types available for use.

StealthINTERCEPT for Active Directory StealthINTERCEPT for Active Directory is a real-time change monitoring and security threat detection solution, designed to detect, protect, mitigate, and generate security intelligence without any reliance on native logging. From individual objects and attributes to Group Policies, StealthINTERCEPT for Active Directory not only produces a complete audit trail of all change and access activities, but adds an additional security layer on top of native controls to proactively block undesired changes and guard against malicious attempts to comprise directory services. Through real-time analysis of all AD authentication traffic, StealthINTERCEPT also detects

Doc_ID 371 25

patterns of activity indicative of account compromise or impending breach, empowering security professionals with the information they need to protect their systems, data, and organization’s reputation.

Some of the important events StealthINTERCEPT captures are:

l Changes

l Account Lockouts

l Password Resets

l Comprised and weak password use

l Group Policy Object (GPO) Modifications

l Object Moves/Adds/Deletes

l Permission Modifications

l Groups Membership

l DNS Changes

l LSASS Modifications

l AD Replication

l Replication impersonations

l Active Directory Read Monitoring

l Authentication (Kerberos & NTLM)

l Authentication-based Attacks (e.g. Horizontal/Lateral Movement, Brute Force Attacks, User Account Hacking, Breached Passwords, Golden Tickets, and more)

l Privileged Account Authentications

StealthINTERCEPT for Enterprise Password Enforcement Attackers often use dictionaries of previously breached passwords or knowledge of well-known passwords to compromise accounts. To mitigate this risk and the likelihood of generic or known passwords used within organizations, StealthINTERCEPT Enterprise Password Enforcer proactively prevents their usage when passwords are set – regardless of whether or not they meet complexity requirements – further enforcing password hygiene and reducing the opportunity for attackers to crack or guess passwords in automated or manual fashions.

Doc_ID 371 26

With StealthINTERCEPT v7.0+, the optional EPE User Feedback Module is packaged with the zip file for StealthINTERCEPT installation. It provides end user feedback at the Windows login screen for why their pending password change was rejected. The module lists the failed complexity requirements set up in the Password Rules policy. The user can use this information to create a new password that passes the complexity requirements of the organization.

This module does not change the behavior of EPE. It provides additional user feedback when deployed to end user computers. The method of deployment is up to the user. Logon scripts are a suggested way to deploy this zero configuration msi. Prior to deploying the EPE User Feedback Module, the user must select the Enable EPE User Feedback Module integration checkbox in the EPE Settings Window.

See the EPE User Feedback Module section of the StealthINTERCEPT Installation & Upgrade User Guide for additional information.

StealthINTERCEPT for Exchange StealthINTERCEPT for Exchange provides increased security, regulatory compliance fulfillment, reduced risk of downtime through careless error, and peace of mind by significantly enhancing Microsoft® Exchange native security.

StealthINTERCEPT for Exchange owners reduce outage risk caused by bad configuration changes and achieve compliance through enhanced security and detailed auditing. For business owners, enhanced mailbox security capabilities ensure their most sensitive mailboxes are protected against rogue administrator or compromised account access. StealthINTERCEPT for Exchange is simply the ultimate security enhancement for Microsoft Exchange.

Understand who accessed a mailbox and what occurred once in the mailbox. Was a sensitive email read, modified, deleted, or forwarded? All are critical to achieving a compliant Exchange infrastructure.

Some of the important events StealthINTERCEPT captures are:

l Non-Owner Mailbox Access Events

l Access rights Changes

l Mailbox

l Folder

l Manipulated Attachments

Doc_ID 371 27

l Message Item Level Auditing:

l Creation

l Deletion

l Modification

l Read

l Send/Forward

l Open

StealthINTERCEPT for File System StealthINTERCEPT for File System provides organizations with real-time visibility into and control over changes and access activities occurring within Windows file systems. It also provides real- time visibility into file access and change activities occurring on their NAS devices. StealthINTERCEPT authoritatively records a complete audit trail of events for security, compliance, and forensic investigation, and alerts on critical activities in real-time without reliance on native logging facilities or impacting system performance. StealthINTERCEPT also optionally blocks changes and access events from occurring at the share, folder, or file level of Windows file systems, enabling complete control over critical data regardless of natively supplied access rights.

Some of the important events StealthINTERCEPT captures within a Windows file system are:

l File Access Events (Reads, Moves, Copies, Deletes)

l Permission Changes

l Attribute Changes

l Audit Changes

l Owner Changes

l FSMO Role Changes

Some of the important events StealthINTERCEPT captures within a NAS file system are:

l File Access Events (Create, Copy, Delete, Rename, Read, Update)

l Permission Changes

NOTE: For NAS monitoring, StealthINTERCEPT employs the Stealthbits Activity Monitor. See the Stealthbits File Activity Monitor User Guide for additional information.

Doc_ID 371 28

StealthINTERCEPT for LDAP StealthINTERCEPT for LDAP provides real-time monitoring of Active Directory LDAP queries without any reliance on native logging. From individual objects to specific query requests or results, StealthINTERCEPT for LDAP produces a complete audit trail of specific queries executed against Active Directory that could indicate potential security issues or operational inefficiencies.

Getting Started with StealthINTERCEPT Once StealthINTERCEPT is installed, the following workflow quickly enables users to begin monitoring an organization’s environment.

First Launch

The first time StealthINTERCEPT is launched after installation, the first SI user (by default an SI Administrator) is given a license key warning and then asked two questions:

The license key warning provides the SI Administrator with easy access to the machine ID which is needed by the Stealthbits Representative in order to provide the organization’s license key.

This warning always displays when the organization’s license is within 14 days of expiring.

Doc_ID 371 29

l Import Templates?

l Templates Interface are pre-configured for the most common monitoring policy types. These provide SI users with a quick resource for configuring a policy.

l If this option is selected, it takes a few moments to import the templates into the SI Admin Console. Once complete, the templates are available to all SI users.

l If this option is declined, the Import Templates window appears asking, “Do you want to be prompted again next time this application loads?”

The policy templates can always be Import SI Pre-Created Policy Templates at a later time.

l Install SI Agents?

l SI Agents are responsible for monitoring the events as configured in policies. It is necessary for SI Agents to be deployed on all of the servers where these events occur. The SI Agent deployment is enacted and managed through the SI Admin Console.

l If this option is selected, this option opens the Agents Interface.

l If this option is declined, navigate to the Agents Interface to manage and deploy SI Agents.

Initial Configuration

There are three components of StealthINTERCEPT configuration which need to occur during the first launch. In addition to deploying SI Agents, the first SI user is responsible for:

Doc_ID 371 30

l Configuring Additional SI Users

l From the point of first launch, the user responsible for installation is the only user who can access the SI Admin Console and the SI Reporting Console. Additional users must be added and assigned roles which impacts what they have access to. This can only be done by an SI Administrator. Navigate to the Users and Roles Window to configure SI users.

l Configure Alerts

l (Optional) However, Email and SIEM alerts require configuration before they can be enabled. This can only be done by an SI Administrator. This can only be done by an SI Administrator. Navigate to the SI System Alerting Window to enable these alerts and to select SI System Alert Notifications.

l Configure Collections

l (Optional) Collections are reusable lists of stored policy filter settings. However, if the plan is to use policy templates to create new policies, Collections need to be configured. Several of the templates are configured using collections as a policy filter. If the Collection is empty, then the policy does not monitor what it was designed to monitor. This can only be done by an SI Administrator. Navigate to the Collection Manager Window to configure Collections.

Create, Configure, & Enable Policies

Now that SI Agents are deployed and the initial configuration of StealthINTERCEPT is complete, it is time to create, configure, and enable policies to begin monitoring the organization’s environment. Either use a Policy Templates to create a policy or create a new Policy & Template Configuration. When the policy configuration is enabled and saved, the SI Agents are automatically sent the necessary information to begin monitoring.

CAUTION: Use extreme caution when enabling lockdown policies to ensure no unintended events get blocked.

RECOMMENDED: Start with monitoring the environment before choosing to lockdown policies. For example:

First configure a monitoring policy for the events to be blocked. Watch the captured events to ensure the filters are returning the expected events. Once assured the filters are monitoring the desired events, create the lockdown policy to block those events.

View Event Result Data

StealthINTERCEPT provides three interfaces for viewing result data.

Doc_ID 371 31

RECOMMENDED: After configuring a new policy, navigate to either the Recent Events Tab in the policy's configuration or to the Investigate Interface to confirm the events being monitored are intended. Navigate to the preferred location, and Refresh the data to view recent events being monitored.

Finally, launch the SI Reporting Console to generate reports. See the StealthINTERCEPT Reporting Console User Guide for additional information.

Doc_ID 371 32

Copyright 2021 STEALTHBITS TECHNOLOGIES, INC. ALL RIGHTS RESERVED StealthINTERCEPT® Navigation & Configuration of the SI Admin Console The StealthINTERCEPT (SI) Administration Console is used to create and configure policies and policy templates, configure analytics, deploy and manage SI Agents, import and export SI policies and policy templates, and configure alerts. Policies control the real-time event monitoring/blocking of files and directories, users, groups, Active Directory objects, and Microsoft Exchange objects. These policies enable SI to detect and report changes as well as send notification when changes occur.

This chapter provides an introduction to the primary components of the SI Admin Console, and it explains the console configuration options.

The SI Admin Console is comprised of the following components:

l Menu

l Policy Center

l LDAP Operations Center

l Status Bar

There are also right-click commands available within different sections of the Policy Center.

Doc_ID 371 33

See the LDAP Operations Center section for information the LDAP Operations Center.

If at any time, the SI Admin Console user interface or windows do not display completely, see the Troubleshooting within the SI Admin Console section for information. Icon Key

Icon Represents

Add

Remove

Agents Node

Alerts Node

Investigates Node**

Filtered Investigates View

Analytics Node**

Analytic Policy/Investigate Report

Doc_ID 371 34

Icon Represents

Policies Node/Policy**

Templates Node/Template**

Folder (Policies/Templates)

Refresh

Clear

Export Data

Save

Reset Filters

Configure

*See the individual sections for information on other icons.

**Double-click with the left mouse button to expand and collapse content

Doc_ID 371 35

The Menu contains the following selections:

Menu Item Option Description

File New Create new policies (Ctrl+P), new templates (Ctrl+T), or new folders (Ctrl+F) in the selected location of the Policy Center

Rename Opens a textbox to rename the selected policy, template, or folder in the Policy Center

Remove Remove the selected policy, template, or folder from the Policy Center

Exit Exit the SI Admin Console

Tools Export … Export (Alt+X) all collections and event consumers/alerts to an XML file through the Export Policies and Templates Window

Import … Import (Alt+I) policies/templates, collections, and event consumers/alerts from an exported file through the Import Window

Configuration Alerts Configure and manage all email,

Doc_ID 371 36

Menu Item Option Description

event log, and SEIM alerts in the SI System Alerting Window

Users A security feature for configuring access to the SI Admin Console and the SI Reporting Console. SI users are added and assigned rights through the Users and Roles Window.

Database > Server Manage the events database in the Event Database Configuration Window

Database > Maintenance Database maintenance can be used to automatically groom the database to optimize performance by archiving and/or deleting data aged beyond a specified threshold. This can be configured to run by Event Type, Analytic, or Policy. It is configured in the Database Maintenance Window.

Database > Partitioning Partition the SI data within the Microsoft SQL Server database to greatly improve performance on queries in the Database Partitioning Window

Collections Manage all Microsoft Collections in the Collection Manager Window

Event Filtering Filters Active Directory events to remove “noise” from collected event data and/or exclude logins from

Doc_ID 371 37

Menu Item Option Description

machine accounts. Both settings are ON by default. It also allows authentication events from selected hosts or from selected accounts to be excluded, which require configuration before being enabled. A latency threshold can be set to generate alerts when the delivery of AD Events are delayed beyond the threshold. These options are configured in the Event Filtering Configuration Window.

StealthDEFEND Event Enables the integration between Sink StealthINTERCEPT and StealthDEFEND in a global setting. The StealthDEFEND URI is set in the StealthDEFEND Configuration Windows. Choose policies through the Policy checkboxes in this window or the Actions tab of each policy for sending event data to StealthDEFEND. Honey Tokens

File Monitor Settings Manages the log retention, inherited permissions filtering, disables office file filtering, and the ability to exclude AD accounts and processes for StealthINTERCEPT file monitoring and blocking policies in a global setting. These options are set in the File Monitor Settings Windows.

EPE Settings Window Manages the Have I Been Pwned

Doc_ID 371 38

Menu Item Option Description

password hash database configuration and update options as well as global Password Rules filter configurations. These options are configured in the EPE Settings Window.

Help Administration Console Open the internal help Help documentation

License Manager Opens the StealthINTERCEPT License Manager window where Customer, License, and Licensed Modules are displayed

About StealthINTERCEPT Opens the StealthINTERCEPT Administration Console Administration Console window where the SI version, copyright, and the Stealthbits website link are displayed

Status Bar

The Status Bar is located in the lower-left corner of the SI Admin Console.

It displays the Current User account logged into StealthINTERCEPT.

Menu Windows

Doc_ID 371 39

Collection Manager Window The Collection Manager window is for managing all Microsoft Collections. This window is opened through the Menu’s Configuration > Collections option.

This window is only available to SI Administrators.

Collections are reusable lists of stored policy configuration filter settings which help streamline the task of associating filters with event types on the Event Type Tab during Policy & Template Configuration. They are configured globally and can be used in multiple policies in place of or in conjunction with individual filters. When a collection is modified, the modifications affect all policies referencing the collection. At least one SI Agent must be deployed to populate Collections.

The collections are organized into the following categories for Microsoft Collections:

l Domains & Servers – Any domain or server (by name)

l Contexts – Any context (e.g. Containers and Organizational Units) within Active Directory

l Objects – Any Active Directory object

l Exchange Objects – Any user accounts or distribution lists which are mail-enabled

l Lockdown Objects – Any Active Directory object, used for lockdown purposes

Doc_ID 371 40

l Exchange Trustees – Any account which has been given permission to another account’s mailbox or folder

l Perpetrators – Any security principal which is making a change, used for monitoring purposes

l Lockdown Perpetrators – Any security principal which is making a change, used for lockdown purposes

l Exchange Perpetrators – Any security principal which is making a change in an Exchange environment, used for both monitoring and lockdown purposes

l Classes – Any class within Active Directory

l Attributes – Any attribute within Active Directory

l IP Addresses – Any client address

l Hosts – Any computer (by NetBIOS, DNS, and IP Address)

l File Paths – List of file paths for Windows file systems to be used with multiple agents

Select a collection category and click Manage… in the lower-left corner to open the List of Collections window.

Preconfigured Collections StealthINTERCEPT has the following pre-configured Collections:

Collection Type Name

Domains and Servers SBServers

Objects Administrator Accounts

Objects Administrator Groups

Objects Sensitive Groups

Objects Service Accounts

Perpetrators Administrative Accounts

Perpetrators Domain Administrators

Doc_ID 371 41

Collection Type Name

Perpetrators Failed Authentications

Perpetrators Service Accounts

Perpetrators Successful Authentications

Perpetrators Successful HIPPAA PHI Account Authentications

Perpetrators System Accounts

Lockdown Perpetrators Allow Perpetrators

Lockdown Perpetrators Critical GPO - Allow Perpetrators

Lockdown Perpetrators DNS Records - Allow Perpetrators

Lockdown Perpetrators GPOs - Allow Perpetrators

Lockdown Perpetrators Group Lockdown - Allow Perpetrators

Lockdown Perpetrators Group User OU Object Delete and Move - Allow Perpetrators

Lockdown Perpetrators Object Permissions - Allow Perpetrators

Lockdown Perpetrators OU Structure - Allow Perpetrators

Lockdown Perpetrators Root Object - Allow Perpetrators

Doc_ID 371 42

Collection Type Name

Lockdown Perpetrators User Lockdown - Allow Perpetrators

Classes Exclude Classes

Attributes Exclude Attributes

Attributes Exclude User Attributes

Attributes Property Set: DNS-Host- Name-Attributes

Attributes Property Set: Domain- Other-Parameters

Attributes Property Set: Domain- Password

Attributes Property Set: General- Information

Attributes Property Set: Membership

Attributes Property Set: Personal- Information

Attributes Property Set: Private- Information

Attributes Property Set: Public- Information

Attributes Property Set: RAS- Information

Attributes Property Set: Terminal-

Doc_ID 371 43

Collection Type Name

Server-License-Server

Attributes Property Set: User- Account-Restrictions

Attributes Property Set: User-Login

Attributes Property Set: Web- Information

Hosts Domain Controllers

Hosts Exchanges Servers

File Paths Folders with Sensitive Data

File Paths Open Shares

List of Collections Window The List of Collections window is where selected collections can be created or edited. This window is opened through the List of Collections Window Manage... button.

Doc_ID 371 44

At the top of the window, the Collection Category are identified. Each item in the list displays:

l Name – Name of the collection

l Item Count – Number of items in the collection

l Dependency Count – Number of policies or policy templates referencing the collection

At the bottom of the windows are buttons for Add…, Edit…, Remove, and Dependencies… that can be used to modify the collection. Add New Collection Window

Clicking Add... on the List of Collections window opens the Add New Collections window.

Doc_ID 371 45

Provide a unique, descriptive Name for the collection. Then optionally provide a detailed Description. The Created By, Created On, Modified By, and Modified On textboxes are automatically edited by StealthINTERCEPT when collections are created or changed. Use the Add (+) button to search for Items that match the selected Collection Category.

Doc_ID 371 46

Example Select… Window

The Select… window opens. Select the desired Agent from the drop-down menu and click Connect. Expand the domain tree in the Navigation pane. Select an item in the Results pane on the right and click OK. See the Event Filters Overview section for specific information on each browser window.

Use the Remove (x) button to remove Items from the list on the Add New Collections window.

Some collection can be configured to be dynamic collections. See the List of Collections Window section for additional information. The Perpetrators and Lockdown Perpetrators collections also have the option to expand group membership. See the Expand Group Option for Perpetrators & Objects Collection section for additional information.

When the configuration is set as desired, click OK to save the collection.

Edit Collection Window

Clicking Edit... on the List of Collections Window opens the Edit Collections window.

Doc_ID 371 47

The Name, Description, and Items can be modified through this window. See the Add New Collection Window section for additional information on these settings. The Created By, Created On, Modified By, and Modified On textboxes are automatically edited by StealthINTERCEPT when collections are created or changed.

Use the Add (+) button to search for Items that match the selected Collection Category. The Select… window opens with available items to choose from.

Use the Remove (x) button to remove Items from the list.

When the configuration is set as desired, click OK to save the information.

Remove Collection

To delete a collection, select it from the list and click Remove on the List of Collections Window.

Doc_ID 371 48

A collection cannot be deleted if it is assigned to an active policy, as indicated in the Collection Dependencies Window Count column. A collection would need to be removed from all policies it has been assigned to before it can be removed.

Doc_ID 371 49

Confirm the decision by clicking Yes on the Confirm Removal window. The selected collection is now removed from the list.

Collection Dependencies Window

Clicking Dependencies... on the List of Collections Window opens the Collection Dependencies window for the selected collection.

This window displays a list of all policies the selected collection is assigned to.

Doc_ID 371 50

Expand Group Option for Perpetrators & Objects Collection

The Expand Groups options in the lower-center portion of the Add New Collections window is only available for the following collections:

l Perpetrators

l Lockdown Perpetrators

l Objects

l Lockdown Objects

Perpetrators

If checked, the groups and nested-groups are expanded out to monitor effective group membership at the user level. This means the SI Agent monitors/blocks based on the user’s token instead of the group’s token. The impact specifically for Lockdown Perpetrators collections is that this option allows for the immediate blocking of a currently logged in user who has had a group membership change while logged in.

Objects

If checked, when a group object is added, then the groups and nested-groups are expanded out to monitor effective group membership at the user level. This means the SI Agent monitors/blocks based on the user’s token instead of the group’s token. The impact specifically for Lockdown Objects collections is that this option allows for the immediate blocking of a currently logged in user who has had a group membership change while logged in.

The Expanded Groups option does NOT apply to other object types.

There is a maximum cap of 1000 users/objects which can be expanded. If the total number of users or objects of the all groups added to a single collection exceeds 1000 users/objects, then the SI Agent defaults to monitoring/blocking based on the groups’ tokens.

Doc_ID 371 51

If group membership cannot be resolved, then the SI Agent defaults to monitoring/blocking based on the groups’ tokens.

Dynamic Collections There are options in the upper-left corner of the Add New Collections window which are only enabled for the following collection categories:

l Domains & Servers – Dynamic Domains & Servers Collection Table Requirements

l Objects – Dynamic Objects Collection Table Requirements

l Perpetrators and Lockdown Perpetrators – Dynamic Perpetrators Collections Table Requirements

l IP Addresses – Dynamic IP Addresses Collection Table Requirements

l Hosts – Dynamic Hosts Collection Table Requirements

l File Paths – Dynamic File Paths Collection Table Requirements

The I will provide a list radio button enables the default setting for a static collection:

l I will provide a list option – When selected, follow the general directions to manually Dynamic Collections.

The I want a list to come from the database table radio button enables a dynamic collection:

Doc_ID 371 52

l I want a list to come from database table – When selected, enter the table name in the textbox which appears or select it from the drop-down menu.

The dynamic collection tables can be populated manually or with a third-party product as long as they meet the table requirements for the intended collection category. See the intended collection category table requirement sections for additional information.

Any SI policy which has been assigned a dynamic collection uses the current table’s data for the policy filter, resulting in a dynamic policy.

Any changes to the selected table’s data are recognized by an active policy when the SI Agent communicates with the StealthINTERCEPT Enterprise Manager. This may result in a delay of no more than five minutes between a change in the table and the SI Agent refresh. Dynamic Domains & Servers Collection Table Requirements

When using a dynamic Domains & Servers collection, the table to be referenced must meet the following requirements:

l Table Location – Must be in the NVMonitorConfig database

l Table Naming Convention – Must have a prefix of ‘dc_domain_server_’

l StealthINTERCEPT creates an empty table with the required prefix and schema if the [Table name] entered does not exist in the NVMonitorConfig database

l Table – Must have the following column:

Column Name Column Type Column Description

DomainServerName NVARCHAR Name of the domain or server. Cannot (1024) be null.

Example table entry for domain:

ExampleDomain

Example table entry for server:

ExampleServer

Doc_ID 371 53

Dynamic Objects Collection Table Requirements

When using a dynamic Object collection, the table to be referenced must meet the following requirements:

l Table Location – Must be in the NVMonitorConfig database

l Table Naming Convention – Must have a prefix of ‘dc_ad_objects_’

l StealthINTERCEPT creates an empty table with the required prefix and schema if the [Table name] entered does not exist in the NVMonitorConfig database

l Table Schema – Must have the following column:

Column Name Column Type Column Description

AdObject NVARCHAR Distinguished name of the Active Directory (1024) object. Cannot be null.

Example table entry:

CN=User,DC=Domain,DC=Local

Dynamic Perpetrators Collections Table Requirements

When using a dynamic Perpetrators or Lockdown Perpetrators collection, the table to be referenced must meet the following requirements:

l Table Location – Must be in the NVMonitorConfig database

l Table Naming Convention – Must have a prefix of ‘dc_perpetrators_’

l StealthINTERCEPT creates an empty table with the required prefix and schema if the [Table name] entered does not exist in the NVMonitorConfig database

l Table Schema – Must have the following columns:

Column Name Column Type Column Description

AccountName NVARCHAR Distinguished name of the account. Cannot

Doc_ID 371 54

Column Name Column Type Column Description

(1024) be null.

AccountSid NVARCHAR (184) SDDL form of the account Security ID. Cannot be null.

AccountType INT Account type using the following values:

l 0 = none

l 1 = user

l 2 = group

l 3 = context

l 4 = orgRole

l 5 = sidtype

l 6 = other

l 7 = dynamic

l 8 = dynamic_group

Cannot be null.

IncludeSubtree INT Indicates if child containers should be used:

l 0 = Child containers NOT included

l 1 = Child containers included

Cannot be null.

Example table entry:

CN=User,DC=Domain,DC=Local | S-1-5-21-1004336348-1177238915-682003330-500 | 3 | 0

Dynamic IP Addresses Collection Table Requirements

Doc_ID 371 55

When using a dynamic IP Addresses collection, the table to be referenced must meet the following requirements:

l Table Location – Must be in the NVMonitorConfig database

l Table Naming Convention – Must have a prefix of 'dc_ip_addresses_'

l StealthINTERCEPT creates an empty table with the required prefix and schema if the [Table name] entered does not exist in the NVMonitorConfig database

l Table Schema – Must have the following column:

Column Name Column Type Column Description

IpAddress NVARCHAR Address of the host. Cannot be null. (1024)

Example table entry:

192.168.1.3

Dynamic Hosts Collection Table Requirements

When using a dynamic Hosts collection, the table to be referenced must meet the following requirements:

l Table Location – Must be in the NVMonitorConfig database

l Table Naming Convention – Must have a prefix of ‘dc_hosts_’

l StealthINTERCEPT creates an empty table with the required prefix and schema if the [Table name] entered does not exist in the NVMonitorConfig database

l Table Schema – Must have the following columns:

Column Name Column Type Column Description

NetbiosHostName NVARCHAR Name of the host (1024)

DnsHostName NVARCHAR Domain Name System (DNS) name of the

Doc_ID 371 56

Column Name Column Type Column Description

(1024) host

IpAddress NVARCHAR IP v4 Address of the host (1024)

IpV6Address NVARCHAR IP v6 Address of the host (1024)

**At least one column cannot be null.

Example table entry with all fields populated:

host | host.dc.com | 10.0.10.19 | fe80::4d72:80e9:72cf:425f%10

Example table entry which excludes IP v6 Address:

host | host.dc.com | 10.0.10.19 | [null]

Example table entry which excludes IP v4 Address:

host | host.dc.com | [null] | fe80::4d72:80e9:72cf:425f%10

Dynamic File Paths Collection Table Requirements

When using a dynamic File Paths collection, the table to be referenced must meet the following requirements:

l Table Location – Must be in the NVMonitorConfig database

l Table Naming Convention – Must have a prefix of 'dc_file_path_'

l StealthINTERCEPT creates an empty table with the required prefix and schema if the [Table name] entered does not exist in the NVMonitorConfig database

l Table Schema – Must have the following columns:

Doc_ID 371 57

Column Name Column Type Column Description

Path NVARCHAR File path to the desired folder. Cannot be (1024) null.

IncludeSubtree INT Indicates whether or not subfolders are processed:

l 0 = Not Included

l 1 = Included

TargetAgent NVARCHAR Agent which monitors the target server. (1024) Cannot be null.

Example table entry:

c:\Windows | 0 | ExampleFSserver

Two tables are created during the installation/upgrade process for the File Path collections:

l Folders with Sensitive Data Collection – dc_file_path_SensitiveDataFolders table

l Open Shares Collection – dc_file_path_OpenShares table

Database Maintenance Window The database maintenance feature is used to automatically groom the NVMonitorData database to optimize performance. It automatically deletes or archives data aged beyond a specified threshold. The threshold can be set per Event Type, per Analytics, and/or per Policy. While all three options can be enabled with different operations and retention periods, it is necessary to remember that the Event Type maintenance settings take precedence over Policy maintenance settings where the selected policy employs that event type.

Remember, it is necessary for either the SQL Server account supplied during the installation of StealthINTERCEPT or the Windows account configured to run the Enterprise Manager (for Windows Authentication to the SQL Server) to have enough rights to execute the Database

Doc_ID 371 58

Maintenance feature. See the Database Maintenance Permission details in the SQL Server Requirements for the StealthINTERCEPT Database section of the StealthINTERCEPT Installation & Upgrade User Guide for additional information.

See Appendix: StealthINTERCEPT Stored Procedures for additional information on stored procedures StealthINTERCEPT uses on its SQL Server databases.

The Database Maintenance window is opened through the Menu’s Configuration > Database > Maintenance option.

This window is only available to SI Administrators.

This feature is only available if the SQL Server Agent service is running on the SQL Server host. A warning message displays instead of the Database Maintenance window if this service is not running.

SQL Server Agent Stopped SQL Server Agent Running

To enable this feature, open the Start > Administrative Tools > Services interface and start the SQL Server Agent (MSSQLSERVER).

Doc_ID 371 59

When the SQL Server Agent service is running, the Database Maintenance window opens. At the top of the window is an information section which includes the following:

l Database Information:

l Server – SQL Server where database maintenance is performed

l Database – Name of the database

l Database size – Current size of the database

l Oldest data – Date of the oldest data within the database

l Job Information:

l Last run – Date timestamp when the last database maintenance job was executed

l Status – Status of the job

l Running Step – During job execution this field populates with the step being executed

l Elapsed Time – Overall elapsed time of job execution

The Refresh button in the upper-right corner refreshes this information section with current database and job information.

Doc_ID 371 60

On the Event Type, Analytics, and/or Policy tabs, chose to enable maintenance for all or some of the options. See the Configure Database Maintenance section for additional information. On the Schedule tab set the frequency and time when the database maintenance job runs. See the Schedule Database Maintenance section for additional information. If choosing to use the Move operation, then the information on the Archive DB tab must be configured. See the Archive Data section for additional information.

The user account logged into the SI Admin Console when scheduling the database maintenance needs to have access to the msdb database (in System Databases) and have the SQLAgentOperator role. When all of the prerequisites have been met and the database maintenance job has been scheduled, all enabled tasks at the time when the job runs are executed.

This scheduled job can be viewed through the Microsoft SQL Server Management Studio within the SQL Server Agent > Jobs folder (SiDbMainJob).

Doc_ID 371 61

RECOMMENDED: The SQL Server databases should be configured to use 'Simple Recovery Mode' in the SQL Server Requirements. This configuration has a direct impact on the size of the transaction log during database maintenance delete tasks. If Simple Recovery Mode is not configured on the databases, the transaction log may get quite large during delete tasks.

Archive Data Configure where the archived data is sent in order to use the Move operation. Follow the steps to configure archived data.

Step 1 – Navigate to the Archive DB tab of the Database Maintenance window.

Step 2 – Enter the following information:

l Server – SQL Server where the archive database is located

l Port – Instance port number, by default this is set to 0

l Database – Name of the archive database

l Authentication

l For Windows Authentication – Check the Use Windows Authentication box

l For SQL Authentication – Enter the User Name and Password credentials

Doc_ID 371 62

Remember, do not forget to Save the configurations before closing the Database Maintenance window.

To query archived event data, use the SI Admin Console Investigate interface. See the Investigate Interface section for additional information.

Configure Database Maintenance Database maintenance can be configured for all event types, analytics, and/or policies or only specified ones. It can be configured for any combination of event type data, analytic data, and policy data.

Remember, the Event Type maintenance settings take precedence over Policy maintenance settings where the selected policy employs that event type.

Navigate to the Event Type, Analytics, or Policy tab of the Database Maintenance window to configure database maintenance.

Event Type Tab

Doc_ID 371 63

Check the Enabled box at the top to set database maintenance by event type. The table contains the following information:

l Enable – Checked box indicates database maintenance is enabled for the event type

l Event Type – Data is grouped by the following event types:

l Active Directory – Configure maintenance for all event data collected by the Active Directory Changes, Active Directory Lockdown, Effective Group Membership, GPO Lockdown, and GPO Setting Changes Event Types

l Authentications – Configure maintenance for all event data collected by the Authentication and Authentication Lockdown Event Types. This does not apply to Analytics policy data

l Exchange – Configure maintenance for all event data collected by the Exchange Changes and Exchange Lockdown Event

l File System – Configure maintenance for all event data collected by the File System Changes, File System Lockdown, and File System StealthAUDIT Event Types

l LDAP – Configure maintenance for all event data collected by the LDAP Monitoring Event Type

l Operation – Indicates operation set for the event type: Move (for Archiving) or Delete

l Retention Period – Indicates age of data to be retained when the database maintenance job is executed for the event type

Analytics Tab

Doc_ID 371 64

Check the Enabled box at the top to set database maintenance by analytic. The table contains the following information:

l Enable – Checked box indicates database maintenance is enabled for the analytic

l Analytic Name – Name of each analytic

l Operation – Indicates operation set for the analytic: Move (for Archiving) or Delete

l Retention Period – Indicates age of data to be retained when the database maintenance job is executed for the analytic

l Incident Count – Indicates number of incidents recorded in the database for each analytic

l Event Count – Indicates number of events for the recorded incidents in the database for each analytic

Above the table is a cumulative count of:

l Total Incidents – Indicates number of incidents recorded in the database for all analytics

l Total Events – Indicates number of events for the recorded incidents in the database for all analytics

The rows in the table can be sorted alphanumerically by the Analytic Name, Incident Count, or Event Count column.

Doc_ID 371 65

Policy Tab

Check the Enabled box at the top to set database maintenance by policy. The table contains the following information:

l Enable – Checked box indicates database maintenance is enabled for the policy

l Policy – Name of each policy. Policies are listed in alphanumeric order, first live policies (whether or not they are enabled) and then the deleted policies are listed

l Operation – Indicates operation set for the policy: Move (for Archiving) or Delete

l Retention Period – Indicates age of data to be retained when the database maintenance job is executed for the policy

l Event Count – Indicates number of events for the recorded incidents in the database for each policy

Above the table is a cumulative count of:

l Total Events – Indicates number of events for the recorded incidents in the database for all policy

The rows in the table can be sorted alphanumerically by the Policy or Event Count column. Deleted policies are always listed after all other policies.

Doc_ID 371 66

Enable Database Maintenance Follow the steps to enable database maintenance and assign an operation and retention period.

Step 1 – Select the desired tab (Event Type, Analytics, or Policy) and check the Enabled box in the upper-left corner.

Step 2 – Select the desired maintenance task (Event Type, Analytic, or Policy). To set the same operation and retention period for multiple tasks, and use the (ctrl-left click) command.

Step 3 – At the bottom select either Move or Delete from the Operation drop-down menu.

l The Move operation requires the Archive DB tab to be configured. See the Enable Database Maintenance section for additional information.

Step 4 – Set the Retention Period value and unit (Day, Week, or Month). This value indicates the age of the data to be kept when the database maintenance job is run. Older data is deleted or moved/archived as indicated by the selected Operation. Then click Set.

Step 5 – Check the Enable box to indicate which tasks are included in the next database maintenance job. Only those event types, analytics, and/or policies with the corresponding Enabled checkbox selected are included in the job execution.

Step 6 – Save the configurations before close the Database Maintenance window.

Doc_ID 371 67

The configured maintenance schedule displays in the Operation and Retention Period columns of the table.

In the example, the File System Event Type data older than 2 Weeks is deleted when the database maintenance job runs, but the Exchange Event Type data remains untouched, though it is configured to archive data older than 1 Month when enabled.

Disabling a previously enabled database maintenance task does not remove the configured settings, only prevent that task from being executed during the next running of the database maintenance job.

Schedule Database Maintenance The database maintenance job must be scheduled, which runs the specified Operation on each of the enabled event type data, analytic data, and/or policy data older than the specified Retention Period. This job can be run once now; it can be scheduled to run once at a later time; or it can be scheduled to run on a regular rotation.

The user account logged into the SI Admin Console when scheduling the database maintenance needs to have access to the msdb database (in System Databases) and have the SQLAgentOperator role.

Follow the steps to configure a Schedule.

Doc_ID 371 68

Step 1 – Check the Enabled box.

Step 2 – Select the Frequency:

l One Time: Run now – Runs the database maintenance job once when the configurations on the Database Maintenance window are saved

l One Time: Run later – Runs the database maintenance job once according to the Start Date and Start Time set

l Daily – Runs the database maintenance job once a day according to the Start Date and Start Time set

l Weekly – Runs the database maintenance job once a week according to the Day Of Week, Start Date, and Start Time set

l Monthly – Runs the database maintenance job once a month according to the Day of Month, Start Date, and Start Time set

Step 3 – Set the When for the selected Frequency.

l Start Date

l Start Time

l Day of Week (if applicable)

l Day of Month (if applicable)

Step 4 – Save the configurations before close the Database Maintenance window.

The Database Maintenance Job is now scheduled to run at the configured time and day.

Database Partitioning Window The database partitioning feature partitions the SI data, providing greatly improved performance on queries, especially beneficial to SI Reporting. It requires a Microsoft SQL Server Enterprise Edition. To take advantage of this feature, the prerequisites explained here must be met. Then run the Database Partitioning action once. The database will then be automatically partitioned according to the configuration parameters.

This window is only available to SI Administrators.

Follow the steps to partition a database.

Step 1 – Open the Database Partitioning window through the Menu’s Configuration >Database > Partitioning option. The Database Partitioning window opens.

Doc_ID 371 69

There are three prerequisites needed to enable database partitioning:

l SQL Server/Version Supported

l DBO Credentials

l Tables ready for partitioning

Doc_ID 371 70

Step 2 – Click the Verify Prerequisites link to have StealthINTERCEPT verify the requirements. Symbols display next to each item in the window indicating if partitioning is supported. A green checkmark indicates the prerequisite has been met. A warning symbol indicates it has not been met.

Step 3 – Select the DBO Credentials link to open the Database Connection Properties window.

The database was created while installing the SI Enterprise Manager Package. See the StealthINTERCEPT Infrastructure Installation section of the StealthINTERCEPT Installation & Upgrade User Guide for additional information. The information grayed-out at the top displays the database location.

l If using Windows Authentication to modify the database for partitioning, check the box. This applies the credentials used to log into the SI Admin Console server.

Doc_ID 371 71

l If using SQL Authentication, provide the user name and password to be used. The credentials assigned must have rights to make SQL create and update the database schema and read/write to the database.

Step 4 – Once the prerequisites have been confirmed, click Enable Partitioning. This begins the Database Partitioning action that prepares the database for partitioning. The Warning: You are about to enable partitioning window displays.

CAUTION: The Database Partitioning action cannot be disabled, so a warning message confirms the decision to enable partitioning. Click Yes. The interface closes and the Database Partitioning action is executed.

Doc_ID 371 72

Opening the Database Partitioning window after partitioning is enabled displays a grayed-out window with the message Partitioning is already enabled superimposed over the window.

Doc_ID 371 73

Step 5 – Navigate to the Databases > NVMonitorData > Tables folder within Microsoft SQL Server Management Studio.

Step 6 – Select the dbo.AttributeValue table and open the Table Properties window. It displays Partitions not compressed under the Compression section.

This is the only indicator within the Microsoft SQL Server interface that partitioning is enabled.

EPE Settings Window The EPE Settings window displays global and unique settings for the Enterprise Password Enforcement event type. These options are set through the Menu’s Configuration > EPE Settings option. This window is only available to SI Administrators.

The window displays the following options:

Doc_ID 371 74

l Current hash database information

l Check for update options

l Passwords Hash Database Folder

l User Feedback Module

l Enable EPE User Feedback Module

l Use Custom Messages

l Password Rules Global Settings

l Modify Passwords Dictionary

l Modify List of Words for Character Substitution

l Modify Character Substitution Mapping Obtaining the Pwned Database

The Pwned database must be initially deployed to the Enterprise Manager. Once its stored, SI Agent(s) can be configured to obtain and use a local copy of the Pwned database. In order to give SI Agent(s) a local copy of the database, the Use local Pwned hash DB option on the Agents Interface Set Options section when deploying an SI Agent.

Password hashes can be authenticated against the stored Pwned database in the following places across the environment:

l Only the Enterprise Manager

l All or selected SI Agent(s)

l Mix of the Enterprise Manager and SI Agent(s)

Having the Pwned database copied to one location over another may alter functionality and whether or not authentication requires internet connection. See the Considerations When Deploying the Pwned Database section for additional information.

Follow the steps to obtain the Pwned Database content and prepare it for use by StealthINTERCEPT:

Step 1 – In the EPE Settings window, use the Password Hash Database Folder textbox enter the path to the folder where the Pwned hash database should be stored.

Step 2 – In the Update From section, choose between Link and File.

Doc_ID 371 75

l If Link is selected, proceed to Step 3. This option requires internet connection in order to automatically download the hash file from the Have I Been Pwned website.

l If File is selected, use the Select File button to browse to a copy of the hash file that has been manually downloaded from the Have I Been Pwned website. Follow the steps to manually download the hash file:

l Open up an internet browser and navigate to https://haveibeenpwned.com/. On the top navigation bar, select Passwords. The Pwned Passwords page displays.

l On the Pwned Passwords page, scroll down to the Downloading the Pwned Passwords list section and download the NTLM Version 5 (ordered by hash) torrent or cloudflare file. By default, the file is saved to Downloads. CAUTION: Once uncompressed, the NTLM Version 5 (ordered by hash) file becomes at least a 20G file. Ensure the SI Agent and/or Enterprise Manager has space to store the expanded Pwned database.

l Unzip and extract the NTLM Versions 5 (ordered by hash) file.

l Ensure the unzipped hash file is placed at the location defined in the Hash File path on the server. RECOMMENDED: Ensure the initial update of the database occurs during non-office hours. Due to the size of the hash file, this download takes up a significant amount of CPU and download time.

Step 3 – On the EPE Settings page, select Update to download the content of the hash file to the Password Hash Database folder location.

The Enterprise Manager is ready to use the Have I Been Pwned content derived from the hash file once the update is completed. Next, the policy or policies need to be configured to block password hashes that match the Pwned database content.

Step 4 – Navigate to the Password Rules filter for the desired Password Enforcement event types. Ensure that the policy is enabled and the Block if password hash is in Pwned DB checkbox is selected.

Step 5 – Review the Considerations When Deploying the Pwned Database to determine if it is best for your environment to deploy copies of the Pwned database to individual SI Agents.

Step 6 – (Optional) If desired, deploy SI Agent(s) with the Use local Pwned hash DB option on the Agents Interface Set Options page to supply a local copy of the Pwned database on the specified server. Repeat this step as necessary.

Doc_ID 371 76

The Pwned database is successfully deployed to the Enterprise Manager and any desired SI Agent(s) in the environment.

Considerations When Deploying the Pwned Database

Prior to deploying the Pwned database, consider the pros and cons when choosing its deployment location. It can be deployed on the SI Agent and/or Enterprise Manager. Remember, there can be a mix of SI Agent and Enterprise Manager in one environment.

If the Pwned database is copied to and stored on the SI Agent:

l The Pwned database takes up more space on the SI Agent then would on the Enterprise Manager

l No internet connection is required to check passwords against the Pwned database

l The pending password candidate is checked against the archived hash file at the local Agent level. The results are sent to the Enterprise Manager.

l If a password hash is matched, the pending password change is rejected.

l The Enterprise Manager periodically compares its Pwned database version against the SI Agent(s) local copy. If the Enterprise Manager has a newer copy, it updates the SI Agent copy.

If the Pwned database is kept only on the Enterprise Manager:

l The Pwned database takes up less space on the Enterprise Manager then would on the SI Agent

l Requires internet connection to check:

l The pending password candidate from the SI Agent

l For and obtain updates to the Pwned database

l Agent(s) send(s) the candidate hash value to the Enterprise Manager to compare against the Enterprise Manager’s copy of the Pwned database.

l The advantage of this approach is that the Pwned database space is not required on the Domain Controllers. The disadvantage is at the time of a password change, if the Enterprise Manager is not available, the Agent must assume the hash is okay.

l When the Enterprise Manager loses internet connection, the User must copy the Pwned database to the path specified by the Archive Hash File setting

Doc_ID 371 77

Passwords Hash Database

Within the EPE Settings window, there are global settings for updating the Have I Been Pwned compromised password hashes database. StealthINTERCEPT utilizes this database to check if users’ new and pending password (i.e. during a password reset) matches the hash of a compromised password from a data breach.

CAUTION: Ensure the initial update of the database occurs during non-office hours. Due to the size of the hash file, this download takes up a significant amount of CPU and download time.

A first time configuration of this window requires the Pwned database to be downloaded from the Have I Been Pwned website using Update in order to use the update settings on this page. See the Obtaining the Pwned Database section for additional information.

The EPE Settings window has the following options:

l Check for update options

l Check update every [number] [unit of time] – Select how often the Have I Been Pwned website is checked for a newer version of the passwords database.

l Check for new version – Creates an alert in the Alerts interface grid when a new version of the Pwned passwords database is available on the Have I Been Pwned website.

Doc_ID 371 78

NOTE: This checkbox does not automatically download the new Pwned database version for the user.

l Update pwned DB on new version– Downloads the latest version of the password database from the website. NOTE: This checkbox does not automatically download the new Pwned database version for the user.

After making selections, select the Apply button to make the selections active.

l Check current version – Checks the Have I Been Pwned website for the latest password hash file details and compares the SHA-1 to the local hash file to determine if the website has a newer version of the database

l Passwords Hash Database Folder – Central location of the Pwned database on the Enterprise Manager. The default path is:

…Stealthbits\StealthINTERCEPT\SIEnterpriseManager\PwnedS tore

l Update from Link or File

l Link – Automatically downloads the hash file for the Pwned database. This option requires internet connection to function.

l File – Use Select File to browse to a copy of the hash file that was manually downloaded from the Have I Been Pwned website.

l Progress – Use Update to automatically or manually download the Pwned database to the location specified in the Passwords Hash Database path.

User Feedback Module

The optional EPE User Feedback Module provides feedback to end users listing the reasons the Enterprise Password Enforcer (EPE) event type has rejected a candidate password. In order to enable integration with the User Feedback Module (also known as the Credential Provider), the Enable EPE User Feedback Module checkbox must be selected.

Remember, the module must be deployed by the user to any desired end user computers. See the EPE User Feedback Module section of the StealthINTERCEPT Installation & Upgrade User Guide for additional information.

Doc_ID 371 79

There are two checkboxes in the User Feedback Module group:

l Enable EPE User Feedback Module

l User Custom Messages

The User Feedback Module option enables integration between an optional EPE User Feedback module and the SI Agent(s) on a Domain Controller. Selecting the checkbox enables the integration between the module and the SI Agent(s). Press Update to apply the current state of the checkbox to the module.

Open Custom Messages Editor window by selecting Modify Messages in the User Feedback Module group. This window allows users to customize EPE User Feedback Module password rejection messages.

Doc_ID 371 80

To edit, double-click the row in the Custom Message column and enter a unique message. Once customizations are complete, click OK to save changes or Cancel to discard them. Select Reset to revert all customized messages back to their defaults.

The string "{0}" is a placeholder populated at run time with specific values leading to the password being rejected. The string "{0}" must be included in all custom messages where the user wants the run time generated information to display.

Password Rules Filter Global Settings

The following windows are global settings for the EPE Password Rules filter within the EPE Settings window. Whatever is configured in these windows is applied across all EPE Password Rules filter(s) in the StealthINTERCEPT console.

Doc_ID 371 81

The dialogues monitor or block an event with these global settings:

l Password Dictionary – Requires an exact match between the user entered password and the password in the dictionary

l Words List Dictionary – Global list of character substitutions found in passwords. Uses the Substitution Editors map to check all permutations of a pending password

l Substitutions Editor – Create a character substitution map used to create password permutations for the Words List dictionary Password Dictionary Window

The Password Dictionary window is a global setting used across all EPE policies. It contains the centralized copy of the dictionary.dat file. This modifiable file contains all compromised passwords in the textbox. Type in the textbox or use Windows copy and paste functionality to add, remove, and modify passwords in the textbox.

Remember, in order for the password to be rejected, the user pending password must match exactly to a listed password in the Password Dictionary list.

Doc_ID 371 82

The buttons on the right have the following functions:

l Add From File – Uploads passwords (one password per line) from a .txt file

l Save To File – Opens up a Save As window to save the current configuration to a .txt file at any desired location

l Sort and Distinct – Automatically removes duplicates and sorts passwords in alphanumeric order

l Find – Use the textbox to search for a password

l Default List – Resets the password values to the original list provided during installation. Any previous modifications are discarded.

l Remove All – Deletes all passwords from the window

Doc_ID 371 83

Select OK to push list modifications out to all Active SI Agents. Inactive SI Agents get the updated list when they reconnect to the Enterprise Manager. Select Cancel to close the window and lose any changes made.

Words List Dictionary Window

The Words List Dictionary window is a global setting used across all EPE policies. It contains a user provided global list of character substitutions found in passwords. This feature uses the entries in the Substitutions Editor to check all permutations of a user entered password. If the password matches a substitution rule, it is blocked.

Doc_ID 371 84

Type in the textbox or use Windows copy and paste functionality to add, remove, and modify passwords in the textbox. The buttons on the right have the following functions:

l Add From File – Uploads character substitutions (one password per line) from a .txt file

l Save To File – Opens up a Save As window to save the current configuration to a .txt file at any desired location

l Sort and Distinct – Automatically removes duplicates and sorts character substitutions passwords in alphanumeric order

l Find – Use the textbox to search for a password

l Remove All – Deletes all character substituted passwords from the window

Substitutions Editor Window

The Substitutions Editor window is a global setting used across all EPE policies. Character substitutions and their associated replacements are stored in this editor as rules (i.e. A = @). The Words List Dictionary applies these rules when checking all permutations of a user entered password.

NOTE: All entries in the sequence column must be unique.

For example: If “Goal” is added to the Word List Dictionary and A=@ and O=0 are added to the substitutions editor, then the pending passwords of “Go@l” and “G0al” are going to be blocked.

Doc_ID 371 85

The Substitutions Editor has the following options:

l Import – Imports a full set of the character substitutions from a user specified file

l Export –Saves the current set of character substitutions to a user specified file

l Reset to default – Resets the character substitutions to the original list provided during installation. Any previous modifications are discarded.

l Insert – Displays a custom row for the user to enter in Sequence and Replacement values NOTE: The new row is inserted underneath the current highlighted row.

l Delete –Removes a single row from the Substitutions Editor list. Only one row can be deleted at one time.

Select OK to save changes and close the window.

Event Database Configuration Window The Events Database Configuration window manages the NVMonitorData database, also known as the Events Database. This window is opened through the Menu's Configuration > Database > Server option.

Doc_ID 371 86

This window is only available to SI Administrators.

The Events Database is originally configured when installing the SI Enterprise Manager Package. See the Installation Process of the StealthINTERCEPT Installation & Upgrade User Guide for additional information. This window displays the current connection settings for the Event Database.

To change the credentials and/or SQL Server host information, see the SI DB Connection Manager application in the StealthINTERCEPT Installation & Upgrade User Guide for additional information.

Event Filtering Configuration Window The Event Filtering options are for excluding specific Active Directory and Authentication events from being monitored. A latency threshold can be set and generate alerts for AD Events. These features are set in the Menu’s Configuration > Event Filtering option.

This window is only available to SI Administrators.

Doc_ID 371 87

The filter options are grouped by AD Global Pre Filters, Authentication Global Pre Filters, and Alerts. Check the boxes to activate the filters. To disable for diagnostic purposes, simply uncheck the option(s) and click Save. All Authentication Global Pre Filters options require configuration before they can be enabled.

RECOMMENDED: Enable all of the AD Global Pre Filters options as well as the Exclude Logins from Machine Accounts option in the Authentication Global Pre Filters section.

When activated, the SI Agent(s) filters out the event data according to configuration defined in the filters.json file located in the installation directory of the Enterprise Manager.

Doc_ID 371 88

The ‘Help’ icon (?) opens a window which explains the type of “noise” events being filtered. Exclude ‘Noise’ Events Option

This option is enabled by default to filter out login and internal low level attributes which can be considered ‘noise’ events, resulting in a bloating of the database. This option can be scoped to include any combination to the following ‘noise’ events:

l Successful AD User Logins – Excludes events with the following attributes where ‘objectClass’ does not equal computer:

l logonCount

l lastLogon

l badPwdCount

l lastLogonTimestamp

l AD User Logins with Bad Password – Excludes events with the following set of attributes where ‘objectClass’ does not equal computer:

l badPwdCount

l badPasswordTime

Doc_ID 371 89

l AD Computer Logins – Excludes events with the following set of attributes where ‘objectClass’ equals computer:

l logonCount

l lastLogon

l badPwdCount

l lastLogonTimestamp

l badPasswordTime

l badPwdCount

l Low Level Attributes – Excludes the following attributes from event:

l ImPwdHistory

l dBCSPwd

l ntPwdHistory NOTE: Pre-4.2 SI Agents skip the objectClass-based filter sub-condition of the filter options above

Exclude AD DNS Events Option

This option is enabled by default to filter out DNS events. These events can result in a bloating of the database. They must meet both of the following conditions to be excluded:

l objectClass = ‘dnsNode’ or ‘dnsZone’

l Contains the ‘dnsRecord’ or ‘dNSTombstoned’ attribute NOTE: Pre-4.2 SI Agents ignore this filter.

When the DNS checkbox is unchecked, DNS record events display in a human-readable format within the Recent Events data grid of the Active Directory policy. In order to search these results, the Affected Object: Class can be set to equals dnsNode for the dnsRecord attribute to display.

Exclude Logins from Machine Accounts Option

This option is enabled by default to filter out machine logins. These events can result in a bloating of the database. Click the configure link to open the Edit Collection window.

Doc_ID 371 90

The Exclude Logins from Machine Accounts collection is only accessible for configuration through the Event Filtering Configuration window. Use the Add (+) button to open the Select Active Directory Perpetrators Window to browse for machine accounts or type in the textbox.

Only perpetrators with accounts ending in “$” are considered for this filter. Wild cards (*) can be used for partial matches to account names.

All machine accounts in the textbox are either included or excluded from event data monitoring by the SI Agent. Machine accounts not in the list have the unselected property applied.

Choose one of the following radio buttons to be applied to the list of account names:

l Pass to agent on match – Included and passed to the agent for event data monitoring. Machine accounts not in the list are excluded and ignored by the agent.

l Remove on match – Excluded and ignored by the agent. Machine accounts not in the list are included and sent to the agent for event data monitoring.

Repeat the process until all machine accounts to be included or excluded from Authentication event data have been entered in the list. Then click OK.

Usage Tip

Doc_ID 371 91

Windows Server 2012 introduced gMSA (Group Managed Service Accounts). The account names for gMSA accounts include “$” in their names so by default authentication traffic generated by these accounts is filtered out by SI because they ‘look’ like machine accounts which prior to Server 2012 were the only account names ending in “$”. The ability in SI to now add a list of filter strings to the “Exclude Logins from Machine Accounts” global filter provides a means to capture activity by gMSA type accounts as this activity is typically of interest where as true ‘machine accounts’ is not. By supplying either an explicit list of gMSA account names, or if a naming convention has been adopted, a set of wild card strings such as “gMSA*” or “svc*”, allows capturing authentication activity from such accounts while ignoring the noisy ‘machine accounts’.

Exclude Authentication Events from Selected Hosts Option

This option is disabled by default as it requires configuration before it can be enabled. Click the selected hosts link to open the Edit Collection window.

The Exclude authentication events from hosts collection is only accessible for configuration through the Event Filtering Configuration window. All three methods of identification for a host (IP Address, NETBIOS host name, or DNS host name) must be known in order to effectively exclude authentication from the host. Identify the host to be excluded in the textbox of the IP Address column and hit Enter or select the next row on the grid. StealthINTERCEPT attempts to discover the NETBIOS host name and the DNS host name associated with the supplied IP Address. If the host identification is not resolved or is inaccurate, manually type the information.

Repeat the process until all hosts for which Authentication event data will not be collected have been entered in the list. Then click OK. The Edit Collection window closes, and the Exclude Authentication Events from selected hosts option can be enabled.

Exclude Authentication Events from Selected Accounts Option

This option is disabled by default as it requires configuration before it can be enabled. Click the selected accounts link to open the Edit Collection window.

Doc_ID 371 92

The Exclude authentication events from accounts collection is only accessible for configuration through the Event Filtering Configuration window. Use the Add (+) button to open the Select Active Directory Perpetrators Window to browse for the desired accounts. Account names [domain name\account] can also be typed in the textbox. Wild cards (*) can be used as part of either the domain name or account. An asterisk (*) appearing anywhere other than as the first character or the last character are treated as a literal character instead of as a wild card. For example: *\Service1 would exclude all Service1 accounts whether it is a domain or local account, and Example\Service* would exclude all accounts that start with “Service” for the Example domain.

Repeat the process until all accounts to be excluded from Authentication event data have been entered in the list. Then click OK. The Edit Collection window closes, and the Exclude Authentication Events from selected accounts option can be enabled.

AD Events Latency Threshold Option

This option is disabled by default. It is used to generate alerts if the time delay between when an AD Event occurs and the time the Enterprise Manager receives it exceeds the specified latency threshold. This option is helpful for troubleshooting when experiencing slow connection in the environment. These events can result in a bloating of the database especially if the latency threshold is set too low.

Doc_ID 371 93

Select Send Latency Alerts to enable this option. Use the arrows, or type into the textbox, to set the number of minutes latency between the event and the agent receiving the event. When events exceed the timeframe, alerts display in the Alerts Interface. Email or SIEM alerts can be generated by selecting the Agent Latency checkbox in the SI System Alerting Window dialogue in the Operations tab.

Export Policies and Templates Window The Export Policies and Templates window is for configuring what is exported to the XML file. If opened through the Menu’s Tools > Export… option, then everything is exported. If opened via the keyboard shortcut (Alt+X) while within the Policies Interface or Templates Interface, it exports only what is within the selection. To export only a single policy or template, use the Policies Interface or the Template Node Right-Click Menu options.

Doc_ID 371 94

The Export Policies and Templates window includes the following options for customization.

l Collections:

l Export Collections – Check the box to activate the radio buttons:

l Export All Collections

l Export Only Collections Used in Policies and Templates

l Do Not Include Collection Items checkbox – Excludes collection items from the Collection export

Doc_ID 371 95

l Event Consumers and Alerts:

l Export All Event Consumers and Alerts – Exports all event consumers (actions) and alerts

l Export Only Event Consumers and Alerts Used in Policies and Templates – Exports only event consumers and alerts configured on the Actions Tab of enabled policies

l Options:

l Notes – Enter any information to be saved with the XML file

l Encrypt Sensitive Fields – When active, it provides a Password and Verify Password to be used as the encryption key

When the options are set as desired, click Export.

File Monitor Settings Windows The File Monitor Settings window is a global setting for managing log retention, the ability to disable office file filtering, inherited permissions for parent object changes, and AD accounts and file system activity processes for StealthINTERCEPT file monitoring and blocking policies. This window is set through the Menu’s Configuration > File Monitor Settings option.

This window is only available to SI Administrators.

The File Monitor Settings window as the following options:

l Logs retention period, days – Log retention period for activity logs (TSV files) created by the StealthINTERCEPT Agent for Windows servers or by the Stealthbits Activity Monitor Agent for NAS devices and then read by the StealthINTERCEPT Agent. This does not affect File System

Doc_ID 371 96

StealthAUDIT Event Types. StealthINTERCEPT Agents read logs in real time and retain the original logs for a set number of days before the logs are automatically deleted. This setting configures the log retention period for all enabled policies using the File System Changes and/or File System Lockdown event types. By default, it is set to 10 days.

l Microsoft Office temporary files filtering – Global setting that is selected by default. If checked, the temporary files associated with Microsoft office operations, such as copy, paste, etc., are not monitored. When unchecked, all the temporary files associated with Microsoft office operations are monitored.

l The FS inherited permissions – Reports separate events for the parent object and each child object. When checked, it reports an event only for the parent object.

l Exclude selected accounts – Deselected by default. When checked, the list of AD user and group names as well as well-known SIDs for built in users/groups are excluded from file system monitoring and blocking policies at a global level.

l Exclude Selected processes – Deselected by default. When checked, the user-supplied list of processes are excluded from the file system monitoring and blocking policies at a global level.

l Include Folder list / read operations – Deselected by default. When checked, all list/read folder operations are included in file system monitoring and blocking policies reporting at a global level.

Select Accounts to Exclude from Collections Follow the steps to select accounts to exclude from collections:

Step 1 – Navigate to the File Monitor Settings window through Menu's Configuration > File Monitor Settings option.

Step 2 – Check Exclude selected accounts checkbox and then select accounts. The Edit Collection window displays.

Doc_ID 371 97

Step 3 – Use the Add (+) button to open the Select Active Directory Perpetrators window to browse for AD accounts. Select OK to accept modifications.

Any accounts added to the list are excluded globally for file system activity.

The Exclude selected processes option is deselected by default. When checked, any file activity generated by the processes added will have their file system activity ignored.

Select Local Processes for Exclusion Follow the steps to select local processes for exclusion:

Step 1 – Navigate to the File Monitor Settings window through Menu's Configuration > File Monitor Settings option.

Step 2 – Check Exclude selected processes checkbox and then select processes. The Edit Collection window displays.

Doc_ID 371 98

Step 3 – Use the textbox to enter process names. Select OK to accept modifications.

Any processes added to the list will not have their file activity reported.

Import Window The Import window is for selecting the exported XML file to be imported and configuring the import settings. This window is opened through the Menu’s Tools > Import… option or via the keyboard shortcut (Alt+I).

Doc_ID 371 99

The Import window includes options for customization and filters to handle duplicate items.

In the Select Import File section, use the ellipsis (…) to browse for the XML file to be imported. Once selected, the Import File Details displays statistical information on what will be imported and notes from the exported file.

In the Destination Folders section, use the radio button to choose one of the following:

Doc_ID 371 100

l Place in Folders from Which They Were Exported

l Place in Specific Folders – Choose between the radio buttons:

l Place All in This Single Folder

l Maintain Folder Hierarchy from Which They Were Exported

l Then select the Folder Destination for Policies/Templates by using the appropriate ellipsis (…) to browse for the folder location within the Policy Center.

NOTE: This does not create new folder locations.

In the Collections section, use the radio button to choose one of the following:

l Create Collection with All Imported Items

l Create Empty Collection

At the bottom of the Import window is an option to Append Import Details to Modified Entries. If checked, this option appends the import information to a pre-existing item instead of overwriting it.

When the options are set as desired, click Import.

Password Safe Configuration Window The Password Safe Configuration window is a global setting for configuring multiple profiles with the appropriate credentials for accessing a third-party password safe such as Beyond Trust. The account checked out from a password safe must have rights on the machines targeted for the Agent actions. A Password Safe profile can be used within the Agents Interface for a number of Agent actions instead of entering in credentials directly. This window is set through the Menu’s Configuration > Password Safe option.

This window is only available to SI Administrators.

Profiles Tab The Profiles tab is where a Password Safe profile is configured. These profiles are the integration point between StealthINTERCEPT and a third-party password safe.

Doc_ID 371 101

Follow the steps to configure a password safe profile:

NOTE: Multiple profiles are supported.

Step 1 – Navigate to the Password Safe Configuration window by selecting the Menu's Configuration > Password Safe option. The Password Safe Configuration window opens.

Step 2 – On the Password Safe Configuration window, select the green plus button (+) on the Profiles tab or edit an existing profile by selecting it from the list. The Settings to the right are activated for configuration.

Step 3 – In the Settings group, configure the following:

l Profile Name – Name displayed in the Password Safe drop-down menus in the Agents Interface

l Public – When deselected, only the current user has access to the profile. When selected, the profile becomes available to all SI Administrators of the Console.

l Server URL – Enter the URL to connect to the third-party password safe

l API Key – Obtained from the third-party password safe application, such as Beyond Trust. This is how SI secures the connection between the application and console.

Doc_ID 371 102

l Ask on Action checkboxes – StealthINTERCEPT prompts the user at the time of a selected action (i.e. deploying an Agent) for profile and credential selection.

l Password Safe Account – The account used to access the password safe

l Login

l Password

l AD Admin Account to Check-out – The account being checked out of the password safe to be used with Agent actions

l Check-out Time – Requested time to check out and use the password safe credentials

l Auto Check-in – Returns credentials to the password safe after the Agent action is completed

l Take Ownership – Another SI Administrator can take control of a profile created by another user

Step 4 – Select Ok to save the profile or Cancel to discard pending changes.

A new or edited profile now displays in the list in the Profiles list.

Scripts Tab The Scripts tab is where the Retrieve Password, Check-out, and Check-in functions are configured for integration with a third-party password vault.

Doc_ID 371 103

For Beyond Trust integration, these functions are pre-populated and added to the ...Stealthbits\StealthINTERCEPT\SIEnterpriseManager\Scripts folder as its default path. Advanced users can create their own PowerShell scripts tailored to their environment.

SI System Alerting Window The SI System Alerting window is for configuring and managing all alerting avenues. This window is opened through the Menu’s Configuration > Alerts option, and is only available to SI Administrators.

Doc_ID 371 104

Alerts can be sent to recipients via email, to Windows Event Log, and to SIEM products. These alerts can be configured to send notification of SI Security events, SI Operations events, SI Configuration events, Analytic incidents, and Policy events. Email and SIEM alert notifications of policy events can be enabled either through this window or from the Actions Tab of a policy’s configuration. However, in order to enable email and SIEM alert notifications, configuration must first be set through this window. From within the Policy Center, the Alerts Interface allows SI users to quickly view recent alerts in a centralized location.

Email and SIEM alert notifications for Analytic incidents can be configured within this window to send Ongoing Attack Alerts. When checked, SI sends periodic reminders of an ongoing attack if it continues after the initial notification has been sent.

Below are some considerations:

l Occasionally a Microsoft Security Bulletin impacting LSASS can interfere with the SI Agent instrumentation resulting in LSASS shutting down. The SI Agents are confused to monitor for an LSASS process termination shortly after a server reboot. The LSASS process terminated SI Operations Alert is triggered in this event and the SI Agent is stopped. If this occurs, it requires the SI Administrator to take action as all monitoring/blocking by that SI Agent will be stopped. RECOMMENDED: Activate an Email Notification for this alert.

See the LSASS Process Terminated section for additional information.

Doc_ID 371 105

l In addition to the LSASS process termination check, the SI Agent can be configured for a Safe Mode. When enabled, the SI Agent records the version of all DLLs it hooks into in LSASS during installation. When an SI Agent is restarted, it compares the DLL versions with the recorded list. If the versions do not match, the Windows AD Events monitoring module is not loaded. The agent’s Status in the Agents interface changes to Active (Modules Pending), and all Active Directory monitoring/blocking by that SI Agent will be stopped. If this occurs, it requires the SI Administrator to take action. The Agent Started in AD Monitor pending mode SI Operations Alert is triggered in this event. RECOMMENDED: Activate an Email Notification for this alert.

See the How To Enable Agent Started in AD Monitor Pending Mode Email Alert and the SI Agent Safe Mode sections for additional information.

Email Tab Alert notification via email sends messages through an SMTP Gateway. Alerts are designed to send email notifications to individuals or groups who need the same information. When the Message Profile is modified for an alert, all policies referencing the alert uses the updated information. Follow the steps to configure the Email tab of the SI System Alerting window:

Step 1 – Configure the following prior to enabling email alerting:

l Configure SMTP Host Information – Configuration of this section is required before the following actions can be preformed:

l Exporting data from the data grid within the SI Admin Console

l Export reports within the SI Reporting Console

l Schedule reports within the SI Reporting Console

l Create Message Profiles – Use the Configure section of the Email tab to configure a message profile in either a plain text or HTML format.

Step 2 – Once configured, navigate to the Events section of the Email tab. Decide what events receive notifications and assign one or more profiles to the event.

Doc_ID 371 106

Step 3 – Click the button [1] in front of Disabled to toggle the setting to Enabled.

Step 4 – Select the event category [2] (Security, Operations, Configuration, Analytics, Policies) from the list on the left.

Step 5 – Check the desired event/incident/policy [3] that triggers email notifications from the center list.

Step 6 – Assign the desired Message Profile from the list [4] provided in the drop-down menu to the right of the selected event.

l For Policies, multiple Message Profiles can be assigned by either checking the desired profile(s) or (Select All).

There is no limit to how many events a Message Profile can be assigned.

l For Analytics, choose whether or not to enable Ongoing Attack Alerts.

Step 7 – Click OK in the drop-down menu to confirm the selection.

Step 8 – Repeat Steps 2-5 as desired. Then click OK at the bottom of the SI System Alerting window to save the assignment of profiles. The SI System Alerting window closes.

Doc_ID 371 107

The SI Admin Console now sends email notifications for the selected events/incident/policies to the recipients of the selected Message Profiles.

Configure SMTP Host Information Follow the steps to configure the SMTP Host information for email alerting.

Remember, this only needs to be done once in order to enable email alerts for both the SI Admin Console and the SI Reporting Console.

Step 1 – On the Email tab, select Configure.

Step 2 – In the Server box, provide the SMTP Host as either the IP Address or the hostname of the SMTP gateway.

l Example: 192.168.189.56 or SIM1.Stealthbits.com

Step 3 – For the Port box provide the appropriate port number.

Step 4 – The Enable SSL checkbox provides the option to use SSL communications for email. Check the box to enable this option.

Doc_ID 371 108

Step 5 – For the From box provide the email address to be used as the sender for the email.

l Example: [email protected]

Step 6 – If the SMTP Gateway requires authentication, check the Requires Authentication checkbox and provide a Login and Password with the appropriate level of credentials in the textboxes that appear.

Step 7 – Click OK on the SI System Alerting window to save the configured SMTP Host information.

Once the window closes, create the Message Profile(s).

Create Message Profiles Message Profiles are associated with events for email alerting. Follow the steps to create a Message Profile.

Doc_ID 371 109

Step 1 – On the Email tab, select Configure.

Step 2 – In the Message Profiles box, click the Add (+) button to create a New Email Notification Profile. The default profile name (New Email Notification) displays.

RECOMMENDED: Provide a unique and descriptive name for this new email notification profile.

Doc_ID 371 110

Plain Text Format HTML Format

Step 3 – Configure the following for the Message Profiles section:

l To – Provide an email address for each recipient of the email alert. This can be individuals, distribution lists, or a combination. To send alerts to multiple recipients, separate the addresses with either a comma (,) or a semi-colon (;)

l Example: [email protected]; [email protected]

l Send Test Email – Use to send a test email. It sends an unformatted sample message to all recipients. StealthINTERCEPT tells the SI user if the message is successfully sent, but is not able to tell if it was received.

l Subject – Keep the default email subject or provide a descriptive one that fits the alerts these recipients receive.

The default email subject is: Stealthbits StealthINTERCEPT Event Notification.

l Format – Choose between Plain Text and HTML email options. Changing the message template provides the option to load the default message template. The Email Template window displays when selecting either radio button.

Doc_ID 371 111

Changing the message template provides the option to load the default message template. Choose between:

l Yes – Loads the default message template for the selected format. This overwrites the current message template.

l No – Leads the current message Body

CAUTION: The tokens used within the message Body, the information between and including the % symbols (e.g. %TIME_STAMP%), must be present to retrieve that event data from the database. Tokens can be removed, but partial tokens do not retrieve data from the database.

Step 4 – The Body box contains the default message, which includes all event data types available for notification. To customize for the specific alerts, simply remove the Event Data Fields not desired. Customization can also include reformatting the message as desired. The default message is:

l Plain Text – An event has occurred in which you are on the notification list.

l HTML – The following Event has occurred at %TIME_STAMP% for which you requested notification:

The available Event Data Fields and their associated tokens are;

Event Data Field Token

Time Stamp %TIME_STAMP%

Event Source Type %EVENT_SOURCE_TYPE%

Domain Name %EVENT_SOURCE_NAME%

Policy Name %SETTING_NAME%

Event Name %EVENT_NAME%

Doc_ID 371 112

Event Data Field Token

Event Name Translated %EVENTNAMETRANSLATED%

Originating Server % ORIGINATING_SERVER%

Originating Server IP %ORIGINATING_SERVERIP%

Target Host %TARGETHOST%

Target Host IP %TARGETHOSTIP%

Class Name %CLASS_NAME%

DN %DN%

Affected Object SID %AFFECTED_OBJECT_SID%

Affected Object Account Name %AFFECTED_OBJECT_ACCOUNT_NAME%

Operation Successful %SUCCESS%

Operation Status %STATUS%

Blocked Event %BLOCKED_EVENT%

Perpetrator %PERPETRATOR%

Perpetrator Name %PERPETRATOR_NAME%

Perpetrator Sid %PERPETRATOR_SID%

Originating Client %ORIGINATING_CLIENT%

Originating Client Host %ORIGINATINGCLIENTHOST%

Originating Client IP %ORIGINATINGCLIENTIP%

Doc_ID 371 113

Event Data Field Token

Originating Client Protocol %ORIGINATINGCLIENTPROTOCOL%

Originating Client MAC %ORIGINATINGCLIENTMAC%

Events Count %EVENTS_COUNT%

Attribute Values %ATTRIBUTE_VALUE%

Old Attribute Values %OLD_ATTRIBUTE_VALUE%

Attribute Operations %OPERATION%

Repeat this process to create as many Message Profiles as desired.

Step 5 – Click OK on the SI System Alerting window to close and save Message Profile settings. Now that at least one Message Profile has been configured, it can be assigned to an event either through the SI System Altering window’s Email Tab or assigned to a policy on the Actions Tab of the Policy Configuration.

Event Log Tab Alert notification via Event Log sends event notifications to the Windows Event Log. Follow the steps to enable Event Log Alerting.

Doc_ID 371 114

Step 1 – Click the button [1] in front of Disabled to toggle the setting to Enabled.

Step 2 – Select the event category [2] (Security, Operations, Configuration) from the list on the left.

Step 3 – Check the desired event(s) [3] that trigger Windows Event Log notifications from the list in the center.

Step 4 – Then click OK at the bottom of the SI System Alerting window to save the configuration. The SI System Alerting window closes.

The Windows Event Log now receives alert notifications for the checked events.

SIEM Tab Alert notification via SIEM sends event notifications to a SIEM product using UDP or TCP protocol. Before SIEM alerting can be enabled, the SIEM server must be configured. Follow the steps to set up what events receive notifications.

Step 1 – Navigate to the Configure section of the SIEM tab and Configure SIEM Server.

Step 2 – Once configured, navigate to the Events section of the SIEM tab.

Doc_ID 371 115

Step 3 – Click the button [1] in front of Disabled to toggle the setting to Enabled.

Step 4 – Select the event category [2] (Security, Operations, Configuration, Analytics, Policies) from the list on the left.

The Configure SIEM Server options allows SI Administrators to set a SIEM Mapping File for each type of event category.

Step 5 – Check the event/incident/policy [3] that triggers SIEM notifications from the center list.

Step 6 – Select the desired SIEM profile [4] to send alerts to.

l For Analytics, choose whether or not to enable Ongoing Attack Alerts.

The SI Admin Console now sends SIEM notifications for the selected events/incidents/policies.

Configure SIEM Server Multiple profiles can be created across SIEM servers to serve different alerting functionalities. Follow the steps to configure one or more SIEM servers for alerting.

Doc_ID 371 116

UDP Protocol TCP Protocol

Step 1 – On the SIEM tab, select Configure.

Step 2 – (Optional) In the SIEM Profiles section, select the Add (+) button to create a New SIEM Profile. To rename the default text, select the name string and enter the new profile name.

RECOMMENDED: For each profile, use a unique name for easy identification.

Step 3 – For the Protocol box, use the drop-down menu to select either protocol:

l UDP

l TCP – If selected, the option Require SSL/TLS activates. If desired, check this box and ensure the certificate is saved in the certificate store.

Step 4 – For the Host Address box provide either an IP Address or server name for the SIEM server.

Step 5 – For the Port box provide the appropriate port number to communicate with the SIEM server.

Doc_ID 371 117

Step 6 – For the Mapping File for Events box, use the drop-down menu to select the SIEM product which will be receiving policy event notifications. The gear icon to the right of the drop- down arrow allows SI Administrators to import a custom mapping file. These mapping file formats are specifically designed for policy events.

Step 7 – For the Mapping File for System Alerts box, use the drop-down menu to select the SIEM product which will be receiving SI Security, SI Operations, and SI Configuration event alerts.

The gear icon to the right of the drop-down arrow allows SI Administrators to import a custom mapping file. These mapping file formats are specifically designed for SI system events.

Step 8 – For the Mapping File for Authentication Analytics box, use the drop-down menu to select the SIEM product which will be receiving Authentication Analytics incident alerts.

The gear icon to the right of the drop-down arrow allows SI Administrators to import a custom mapping file. These mapping file formats are specifically designed for Analytics incidents.

Step 9 – (Optional) Use the Test button to confirm the configuration settings.

Once a SIEM server is configured, assign events to send alerts through the SI System Alerting window’s Email Tab or assigned to a policy on the Actions Tab of the Policy Configuration.

IBM® QRadar® Integration

Stealthbits has created a custom app for integration between StealthINTERCEPT and QRadar. See the Stealthbits Active Directory App for QRadar User Guide for information on downloading this app from the IBM X-Force Exchange, installing this app into an organization’s QRadar, and using the dashboards. See also the Stealthbits File Activity Monitor App for QRadar User Guide. See Appendix A for QRadar Mapping File information.

Splunk® Integration

Doc_ID 371 118

Stealthbits has created custom apps for integration between StealthINTERCEPT and Splunk. See the Stealthbits Active Directory App for Splunk User Guide and the Stealthbits Threat Hunting App for Splunk User Guide for information on downloading this app from the Splunkbase, installing this app into an organization’s Splunk, and using the dashboards. See also the Stealthbits File Activity Monitor App for Splunk User Guide.

Adding a Custom SIEM Mapping File Custom SIEM mapping files can be added. First create the mapping file, and then save it in an accessible location to the SI Admin Console. The default mapping files are stored in the following folder: …\Stealthbits\StealthINTERCEPT\SIWinConsole\SIEMTemplates

Follow the steps to add a custom SIEM Mapping File.

Step 1 – Click the gear icon next for the alert type to be configured in order to open the SIEM Templates window. The new mapping file is only made available for the alert type selected.

Doc_ID 371 119

Step 2 – Click the Add (+) icon to open the Import SIEM Mapping File window.

Step 3 – Navigate to the desired mapping file and click Open. The SIEM Mapping File window closes.

Doc_ID 371 120

SIEM Template Window Mapping File Drop-down Menu

Step 4 – The new mapping file appears in the SIEM Templates window and is now available in the drop-down menu. Click Close.

The new mapping file can now be selected from the drop-down menu for the selected alert type. Repeat Steps 1-4 to add the new mapping file to other alert types.

StealthDEFEND Configuration Windows The StealthDEFEND Configuration window is a global setting for enabling the integration between StealthINTERCEPT and StealthDEFEND. This window is only available to SI Administrators.

The features of this window were not introduced in a single release of StealthINTERCEPT and StealthDEFEND. Refer to the list below for the minimum versions required for the specified configuration feature and its tab to display in the SI Console.

l Event Sink Tab – Released with StealthINTERCEPT v6.0 and StealthDEFEND v2.0

l Honey Token Tab – Released with StealthINTERCEPT v7.1 and StealthDEFEND v2.5

l Forged PAC Tab – Released with StealthINTERCEPT v7.3 and StealthDEFEND v2.6

The StealthDEFEND App Token authenticates connection between StealthINTERCEPT and StealthDEFEND. The StealthDEFEND App Token is generated within StealthDEFEND:

l Navigate to the Configuration > App Tokens page

l Generate a new app token

l Copy the Token

Doc_ID 371 121

See the App Token section of the StealthDEFEND User Guide for additional information on setting up StealthINTERCEPT integration.

Event Sink Tab The StealthDEFEND Event Sink tab connects StealthINTERCEPT to StealthDEFEND through a uniform resource identifier and the StealthDEFEND App Token. Policy event data is sent to StealthDEFEND through this window.

Follow the steps to configure StealthINTERCEPT to send event data to StealthDEFEND.

Step 1 – Generate the StealthDEFEND App Token in StealthDEFEND.

Step 2 – Within StealthINTERCEPT, navigate to Menu > Configuration and select the StealthDEFEND Event Sink option. The StealthDEFEND Event Sink window opens.

Step 3 – On the StealthDEFEND Event Sink window, configure:

CAUTION: Do not use localhost for the hostname or 127.0.0.1 for the IP address.

Doc_ID 371 122

l StealthDEFEND URI – Enter the StealthDEFEND hostname or IP address and port in the following format. The default port for StealthDEFEND is 10001.

l amqp://[HOSTNAME | IPADDRESS]:[PORT]

l For an example with the host name – amqp://ExampleHost:10001

l For an example with the host address – amqp://192.168.9.52:10001

l App Token – App Token generated on the App Tokens page in StealthDEFEND

l Policies – Shows all Policies that exist in the Policies Interface.

l Send – Selected enabled Policies send their event data to StealthDEFEND directly from the SI Agents. This option can also be set by the Send to StealthDEFEND checkbox on the Actions Tab.

l State – Displays whether or not the policy is enabled or disabled The State column does not control the state of the checked Policy. These policies can be enabled or disabled either at the Policies Interface or through the Policies Node Right-Click Menu.

l Name –Shows the display name of the Policy as written in the Policies Interface.

l Path – Displays the path of the Policy within the structure of the Policies Interface.

Step 4 – Click Save.

All real-time event data from the selected StealthINTERCEPT policies are now being sent to StealthDEFEND.

The StealthDEFEND URI configuration can also be used to send SI policy data to the Stealthbits Activity Monitor host and port (example: localhost:4498). StealthINTERCEPT can only send to either StealthDEFEND or the Stealthbits Activity Monitor. See the Active Directory Configuration Guide for additional information.

Honey Token Tab The Honey Token tab specifies which samAccountName is substituted with the samAccountName defined in the Honey Token tab. The information on this tab is sent to the SI Agent. If the agent sees an LDAP query using information from the Honey Token of fake accounts, it alters the LDAP query results to return the Replacement samAccountName. This ensures the account looks like a real privileged account to lure the perpetrator to it.

Doc_ID 371 123

Follow the steps to send the Honey Token to StealthDEFEND for an LDAP Deception trap.

Step 1 – Configure the Source samAccountName and Replacement samAccountName in a StealthDEFEND Honey Token threat.

See the StealthDEFEND User Guide for additional information.

Step 2 – Ensure the Event Sink tab is properly set up to send event data to StealthDEFEND.

Step 3 – Select the Enable LDAP substitution checkbox to enable the options.

Step 4 – Enter the exact match of settings configured for the StealthDEFEND Honey Token threat for the following options:

l Exact Match or Substring

l Source samAccountName

l Replacement samAccountName

Step 5 – Click Save to close the window.

The Honey Token is now enabled and ready and integrated with StealthDEFEND.

Doc_ID 371 124

See the Configure LDAP Monitoring for StealthDEFEND section to configure an SI policy accurately for Honey Token LDAP Monitoring.

Forged PAC Tab The Forged PAC tab provides the option to include Forged PAC information in the event(s) StealthINTERCEPT sends to StealthDEFEND.

Follow the steps to include the Forged PAC information in events:

Step 1 – Under the Analytics node in the Policy Center, select theForged PAC analytic.

Step 2 – On the Forged PAC analytics window, select the gear icon on the upper-right hand corner of the window to open up the Configure Analytics window.

Step 3 – Add or remove the desired RIDs groups on the Settings tab. When adding, the Select Active Directory Groups window opens. Connect and browse for the desired RID groups that will, once selected, be added to the group for this analytic.

Step 4 – On the Policy tab, configure the following:

Doc_ID 371 125

l General Tab – Use the toggle to Enable the policy

l Event Type Tab – Keep the default settings or set as desired for the Authentication event filters

l Actions Tab – Select Send to StealthDEFEND

Step 5 – Click Save once configurations are set. The Configure Analytics window closes.

Step 6 – Navigate to the Configuration menu and in the drop-down, select StealthDEFEND Configuration. The StealthDEFEND Configuration window opens.

Step 7 – On the StealthDEFEND Configuration window, set the desired StealthDEFEND URI and App Token if not done so already. Then navigate to the Forged PAC tab and select Include Forged PAC information in event. Click Save.

When a Forged PAC analytic is triggered in StealthINTERCEPT, the event data will now be sent to StealthDEFEND.

Users and Roles Window The Menu’s Configuration > Users option opens the Users and Roles window.

This window is only available to SI Administrators.

Doc_ID 371 126

This is a security feature for controlling access to the SI Admin Console and the SI Reporting Console. The user account which ran the installation is automatically set as an SI user with the role of Administrator. This is the only active SI user until more are added. With this security feature, no unauthorized accounts can open the SI Admin Console or the SI Reporting Console.

There are three roles which can be applied to an SI user:

l Administrator – Includes Console Operator and Report User functionality

l Console Operator – Includes Report User functionality

l Report User – Access to the SI Reporting Console only

SI Reporting Console Rights

Doc_ID 371 127

Console Administrator Report User Operator

Log into the SI Reporting Console ü ü ü

Create Reports ü ü ü

Edit or Delete Reports ü Only If Owned Only If Owned

Save Changed Report Parameters ü* Only If Owned Only If Owned

Schedule Reports ü ü ü

Receive Scheduled Reports ü ü ü

Access Admin Menu (to upload ü û û report template files)

*If an Administrator changes report ownership of a report they do not own, a System Alert is generated.

SI Admin Console Rights

Console Administrator Report User Operator

Log into the SI Admin Console ü ü û

Create Policies and Policy ü ü û Templates

View, Edit, or Delete Unprotected ü ü û Policies

View, Edit, or Delete Protected According to According to û Policies Folder Folder Permissions Permissions

Doc_ID 371 128

Console Administrator Report User Operator

Protect Policies at the Folder ü ü û

Change Protected Folder ü* û û Permissions

Set or Modify SI Admin Console ü û û Configuration Settings

SI Agent deployment & ü û û management

Add or Remove SI Users ü û û

Modify SI User Access Rights ü û û

LDAP Operations Center ü û û

*If an Administrator changes permissions on protected policies they do not own, a System Alert is generated.

See the Policies Interface section for information on protected and unprotected policies.

It is necessary for the SI user to have the following minimum of permissions on the SQL Server databases, both the NVMonitorConfig and NVMonitorData databases, according to the assigned role:

l Administrator Role

l Read/Write data

l If using Database Maintenance Window – SA rights are required

l If using Database Partitioning Window – Create partitioning schema, partition functions, and modify schema

l Console Operator Role

l Read/Write data

Add SI Users

Doc_ID 371 129

Follow the steps to add SI user and assign access rights.

Step 1 – Navigate to the Menu's Configuration > Users to open the Users and Roles window.

Step 2 – Click the Add (+) button in the upper-right corner and the Select Users or Groups window opens. Browse for the user in Active Directory. Then click OK. The Select Users or Groups window closes and the new SI user is added to the Windows User or Group list.

Doc_ID 371 130

Step 3 – At the bottom of the Users and Roles window, assign the access rights by selecting the desired checkbox. Any included right(s) are automatically checked.

l For example, Checking Console Operator automatically checks Report User role as well.

Step 4 – (Optional) Repeat this action as many times as desired before selecting Ok. None of the role changes are acknowledged until the settings have been saved.

Step 5 – Click Ok to finalize any changes on the Users and Roles window.

The SI User(s) now have the appropriate access rights applied.

Modify SI User Assigned Rights Follow the steps to modify an SI user’s assigned rights.

Doc_ID 371 131

Step 1 – Navigate to the Menu's Configuration > Users to open the Users and Roles window.

Doc_ID 371 132

Step 2 – Select the SI user whose assigned rights are to be modified. Grant a higher right by checking the desired level. Limit the rights by checking the desired level twice. The first click deselects all checkmarks; the second click assigns the new right. Alternatively, deselect undesired right(s).

Step 3 – (Optional) Repeat this action as many times as desired before selecting Ok. None of the role changes are acknowledged until the settings have been saved.

Step 4 – Click Ok to finalize any changes on the Users and Roles window.

The SI User(s) now have the appropriate access rights updated.

Users and Roles Window The Menu’s Configuration > Users option opens the Users and Roles window.

This window is only available to SI Administrators.

Doc_ID 371 133

There are three roles which can be applied to an SI user:

l Administrator – Includes Console Operator and Report User functionality

l Console Operator – Includes Report User functionality

l Report User – Access to the SI Reporting Console only

SI Reporting Console Rights

Doc_ID 371 134

Console Administrator Report User Operator

Log into the SI Reporting Console ü ü ü

Create Reports ü ü ü

Edit or Delete Reports ü Only If Owned Only If Owned

Save Changed Report Parameters ü* Only If Owned Only If Owned

Schedule Reports ü ü ü

Receive Scheduled Reports ü ü ü

Access Admin Menu (to upload ü û û report template files)

*If an Administrator changes report ownership of a report they do not own, a System Alert is generated.

SI Admin Console Rights

Console Administrator Report User Operator

Log into the SI Admin Console ü ü û

Create Policies and Policy ü ü û Templates

View, Edit, or Delete Unprotected ü ü û Policies

View, Edit, or Delete Protected According to According to û Policies Folder Folder Permissions Permissions

Doc_ID 371 135

Console Administrator Report User Operator

Protect Policies at the Folder ü ü û

Change Protected Folder ü* û û Permissions

Set or Modify SI Admin Console ü û û Configuration Settings

SI Agent deployment & ü û û management

Add or Remove SI Users ü û û

Modify SI User Access Rights ü û û

LDAP Operations Center ü û û

*If an Administrator changes permissions on protected policies they do not own, a System Alert is generated.

See the Policies Interface section for information on protected and unprotected policies.

It is necessary for the SI user to have the following minimum of permissions on the SQL Server databases, both the NVMonitorConfig and NVMonitorData databases, according to the assigned role:

l Administrator Role

l Read/Write data

l If using Database Maintenance Window – SA rights are required

l If using Database Partitioning Window – Create partitioning schema, partition functions, and modify schema

l Console Operator Role

l Read/Write data

Doc_ID 371 136

Copyright 2021 STEALTHBITS TECHNOLOGIES, INC. ALL RIGHTS RESERVED StealthINTERCEPT® Policy Center The Policy Center is the primary interface of the SI Admin Console. It is divided into two sections: the Navigation pane and the Display area.

The Navigation pane provides interface options and the Display area displays the selected interface. The following interface options are available:

l Agents Interface

l Alerts Interface

l Investigate Interface

l Analytics Interface

l Policies Interface

l Templates Interface

l TAGS Node

Doc_ID 371 137

Remember, the Investigate, Analytics, Policies, Templates, and TAGS nodes in the Navigation pane can be expanded and collapsed by double-clicking the left mouse button.

Agents

The Agents interface provides data about the SI Agents within the environment. This includes what domain the agent is in, what machine it is deployed on, its current status, and other details. This interface also indicates if a domain controller does NOT have an SI Agent deployed on it. Through this interface, SI Agents can be deployed, updated, and managed; logging levels can be configured; logs can be accessed; and agent information can be exported.

Alerts

The Alerts interface provides information on the SI Security events, SI Operations events, and SI Configuration events. All events are displayed by default. However, they can be filtered, sorted, and searched.

Investigate

The Investigate interface is a reporting tool for the SI Admin Console. It provides information on recent events monitored or blocked by any enabled policy. By default, all events recently monitored or blocked are available. However, the events can be filtered to particular policies, perpetrators, time frames, domains, servers, computers, events, etc.

Analytics

The Analytics interface is a front-line warning tool for detecting incidents in real-time based on patterns within collected event data indicative of potential security risk. It provides information on incidents identified by the analytic policies.

Policies

The Policies interface provides a central location for creating and configuring all policies. The policies are listed in the Display area when the Policy node is selected. Within the Navigation pane the policies are organized into folders. By default, the folder structure is comprised of but not limited to three folders: Auditing, Blocking, and Notifications. These are the three most common types of policies enabled by SI users. Policies can be configured to monitor or block Windows Active Directory Events, Windows Exchange Server 2010, 2013, and 2016 Events, Windows File System Events, NetApp File System Events, EMC File System Events, and Group Policy Objects Events.

Doc_ID 371 138

A folder can be protected which controls access to any policy within the folder. A protected policy cannot be viewed, edited, or deleted by other SI users without explicit permissions being granted.

Templates

The Templates interface provides a central location for creating and configuring all policy templates. Like the Policies interface, a list of all policy templates available is displayed in the Display area when the Templates node is selected. Policy templates must also be stored within a folder. There are SI pre-created policy templates which can be imported.

TAGS

The TAGS node provides an organizational feature for templates. Many preconfigured templates have tags which enable users to quickly find a desired template though various groupings. Tags do not create a duplicate template, but rather display the template in different folders under the TAGS node.

Within these interfaces are several right-click menus and additional features designed to improve the SI user’s experience. Navigation Pane Right-Click Commands

The Policies node, Templates node, folders, policies, and templates have different right- click commands available within the Navigation pane.

From the Agents node, the right-click menu can be used to install SI Agents:

Right-Click Command Description

Install Agent Opens the Deploy Agents window

Doc_ID 371 139

From the node of a saved ‘Filtered Investigate’ view, the right-click menu can be used to delete the saved view:

Right-Click Command Description

Delete Delete the selected, saved ‘Filtered Investigate’ view

From the Policies and Templates nodes, the right-click menu is limited to adding new folders to the selected section:

Right-Click Command Description

New — Folder (Crtl+F) Create a new folder in the selected location

From the Folder node, the right-click menu contains the following commands:

Doc_ID 371 140

Right-Click Command Description

New — Policy (Crtl+P) Create a new policy in the selected location. Only available for folders under the Policies node.

New — Template Create a new template in the selected location. Only available (Crtl+T) for folders under the Templates node.

New — Folder (Crtl+F) Create a new folder in the selected location

Rename Opens a textbox to rename the selected folder

Remove Delete the selected folder

Paste Pastes a copied policy/template into the selected folder

NOTE: If the current SI user does not have Manage Policies permissions for a protected policy, these options are grayed-out. See the Policies Interface section for additional information on protection.

From the Policies and Templates nodes, the right-click menu contains the following commands:

Doc_ID 371 141

Right-Click Command Description

Rename Opens a textbox to rename the selected policy/template

Remove Delete selected policy/template

Enable Enable the selected policy. Only available for policies.

Disable Disable the selected policy. Only available for policies.

Copy Copies the selected policy/template

Cut Copies the selected policy/template. Then it deletes the selected policy/template when the copy is pasted to a new folder.

From the Tags node, the right-click menu contains the following commands:

Doc_ID 371 142

Right-Click Command Description

Refresh Refresh tag folders to display new tags or templates newly associated with an existing tag

From the template within a folder under the Tags node, the right-click menu contains the following commands:

Right-Click Command Description

Copy Copies the selected template

Data Grid Functionality

Result data provided through several interfaces within the SI Admin Console employ a data grid view with features for sorting, filtering, searching, and more.

Doc_ID 371 143

Above the data grid there is the Group by Box [1] ribbon that impacts how much data is displayed. Additionally, the Refresh [2] button populates the data grid with the current information according to the selections. Columns can be reordered as desired as well as removed from the data grid. Removed columns can be added back through the Customization window. See the Data Grid Right-Click Menu section for additional information.

Many data grids also contain an Export [3] button. This provides different export options according to what interface the button is associated with. See the Export Data section for additional information.

The Search [4] icon opens up the Enter text to search… textbox where all matching columns to the search display as highlighted text in the data grid. The Auto Filter Row [5] uses comparison operators to filter the grid against a single attribute. Data Grid Right-Click Menu

There is also a right-click menu within the data grid accessed from the column headers.

Doc_ID 371 144

It contains the following selections:

Right-Click Command Description

Full Expand Expands all sections within the data grid. Only available from a grouped column header.

Full Collapse Collapses all sections within the data grid. Only available from a grouped column header.

Sort Ascending Sorts data by selected column in alphanumeric order (A-Z)

Sort Descending Sorts data by selected column in alphanumeric order (Z-A)

Clear Sorting / Clear All Removes sorting from selected column or removes Sorting sorting from all columns

Sort by Summary (Count by Sort ‘grouped’ data by severity count in ascending [column] – Sort or descending order. Only available from a Ascending/Descending) grouped column header.

Doc_ID 371 145

Right-Click Command Description

Group by This Column / Groups data or clears grouping of data by selected UnGroup/Clear Grouping column

Hide/Show Group by Box Hides or shows the Group By Box where headers can be dragged-and-dropped to group the data

Group Interval If grouped by the Time column, use the menu to group by time intervals (Day, Month, Year, Smart). Only available from a grouped column header.

Hide This Column Hides selected column from the data grid. Hidden columns can be returned to the data grid through the Column Chooser option.

Column Chooser Opens the Customization window (see explanation of window below)

Best Fit Changes column width to fit the data within the selected column

Best Fit (all columns) Changes column width for all columns to fit the data

Filter Editor Opens the Filter Editor window (see the Filter Data section)

Show / Hide Find Panel Shows or hides the Find Panel which is the search feature (see the Searching Data section)

Hide / Show Auto Filter Hides or shows the Auto Filter Row between the Row column headers and the first row of event data

Doc_ID 371 146

Column Chooser Window

Within the right-click menu, select Column Chooser to open the Customization window used to customize the data grid to only display specific columns. This window lists column(s) that were removed from the data grid display. Remove columns by either dragging it off the screen or by dropping it into this window.

A column not currently displayed can be returned to the data grid by double-clicking on it in this window or by dragging-and-dropping it from this window onto the header row.

Sort Data

The data can be grouped by columns using the Group by Box ribbon above the data grid.

Doc_ID 371 147

Drag a column header into the Group by Box area to. Grouping can be for a single header or for tiered headers.

The data can also be sorted alphanumerically ascending or descending by clicking on a column header. An arrow displays in the right corner of the column header indicating the type of sorting.

Filter Data

Doc_ID 371 148

There are a few methods available for filtering data within data grids. There can only be one active filter per column.

l Auto Filter Row [A] – Uses the comparison operator to filter the grid against a single attribute

l Filter Statement Bar [B] – Displays enabled filter statements at the bottom of the Display area

l Filter Editor [C] – Build complex filter statements with multiple operators and column filters

l Pin Icon [D] – Opens a filtration dialogue that provides the user with multiple types of filtration options such as column values, text filters, and date filters associated with the column data

The Auto Filter Row is located between the header row and the first event of the data grid. Typing a single attribute in any of these boxes or selecting an attribute from a dropdown menu filters the data grid for matches within that column and the selected comparison operator.

The Alerts grid does not display the Auto Filter Row by default. It must be selected through the grid’s Show Auto Filter Row option from the right-click menu.

Doc_ID 371 149

When a filter is enabled, the filter statement bar displays at the bottom of the Display area. The X to the far left of the bar clears the filter. The checkbox for the filter on the left affects the scoping of the filter.

On the right side of the filter statement bar is an option to Edit Filter. Clicking this option opens the Filter Editor window, which allows the SI user to build complex filter statements. It can employ multiple comparison operators and/or multiple column filters.

Doc_ID 371 150

A small pin icon displays in the upper-right corner while hovering over a column header or if an Auto Filter Row filter is enabled. Click the pin icon to open additional filtration options in a filter dialogue. Depending on the column selected, one or two of the following filtration options display in the filter dialogue:

Example of a Values Filter Custom Filter

l Values – Displays for every column in the selected data grid. Multiple values can be selected.

l Text/Numeric – This display is linked to the Auto filter Row filter with the addition of three new filtration options including a custom filter option

l Date – Calendars with date timestamps display this filter with an array of scoping options including a custom filter

l Custom Filter – Found within Text filters, this filter creates an AND or OR statement between two filtered comparison values

Searching Data

The Find Panel is the feature that enables the option to search for data. It displays on the right side of the data grid with a magnifying glass icon. It can also be accessed through the Data Grid Right-Click Menu to Show Find Panel.

Doc_ID 371 151

Find Panel Icon Find Panel Search Bar

This feature allows SI users to search the data in the grid for matches to the search text and filters the data grid to only display the matches. The drop-down arrow in the textbox provides a history of recent searches for quick reference.

Type the search criteria and click Find. The data grid filters to events where the search criteria is matched, highlighting the match.

Click Clear to clear both the search criteria and the filtered view. The X at the far left of the panel closes the Find Panel.

Export Data

The data grids provide an option to export data.

Doc_ID 371 152

Data grids on the Agents interface and an Analytic data grid exports all available data from the selected data grid to a CSV file. Clicking the Export button from these interfaces opens a Save As window.

l Clicking the Export button from the Alerts interface opens the Alerts Export window. See the Alerts Interface section for additional information on this window.

l Clicking the Export button from the Investigate interface or the Recent Events tab of a policy opens the Export window.

NOTE: Ensure that all desired filters are set on the data grid before clicking export.

Doc_ID 371 153

The Export window provides options for what is exported and what action(s) to take. In the Export options section, choose between two radio buttons for the Columns and Rows subsections.

For Columns, the exported data can show Visible Columns Only or All Columns. For Rows, the exported data can show All Rows or Filtered Only. See the Customization window information in the Data Grid Right-Click Menu section for details on selecting what columns are visible in a data grid.

In the Export Actions section select how it will be exported. Check the boxes for Save File Locally and/or Email to and populate the corresponding fields. For the Save File Locally action, provide a path and file name for the CSV file or use the Browse button to open a Save As window. For the Email to action, provide an email address for each recipient, which can be individuals, distribution lists, or a combination and separating multiple recipients with either a comma (,) or a semi-colon (;).

NOTE: The Email to action requires the SMTP Host Information to be configured. This can only be done by an SI Administrator through the SI System Alerting window on the SI System Alerting Window.

When the settings are configured as desired, click Export to complete the action(s). Remember, this window is opened on the Investigate interface and/or the Recent Events tab of a policy.

Agents Interface The Agents interface allows SI users to quickly view, deploy, and manage all SI Agents from a centralized location to the targeted domain controllers in a domain. SI Agents must be deployed on all domain controllers that the SI user wants to receive event data for. Once one or more SI Agent(s) are deployed to a domain, it becomes known as a targeted domain.

The Agents data grid includes a list of information on each targeted domain where an SI Agent is deployed to a domain controller.

Doc_ID 371 154

In the upper-right corner of the data grid is the SI Agent tally, indicating the number of Active agents as well as the Total number of deployed agents.

The data grid for the Agents interface includes the following information for each SI Agent:

l Domain – Targeted Active Directory domain

l Machine – Server where the SI Agent is deployed. Hover over data in this column to view the following date/time stamps:

l Last Agent to Manager Communication – Last change event sent from the SI Agent to the Enterprise Manager

l Last Agent Heartbeat – Last time the Enterprise Manager received a heartbeat from the deployed SI Agent

l AD Event Latency – Time difference between when the event occurred and the Enterprise Manager receives it

When the Send Latency Alerts option is enabled in the Event Filtering Configuration Window, a warning symbol displays to indicate excessive latency.

l Operating System – Version of the Windows operating system for the machine where the SI Agent is deployed, including service pack information

Doc_ID 371 155

l Status – Indication of the SI Agent’s current status

l Active (green) – SI Agent is actively monitoring/blocking events and communicating with the Enterprise Manager

l Active (Modules Pending) – SI Agent is active, but the Windows AD Events module has not been loaded due to Safe Mode. See the SI Agent Safe Mode section for additional information.

l Stopped (orange) – SI Agent has been stopped and is not monitoring/blocking events

l Lost Connection (red) – SI Agent is not actively communicating with the Enterprise Manager

l No Agent (gray) – a domain controller has been found within the targeted domain and an SI Agent is not yet deployed

l Address – IP Address location of the SI Agent, hover over data in this column to view the IP Address with port (default port for the SI Agent is 3136)

l Version String – SI Agent build version

l If the SI Agent’s version is older than the current version available to the SI Admin Console, it is highlighted. This indicates an upgrade is recommended.

l Hover over data in this column to view a listing of the agent’s configured settings. This information includes identification of which modules are running and which are pending (for Safe Mode).

l UTC Offset – Local server time zone relationship to the Universal Time (UTC)

l Last Events – Number of events reported by the SI Agent in that last notification to the Enterprise Manager

l Events In Queue – Count of events the SI Agent is waiting to send to the Enterprise Manager

Doc_ID 371 156

l AD Agent – Indicates if the SI Agent is running in Normal Mode or Safe Mode. Unknown for older agents.

l Is Signed – Indicates if the SI Agent is Signed or Unsigned. Unknown for older agents.

l Free Space – Amount of free space on the drive StealthINTERCEPT is installed on. This column reports for v7.0+ Agents and displays as an unknown for all previous Agent versions.

l Agent Last Stopped – Date timestamp for when the SI Agent was last stopped

l Build Time Stamp – Date timestamp for when the SI Agent version was created

l Features – Features available for the SI Agent and its configured modules

l FQDN – Fully-qualified domain name of the machine where the SI Agent is deployed

l Last Heartbeat – Date timestamp for the last time the SI Agent communicated with the Enterprise Manager. This should occur every five minutes.

l Modules – Event sources loaded and running on the SI Agent

l Platform – Operating system platform for the machine where the SI Agent is deployed

The data grid has several options that impact the displayed information. See the Data Grid Functionality section for additional features available within the grid view.

Above the data grid are actions that can be taken from within the Agents interface:

Icon Label Action

Saves the information to an XML file for export Export Agent List…

Refreshes the SI Agent information Refresh Agent List…

Configures the Log Levels for the SI Agent(s). It Update Logging Levels… opens the Log Level Configuration Window.

Accesses SI Agent log files. See the Access SI Get Agent Log… Agent Log Files section for additional information.

Check with Stealthbits for a newer version of the Update Agent Installer SI Agent Installer according to the version in use

Doc_ID 371 157

Icon Label Action

(signed or unsigned). It opens the Agent Installer Update Window.

If enabled, an SI Agent automatically deploys to all domain controllers without an SI Agent. This feature requires at least one SI Agent to be Configure Auto Deploy present in the domain in order to detect additional domain controllers. It opens the Configure Auto Deploy Window.

Deploys SI Agents to selected servers. It opens Install Agent the Deploy Agents Window.

Below are some considerations:

See the LSASS Process Terminated section for additional information.

See the How To Enable Agent Started in AD Monitor Pending Mode Email Alert and the SI Agent Safe Mode sections for additional information.

Doc_ID 371 158

Deploy Agents Window The Deploy Agents window incorporates a mixture of the following sub-windows that are used to complete the Agents Interface Right-Click Menu actions. Depending on the right-click menu action being performed, certain windows are used.

The list and links below outline the window configuration options and their purposes.

l Enter Credentials Window – Certain right-click menu options only use this window when performing actions

l Select Computers Window – Select the Host and/or IP Addresses of the targeted machines

l Set Options Window – Configure the properties of the SI Agent being deployed or modified

l Credential Verification Window – Verifies credentials or initiates a prerequisite check for Agents NOTE: This window changes names depending on the type of action being performed.

l Status Window – Performs the action and displays whether or not the action performed successfully. See the section for additional information. NOTE: This window changes names depending on the type of action being performed.

For steps on how to complete the right-click menu options, see the Agents Interface Right-Click Menu section for additional information.

Computers targeted for SI Agent deployment must minimum .NET Framework version needed by yhe SI Agent already installed or the deployment fails. Remember to check server requirements before deploying an SI Agent, including compatibility with other security products. See the SI Agent Compatibility with Non-Stealthbits Security Products section of the StealthINTERCEPT Installation & Upgrade User Guide for additional information.

The SI Admin Console can be installed with a signed or un-signed installation package. If the SI Admin Console is installed with a:

l Signed installation package, then the agent being deployed also employs a signed installation package.

l Un-signed installation package, then the agent being deployed also employs an un-signed installation package.

The SI Agent installation package can be replaced to use the alternative version. See the Replace SI Agent Installation Package section of the StealthINTERCEPT Installation & Upgrade User Guide for additional information.

Doc_ID 371 159

NOTE: This window does not block access to the SI Admin Console, so while it is open a link is visible on the Agents Interface. Click the link to bring this window to the front.

With the release of StealthINTERCEPT v7.0, the API used for Enterprise Manager communications between the SI Agents has changed from .NET Remoting to gRPC. This new certificate based encryption and authentication API means that after an upgrade from pre-v7.0 to v7.0, all SI Agents must be upgraded to v7.0, then managed by the v7.0 Console.

NOTE: Although the v7.0 Console displays the pre-v7.0 Agents on its interface, it cannot manage them. Instead, the new console can only uninstall or upgrade them.

See the Upgrade Procedure section of the StealthINTERCEPT Installation & Upgrade User Guide for additional information.

Configurable features in the Deploy Agents window are outlined in the sections below. For steps on how to execute the right-click menu options, see the Agents Interface Right-Click Menu section for additional information.

Enter Credentials Window The Enter Credentials window opens for several of the Agent interface right-click menu items. In order to perform centralized SI Agent maintenance from the SI Console server, WMI must be enabled on the machine where the SI Agent is installed.

The Credentials used to execute these commands must have enough rights to query information about shares on the target machine. The Enter Credentials window has the following options:

l Login

l Password

l User Password Safe – If the Password Safe Configuration Window is configured, check the box and select the desired profile from the drop-down menu.

See the Agents Interface Right-Click Menu section for additional information on these requirements.

Doc_ID 371 160

NOTE: Closing the SI Admin Console while this action is in process causes problems with data collection.

Select Computers Window The Deploy Agents window's Select Computer window provides three methods for selecting computers where SI Agent(s) can be deployed:

l Add Single Host

l Add from AD

l Add from File

Any combination of these three methods can be used to select computers.

l Add Single Host – Manually enter and select the Host name or IP Address. Use the double- arrow button to add it to the deployment list.

Doc_ID 371 161

l Add from AD – Browse the domain's computer objects (Domains and Computers).

l Domain to Browse – Displays the domain in which the Enterprise Manager resides. If unpopulated, type the desired domain in the textbox.

l List of Hosts/IP Addresses – Populates with computers found in Active Directory

l Add to Deployment List (>>) button – Adds the desired computer(s) to the deployment list

NOTE: Multiple computers can be selected and moved to the deployment list. Checking a top- level node automatically selects all child objects.

Doc_ID 371 162

l Add from File – Imports a CSV with comma-separated values or text file with the list of computers

l Text File to Read – Displays the path to the file. The text file should be a list of computer names or IP Addresses with carriage returns.

l Open – Displays a file explorer used to navigate to the desired file

l List of Hosts/IP Addresses – Populates with computers from the read text/CSV file

The computers added to the Deploy Agents to These Computers box are now pending SI Agent deployment. Once the wizard completes, the credentials used will either allow or deny an SI Agent to be deployed on the machine(s). Once the list in the Deploy Agents to These Computers box is complete, you can continue through the wizard to deploy SI Agents.

Doc_ID 371 163

NOTE: The Deploy Agents window does not block access to the SI Admin Console and can be minimized while actions are in progress. If this window is hidden by clicking outside of the dialogue box, a flashing blue link displays on the upper right-hand corner of the interface with the action name displaying. Clicking this link brings back the focus of the Deploy Agents window.

CAUTION: Closing the SI Admin Console while this action is in process causes problems with data collection.

If the server where the SI Agent is deployed has multiple network adapters (multi-homed), then it is necessary to bind the SI Agent to an adapter that can communicate with the Enterprise Manager. See the Troubleshooting within the SI Admin Console section for additional information.

Set Options Window The Set Options Window is used during SI Agent deployment and during update procedures to configure SI Agent properties and functionality once deployed or re-deployed.

The SI Agent is configured to “Enable DNS Host Name Resolutions” by default during deployment. Depending on the event type, the SI Agent may see some but not all of the following information:

l NetBIOS name

l Fully Qualified Domain Name

l IP Address

The Additional Options have the following options and functionality.

When the Enable DNS Host Name Resolutions option is enabled, the SI Agent looks up the missing data. This provides more uniform data, but may have a performance impact on the machine where the SI Agent is deployed, especially if name resolution is not handled locally by that machine.

The Set Options window provides the opportunity to modify SI Agent settings after deployment. Use this option to modify credentials, Enterprise Manager information, modules, DNS host name resolution, and/or safe mode for the selected SI Agent(s).

The Keep Existing Settings box is checked by default. When unchecked, the Set Options window does not show current configurations, as multiple SI Agents could have been selected to be updated; rather the items checked or cleared represent the state to which the selected agents are set. The current state and configured options can be viewed within the hover over tool tip on the Version String column of the Agents interface data grid. The AD Agent column in the Agents interface data grid indicates the agent’s mode.

Doc_ID 371 164

If this window is opened through the Agents Interface Right-Click Menu, the list is auto-populated with the computer(s) selected on the Agents interface.

The Set Options page provides the following options:

l Use These Credentials – Credentials to be used for deployment on the selected computers.

l Username – Must be in the DOMAIN\Username format

l Password – Username password

l Use Password Safe – Choose and use the Password Safe account credentials. See the Password Safe Configuration Window section for additional information.

l Enterprise Manager – IP Address/Name and Port where the Enterprise Manager is located

l Modules to Install – Identifies additional modules for the identified computers that will be installed:

l Windows AD Events – Installs the StealthINTERCEPT for Active Directory Solution & StealthINTERCEPT for LDAP Solution

l Windows File System – Installs the StealthINTERCEPT for File System Solution

Doc_ID 371 165

l Exchange Server Monitoring – Installs the StealthINTERCEPT for Exchange Solution

l Windows Event Logs – Deprecated functionality for v7.0+ SI Agents

l Agent Upgrade

l Upgrade Installed Agent – If the identified computers already have an SI Agent deployed, this option upgrades Agents for an older version

l Preserve Agent Settings – Upgrades the Agent version without changing settings

l Agent Service

l Safe Mode – SI Agent checks LSASS versions upon start up. Any changes in LSASS since the previous start prevents the monitoring modules from loading. See the SI Agent Safe Mode section for additional information.

l Use local Pwned hash DB – A local copy of the Pwned hash database is sent to the Agent after installation from the Enterprise Manager. Any updates to the database are sent from the Enterprise Manager to the Agent(s) as long as the Agent service is enabled.

l Start Agent Service – Starts the StealthINTERCEPT Agent service on host after installation NOTE: If the Agent Service is not started at the time of deployment, the SI Agent requires a manual start or will be started automatically after a server reboot. Until the SI Agent is started, no activity is monitored or blocked.

l Firewall Rules

l Create Windows Firewall Rules – Creates firewall rules on the identified computers for Agent communication

l Installation Location

l Install to default location – Install the SI Agent on the machine to the default location or a specified location.

If checked, the SI Agent is installed in the default location: ...\Stealthbits\StealthINTERCEPT\SIWindowsAgent.

If unchecked, specify the desired installation location, e.g. d:\myagent.

Doc_ID 371 166

The selected installation location is applied to all computers where SI Agents are being deployed in this session (as specified on the Select Computers page of the Deploy Agents window). Once these settings are configured as desired, the SI Agent is ready for deployment on the selected machines.

Remember, the selected machines are configured through the Select Computers Window.

Credential Verification Window On the Credential Verification window, StealthINTERCEPT checks to ensure the credentials provided successfully allow deployment after right-click menu actions are performed. This window changes names depending on the action being performed.

After the action is run, the status registers as either Success or Fail. Select a host to view the full Message in the box at the bottom of the window. In addition to confirming access, StealthINTERCEPT also verifies the target machine has the minimum .NET Framework version needed by yhe SI Agent already installed or the deployment fails.

Status Window

Doc_ID 371 167

The Status Window performs the desired action and displays a successful or failed status. This window changes names depending on the type of action being performed.

It displays the working and completed status of the action. Depending on whether the Host is deployed successfully, the Message column displays a failed message with additional text or a successful message if the Agent is deployed correctly.

Agents Interface Right-Click Menu There is also a right-click menu for each row within the data grid. Any options unavailable for the selected SI Agent are grayed-out.

Doc_ID 371 168

The Agents Interface Right-Click menu contains the following selections. The links provided below bring the user to the step by step instructions for that menu option action. See the Deploy Agents Window section for information on the individual window options.

Right-Click Command Description

Install Agent See the Install SI Agents section for additional information on deploying an SI Agent.

Uninstall Agent See the Uninstall SI Agent section for additional information on uninstalling an SI Agent.

Upgrade Agent See the Upgrade Agent section for additional information on upgrading an existing deployed SI Agent.

Update Agent Settings See the Agent Installer Update Window and the Update Agent Settings sections for additional information on updating a deployed SI Agent's settings.

Start Agent See the Start Agent section for additional information on starting a previously stopped SI Agent.

Stop Agent See the Stop Agent sections for additional information on

Doc_ID 371 169

Right-Click Command Description

stopping an Active SI Agent.

Start Pending Modules See the SI Agent Safe Mode and the Start Pending Modules sections for additional information.

Harden Agent See the Harden Agent section for additional information.

Soften Agent See the Soften Agent section for additional information to soften a previously hardened SI Agent.

Remove Server from List See the Remove Server from List section for additional information on removing an SI Agent from the Agents Interface list.

Clear SQLite Agent Queue CAUTION: These events are permanently deleted and are not processed by the Enterprise Manager upon reconnection. This option is for diagnostic and troubleshooting purposes only.

See the Clear SQLite Agent Queue section for additional information on clearing the SQLite SI Agent Queue.

The Credentials used to execute these commands must have enough rights to query information about shares on the target machine. A local administrator account on the targeted machine should have access to the system shares.

See the Open Firewall Port Information section of the StealthINTERCEPT Installation & Upgrade User Guide for the default ports required for WMI communication.

SI Agent Right-Click Menu Configurations

Doc_ID 371 170

For certain actions, multiple SI Agents listed in the data grid can be selected for one action. The appropriate right-click menu options won't be grayed out if multi-selection is available for the desired action. SI Agents must be in the same state in order to complete a multi-select action. (i.e. all selected Agents must be stopped to use the Start action).

On the Agents Interface, the following actions are available via these right-click menu options:

l Install SI Agents – Deploys SI Agent(s) to the desired machines

l Uninstall SI Agent – Removes a previously deployed SI Agent

l Upgrade Agent – Upgrades the selected SI Agent to a newer version

l Update Agent Settings – Updates SI Agent settings, such as the modules or Enterprise Manager address. On the Set Options page, the option to disable DNS Host Name Resolution is no longer grayed out and can be checked if desired.

l Start Agent– Starts SI Agent on selected machine(s)

l Stop Agent – Stops SI Agent on selected machine(s)

l Start Pending Modules – Starts SI Agent monitoring modules which were not started with the agent due to a change in LSASS (only available on SI Agents configured to use Safe Mode)

l Harden Agent – Protects the SI Agent from being altered, stopped, or started from within the local Service Control Manager

l Soften Agent – Unlocks the SI Agent so it can be controlled from within the local Service Control Manager

l Remove Server from List – Removes a server from the Agent data grid. If the server has a deployed SI Agent, it will be added back to the list the next time the agent sends information to the Enterprise Manager. CAUTION: These events are permanently deleted and are not processed by the Enterprise Manager upon reconnection. This option is for diagnostic and troubleshooting purposes only.

l Clear SQLite Agent Queue – When the SI Agents are unable to communicate with the Enterprise Manager, SI Agent events queue up in the Agents local SQLite database until the Enterprise Manager is available to accept events. This option dumps the queue and all pending events are lost.

Install SI Agents Follow the steps to deploy an SI Agent to a new or existing machine.

Doc_ID 371 171

Step 1 – On the Agents Interface, select the Install Agent (+) button on the right-hand corner of the interface. For a previously uninstalled Agent that needs to be re-installed, select the Install Agent right-click menu option on that machine in the grid. The Select Computers window opens.

Step 2 – On the Select Computers window, add the hosts to the Deploy Agents to These Computers box using one of the three tab methods. See the Select Computers Window section for additional information. Click Next.

If this window is opened through the Agents Interface Right-Click Menu right-click menu action, the list is auto-populated with the computer(s) selected on the Agents interface.

Step 3 – On Set Options page, enter the Username and Password of the credentials required to deploy the SI Agent on the selected machine(s) or select a Password Safe. Review the Enterprise Manager IP Address/Name and Port for accuracy and select the desired modules to install on this Agent.

See the Set Options Window section for additional information.

Step 4 – Once configurations are set, click Next.

Step 5 – On the Access Verification page, the credentials provided on the Set Options window either succeed or fail during a prerequisites or verification check.

l Failed – Read the failure messages and either click Back to provide new credentials or click Finish to close the window and ensure any error messages are taken care of prior to next attempt

l Completed – Click Next to begin installing the SI Agent

l If some but not all items Fail, it is possible to click Next to continue the action on those where access verification was Successful.

NOTE: Closing the SI Admin Console while this action is in process causes problems with data collection.

Step 6 – The Status page tracks the deployment process. To stop the deployment process on any machines that have not yet started deployment, click Cancel. The Close button changes to a Finish button once all SI Agents are deployed.

Step 7 – When the task is successfully completed, click Finish to close the window.

The SI Agents' status displays as Active when the deployment installation is completed.

Doc_ID 371 172

Uninstall SI Agent Follow the steps to uninstall a deployed SI Agent through the Agents Interface:

Step 1 – On the Agents Interface, right-click the desired SI Agent to uninstall.

Step 2 – From the right-click menu, select Uninstall Agent. The Enter Credentials window opens.

Step 3 – On the Enter Credentials window, enter the login and password credentials. If the Password Safe Configuration Window is configured, check the box and select the desired profile from the drop-down menu. Click OK.

Step 4 – On the Access Verification page, the credentials provided on the Set Options window either succeed or fail during a prerequisites or verification check.

l Failed – Read the failure messages and either click Back to provide new credentials or click Finish to close the window and ensure any error messages are taken care of prior to next attempt

l Completed – Click Next to begin uninstalling the SI Agent

l If some but not all items Fail, it is possible to click Next to continue the action on those where access verification was Successful.

NOTE: Closing the SI Admin Console while this action is in process causes problems with data collection.

Step 5 – The Status page (Uninstall Agent) displays whether or not the right-click menu action was successful or failed.

Step 6 – When the task is successfully completed, click Finish to close the window.

The SI Agents' status displays as uninstalled. At any point, the Install Agent menu option can be used to restart the SI Agent on that machine.

Upgrade Agent Follow the steps to upgrade a deployed SI Agent through the Agents Interface:

Step 1 – On the Agent's Interface, select the desired SI Agent and on the top toolbar, select Update Agent Installer. The Agent Installer Update window opens. See the Agent Installer Update Window for additional information.

Doc_ID 371 173

Step 2 – On the Agent Installer Update window, select Check for Newer Version of the SI Agent Installer button. The green bar indicates the progress of checking the SI Agent for a newer version. The Agent Installer displays the Agent Installer update version required. Click Apply Update.

Remember, when an SI Agent is out-of-date, the Version String column number has an orange background.

Step 3 – Right-click the desired out-of-date SI Agent to upgrade.

Step 4 – From the right-click menu, select Upgrade Agent. The Enter Credentials window opens.

Step 5 – On the Enter Credentials window, enter the login and password credentials. If the Password Safe Configuration Window is configured, check the box and select the desired profile from the drop-down menu. Click OK.

Step 6 – On the Access Verification page, the credentials provided on the Set Options window either succeed or fail during a prerequisites or verification check.

l Change Settings – Upgrade an SI Agent with the existing settings. Use this button to alter settings in addition to upgrading the SI Agent. Opens the Set Options Window when selected.

l Failed – Read the failure messages and either click Back to provide new credentials or click Finish to close the window and ensure any error messages are taken care of prior to next attempt

l Completed – Click Next to begin upgrading the SI Agent

l If some but not all items Fail, it is possible to click Next to continue the action on those where access verification was Successful.

NOTE: Closing the SI Admin Console while this action is in process causes problems with data collection.

Step 7 – On the Status page, the old SI Agent will be uninstalled and the newer version of the SI Agent installed. One of two status messages display:

l Failed – Read the failure messages and either click Back to provide new credentials or click Finish to close the window and ensure any error messages are taken care of prior to next attempt

l Completed – Click Next to begin updating the SI Agent on the Updating settings window

Doc_ID 371 174

Step 8 – When the task is successfully completed, click Finish to close the window.

The Agents' status displays as Upgraded.

Update Agent Settings Follow the steps to Update Agent Settings to a deployed SI Agent through the Agents Interface:

Step 1 – From the right-click menu, select Update Agent Settings. The Select Computers window opens.

Step 2 – On the Select Computers window, the SI Agent is automatically added to the Update Agent settings on These Computers box. Click Next. The Set Options window opens.

Step 3 – On the Set Options window, ensure the proper credentials, modules, and Enterprise Manager location are accurate alongside additional options. To make changes to the window settings, uncheck the Keep Existing Settings box. Make necessary updates as needed.

See the Set Options Window section for additional information.

Step 4 – On the Access Verification page, the credentials provided on the Set Options window either succeed or fail during a prerequisites or verification check. Click Next.

Step 5 – On the Status page, the Agent will be stopped and restarted. One of two status messages display:

l Failed – Read the failure messages and either click Back to provide new credentials or click Finish to close the window and ensure any error messages are taken care of prior to next attempt

l Completed – Click Next to begin updating the SI Agent on the Updating settings window

Step 6 – When the task is successfully completed, click Finish to close the window.

The SI Agents' status displays as Update Settings either completed or failed.

Start Agent Follow the steps to Start a stopped SI Agent, that had been previously deployed, through the Agents Interface:

Step 1 – On the Agent's Interface, right-click the desired SI Agent to start.

Doc_ID 371 175

Step 2 – From the right-click menu, select Start Agent. The Enter Credentials window opens.

Step 4 – On the Status page, the Agent will be started from its previous state of being stopped. One of two status messages display:

l Failed – Read the failure messages and either click Back to provide new credentials or click Finish to close the window and ensure any error messages are taken care of prior to next attempt

l Completed – Click Next to begin restarting the SI Agent

The SI Agents' status displays as Start Completed.

Stop Agent Follow the steps to Stop a deployed SI Agent through the Agents Interface:

Step 1 – On the Agent's Interface, right-click the desired SI Agent to stop.

Step 2 – From the right-click menu, select Stop Agent. The Enter Credentials window opens.

Step 4 – On the Status page, the Agent will be stopped and restarted. One of two status messages display:

l Failed – Read the failure messages and either click Back to provide new credentials or click Finish to close the window and ensure any error messages are taken care of prior to next attempt

l Completed – Click Next to begin stopping the SI Agent

Doc_ID 371 176

The SI Agent's status displays as Stop Completed.

Start Pending Modules If an SI Agent was deployed using the Safe Mode option, then it could enter a Start Pending Modules state. This requires the SI Administrator to approve starting of the Active Directory module due to a change in the DLL versions.

RECOMMENDED: If multiple DCs are in the Start Pending Modules state, this means one of the monitored system DLLs was changed from when the SI Agent was last run. This could impact the operation of the SI Agent. It is recommended to enable the pending modules on one DC initially and verify StealthINTERCEPT is collecting events as expected from this specific DC and that the DC appears to be stable before starting the pending modules on additional DCs.

Follow the steps to Start Pending Modules.

Step 1 – On the Agent's Interface, right-click the desired SI Agent to Start Pending Modules for. The SI Agent will have Active (Modules Pending) as a Status when there are pending modules.

Step 2 – From the right-click menu, select Start Pending Modules.

Step 3 – The Starting window displays.

Step 4 – Once the pending modules are installed, the status displays as Active.

The pending modules are now started.

Harden Agent Follow the steps to Harden a deployed SI Agent through the Agents Interface:

Step 1 – On the Agent's Interface, right-click the desired SI Agent to harden.

Step 2 – From the right-click menu, select Harden Agent. The Enter Credentials window opens.

Step 4 – On the Access Verification page, the credentials provided on the Enter Credentials window either succeed or fail during a prerequisites or verification check.

Doc_ID 371 177

l Failed – Read the failure messages and select Cancel to close the window and ensure any error messages are taken care of prior to the next attempt.

l Completed – Click Next to begin hardening the SI Agent

l If some but not all items Fail, it is possible to click Next to continue the action on those where access verification was Successful.

NOTE: Closing the SI Admin Console while this action is in process causes problems with data collection.

Step 5 – On the Status page, one of two status messages display:

l Failed – Read the failure messages and select Cancel.

l Completed

Step 6 – When the task is successfully completed, click Finish to close the window.

The SI Agent's status displays as Harden Completed.

Soften Agent Follow the steps to Soften a deployed SI Agent that has been previously hardened through the Agents Interface:

Step 1 – On the Agent's Interface, right-click the desired SI Agent to soften a previously hardened the SI Agent.

Step 2 – From the right-click menu, select Soften Agent. The Enter Credentials window opens.

Step 4 – On the Access Verification page, the credentials provided on the Enter Credentials window either succeed or fail during a prerequisites or verification check.

l Failed – Read the failure messages and select Cancel to close the window and ensure any error messages are taken care of prior to the next attempt.

l Completed – Click Next to begin softening the SI Agent

Doc_ID 371 178

l If some but not all items Fail, it is possible to click Next to continue the action on those where access verification was Successful.

NOTE: Closing the SI Admin Console while this action is in process causes problems with data collection.

Step 5 – On the Status page, one of two status messages display:

l Failed – Read the failure messages and either click Back to provide new credentials or click Finish to close the window and ensure any error messages are taken care of prior to next attempt

l Completed

Step 6 – When the task is successfully completed, click Finish to close the window.

The SI Agent's status displays as Soften Completed.

Remove Server from List Follow the steps to Remove Server from List through the Agents Interface:

Step 1 – On the Agent's Interface, right-click the desired SI Agent to remove from the server list.

Step 2 – From the right-click menu, select Remove Server from List.

The SI Agent is automatically removed from the list.

Clear SQLite Agent Queue Follow the steps to Clear SQLite Agent Queue for a deployed SI Agent through the Agents Interface:

CAUTION: These events are permanently deleted and are not processed by the Enterprise Manager upon reconnection. This option is for diagnostic and troubleshooting purposes only.

Step 1 – On the Agent's Interface, right-click the desired SI Agent to clear the SQLite agent queue from.

Step 2 – From the right-click menu, select Clear SQLite Agent Queue. The Enter Credentials window opens.

Doc_ID 371 179

Step 4 – On the Access Verification page, the credentials provided on the Set Options window either succeed or fail during a prerequisites or verification check.

l Failed – Read the failure messages and either click Back to provide new credentials or click Finish to close the window and ensure any error messages are taken care of prior to next attempt

l Completed – Click Next to begin clearing the SQLite Agent Queue

l If some but not all items Fail, it is possible to click Next to continue the action on those where access verification was Successful.

NOTE: Closing the SI Admin Console while this action is in process causes problems with data collection.

Step 5 – On the Status page, one of two status messages display:

l Failed – Read the failure messages and either click Back to provide new credentials or click Finish to close the window and ensure any error messages are taken care of prior to next attempt

l Completed

Step 6 – When the task is successfully completed, click Finish to close the window.

The SQLite Agent Queue is automatically cleared.

Log Level Configuration Window The Log Level Configuration window displays the current log levels and allows the SI user to set new SI Agent, Enterprise Manager, and Administration Console log levels. Select Update Logging Levels… on the Agents top menu bar to access this window.

Doc_ID 371 180

Configure the following options on the page to update the logging level:

l Active Agent List – Below is the data grid displaying active SI Agents data in these columns:

l Platform

l Domain

l Machine Name

l Agent Address

l Version

l New Agent Log Level – Choose between the file log levels:

l Debug – Records everything that happens, most verbose level of logging

l Info – Records information on the steps that occur, in addition to warnings and errors

Doc_ID 371 181

l Warn – Records all warnings that occur, in addition to errors

l Error – Records all errors that occur

l Fatal – Records only when catastrophic system failures/crashes occur No matter what log level is selected, the logs have a maximum cap size of 55 MB. When a log file reaches 50 MB, it is closed and a new file is started. No more than ten closed files (50 MB) are kept. When the eleventh file reaches 50 MB, the oldest closed file is overwritten.

l Enterprise Manager Log Level and Administration Console Log Level sections have the following information:

l Current Level

l New Level – Use the dropdown menu to select the new log level

l Build

l Time Stamp

Whenever changes are made in this window, click Update Log Levels to save the configuration settings and enable the new log levels at the specific locations.

Access SI Agent Log Files Follow the steps to access the SI Agent Log files.

Step 1 – From within the Agents interface, select the desired agent and click Get Agent Log… .

Doc_ID 371 182

Step 2 – The Save As window opens with the selected SI Agent’s log already selected from its original location. Select the new location and click Save.

A copy of the log file can now be viewed without navigating to its location on the server where the SI Agent is deployed.

Access the Enterprise Manager & Administration Console Log Files The Enterprise Manager and Administration Console log files are stored on the SI Enterprise Console server (where the SI infrastructure was installed). These files are stored in the following locations:

Enterprise Manager Log Files

Doc_ID 371 183

The default location is: …\Stealthbits\StealthINTERCEPT\SIEnterpriseManager\logs

Administration Console Log Files

The default location is: …\Stealthbits\StealthINTERCEPT\SIWinConsole\logs

Doc_ID 371 184

SI Agent Safe Mode In order for the SI Agent to collect real-time activity data, it hooks into (intercepts) specific Microsoft API’s in the LSASS process. Below are some considerations:

See the LSASS Process Terminated section for additional information.

See the How To Enable Agent Started in AD Monitor Pending Mode Email Alert and the SI Agent Safe Mode sections for additional information.

NOTE: Most Microsoft Security Bulletins that alter LSASS will not interfere with SI Agent instrumentation.

Active Directory monitoring/blocking will not resume until the pending modules are started. To determine if the LSASS changes will conflict with the SI Agent instrumentation, start the pending modules on one domain controller using the right-click menu Start Pending Modules option. If there are no issues after five minutes, it is unlikely that the changes are conflicting with the SI Agent instrumentation. If there are any concerns about the changes, reach out to Stealthbits Support for more information. Stealthbits tests Microsoft Security Bulletins affecting LSASS prior to their becoming public and sends notifications to SI users when an issue is identified.

When the pending modules are started, the recorded versions of all DLLS the agent hooks into in LSASS are overwritten with the current versions.

Doc_ID 371 185

CAUTION: While enabling Safe Mode on an SI agent will ensure the LSASS process will not be terminated by StealthINTERCEPT, it will prevent the Active Directory monitoring/blocking module from loading EVERY TIME key LSASS DLLs are changed until the SI Administrator starts the pending modules.

How To Enable Agent Started in AD Monitor Pending Mode Email Alert Follow the steps to enable email notifications of the Agent Started in AD Monitor pending mode SI Operations Alert.

NOTE: These steps require the StealthINTERCEPT Administrator user role. They also assume that the SI System Alerting Window has been configured and Email alerts have been enabled.

Step 1 – Navigate to the Menu's Configuration > Alerts. The SI System Alerting window opens.

Step 2 – On the SI System Alerting window's Email tab, select Configure.

Step 3 – Create a Message Profile for the safe mode notification with the recipient(s) to be notified when the AD modules are pending. See the SI System Alerting Window section for additional information.

Doc_ID 371 186

Step 4 – Select Events, and then Operations on the left. Check the Agent Started in AD Monitor pending mode event alert and assign (select from drop-down menu) the Message Profile created in Step 2. See the SI System Alerting Window section for additional information.

Step 5 – Ensure that the Email alerts are Enabled and click OK.

When the Agent Started in AD Monitor pending mode event alert is triggered, an email notification is sent to the assigned (Step 2) recipient(s).

Agent Installer Update Window Stealthbits periodically releases updated SI Agent installation packages, both signed and unsigned. Typically these updates are associated with Microsoft KB’s (hot-fixes) which alter the LSASS components interfering with the SI Agent instrumentation. See the StealthINTERCEPT Agent Information section of the StealthINTERCEPT Installation & Upgrade User Guide for additional information.

This feature requires an internet connection from the SI Admin Console server. It may be necessary to allow the following URL in the browser security settings:

l For SI 7.3 (standard SI Agent Installer) – https://downloads.Stealthbits.com/access/files/StealthINTERCEPT/7.2.0/Agents/SI Agent.exe

l For SI 7.3 (signed SI Agent Installer) – https://downloads.Stealthbits.com/access/files/StealthINTERCEPT/7.2.0/Agents/SI Agent (signed).exe

The Update Agent Installer option in the Agents interface opens the Agent Installer Update window.

Doc_ID 371 187

Choose between checking for the latest version of the type of SI Agent installer currently in use and checking for the other type of SI Agent, signed or unsigned. Check the Switch to Signed Installer box or the Switch to Unsigned Installer to switch the type of agent installer used by the SI Admin Console.

Click Check for Newer Version of the SI Agent Installer. StealthINTERCEPT downloads the SI Agent from a static URL where Stealthbits stores the latest SI Agent installation package. After download, the SI Agent installer currently in use is compared to the installer downloaded.

l If the versions are the same, the message specifies Agent Installer is up-to-date… and displays the SI Agent version number. Click Close and the Agent Installer Update window closes.

l If the downloaded version is newer, the message displays both version numbers and provides an option to apply the update. Click Apply Update and the Agent Installer Update window closes.

NOTE: The installer used by SI is replaced with a newer version, and all agents’ versions in the Agents interface are highlighted to indicate they are not the current version. Agents should then be updated to the new version, using the right-click menu Upgrade Agent option.

Configure Auto Deploy Window

Doc_ID 371 188

The Configure Auto Deploy window opens from the Configure Auto Deploy button in the Agents interface. It enables users to automatically deploy SI Agents to discovered domain controllers in a domain where at least one SI Agent has already been deployed.

The Enable Auto Deploy checkbox enables the following sections:

l Agent Install Package Source – Select the radio button to indicate where the SI Agent installation package to be used is located:

l Default – Uses the SI Agent installation package included with the SI Admin Console

l Textbox – Enter the path to the desired SI Agent installation package or use the ellipsis (…) to browse for the path

l Credentials – Provide the credentials to be used for deployment on all discovered domain controllers

l Login – Must be in Domain\User format

l Password

Doc_ID 371 189

l Agent Deploy Destination Options – Configure the following settings:

l Installation Location – Select the radio button to indicate the installation directory on the target domain controllers

l Default – Uses the default installation directory

l Textbox – Enter the desired installation location, e.g. d:\myagent

l Safe Mode – If selected, the SI Agent checks LSASS versions upon start up. Any changes in LSASS since the previous start prevents the monitoring modules from loading. See the SI Agent Safe Mode section for additional information.

l EM IP Address/Name – Ensure the Enterprise Manager is properly identified with the IP Address

l Port – Ensure the Enterprise Manager is properly identified with the port

Click Apply to enable the auto deploy feature. When domain controllers are discovered which do not already have an SI Agent installed, this feature automatically deploys SI Agents with all applicable modules (Windows AD Events module, Windows File System module, and/or Exchange Server Monitoring module) to the domain controllers.

Alerts Interface The Alerts interface allows SI users to quickly view in a centralized location recent SI Security events, SI Operations events, and SI Configuration events, all of which are known as alerts.

Doc_ID 371 190

The Alerts interface has the following options on the top toolbar:

l Recent [number] Alerts radio button – Populates the data grid with the most recent alerts. Use the textbox to change the default number of 1000.

l Alerts for Last [number] Hours radio button – Populates the data grid with hourly alert data. Use the textbox to change the default number of three hours.

l Refresh button – Repopulates the data grid with the current information for the selected radio button option

l Alerts Cleanup icon – Delete, save, and schedule cleanups for alert and analytics data

l Alerts Export Data icon – Export Alerts data from this grid to a local CSV file

Below is an example of how to use the Alerts for Last [number] Hours option:

The number of hours set is based on UTC and is adjusted for the time zones of the SI Admin Console server and the SI Agents monitoring events. For example, the SI Admin Console server is in New York, USA (UTC -5), the option is set to display Events for Last 4 Hours, and the SI Agent monitoring events is in London, UK (UTC +0).

Doc_ID 371 191

If the Refresh button is pressed at noon New York time, then the events displayed would have been monitored between 8 A.M. and 12 P.M. New York time, or between 1 P.M. and 5 P.M. London time.

On the header of this interface, there is the Clear and Export Data options on the right hand side.

The Export Data button provides options for exporting the alert data to a CSV file in the Alerts Export window. When selected, the Alerts Export window opens.

RECOMMENDED: Export alert data before using the Clear option.

Export options include:

l All – Exports all alert data

l Currently Displayed – Exports alert data according to the filters set in the data grid

l Data Range – Exports alert data within the specified From and To dates

Click OK and the Save As window opens. Specify the file name and location, then click Save.

Doc_ID 371 192

Next to the Export Data option is the Clear button. When selected, the Alerts Cleanup window opens with these options:

l Delete – Removes alert data from the database. Choose between deleting All alert data or only the alert data Older than a specific number of days.

l Log Level – Deletes Log Levels that are checked. The log levels are equivalent to the alert severity levels in the data grid.

l Save deleted to File – Save alert data to a CSV file before it is deleted from the database. The file is saved as “Alerts_Backup_[date]_[timestamp]” by default. When Start is selected, a Save As window displays. Specify the file name and location, then click Save.

l Start – Runs the Alerts Cleanup with the applied settings

l Analytics Alerts – Choose to display StealthINTERCEPT analytics alerts in the database and/or show them in the Alerts interface data grid

l Cleanup Scheduling – Deletes alerts after a specific number of days if the severity level is selected from the list. Set the start time for when the cleanup begins.

The database clears alert data according to these configurations. It generates a new alert. This new alert specifies that the alert data is cleared, identifies the SI user who cleared the alerts, a date time stamp, and what options were configured for the Clear operation.

The data grid for the Alerts interface includes the following information for each event:

l Time (UTC) – Timestamp for when the SI system event occurred, the specified time is UTC time. Hover over data in this column to view Local time (of the Enterprise Manager) and UTC time simultaneously.

Doc_ID 371 193

l Severity – Classification of the significance of the event:

l Critical – Might include data loss or other unexpected conditions events

l Warning – Indicates change events which affect the global operations of StealthINTERCEPT

l Info – Covers all other SI system events that have occurred

l Component – Indication of the type of SI system event

l SI Security events

l SI Operations events

l SI Configuration events

l Machine – Server where the event originated

l Alert – Event name

l User – Security principal that caused the event

l Message – Description and details about the event

All information for the selected event in the data grid is displayed at the bottom of the Alters interface.

In addition to the data grid information, there is also a list of Notifications which have been sent for the selected event.See the Navigation Pane Right-Click Commands section for additional features available within the grid view.

Below are some considerations:

See the LSASS Process Terminated section for additional information.

Doc_ID 371 194

See the How To Enable Agent Started in AD Monitor Pending Mode Email Alert and the SI Agent Safe Mode sections for additional information.

Policy Comparison Window When a Policy is edited by an SI User, the change creates an alert in the Alerts interface. This feature compares the new xml against the old xml for the selected event. The Policy Comparison feature requires a third party comparison tool provided by the user in order to function.

The Policy Comparison window is accessible through selecting on the Policy updated on server Changeset #[number] hyperlink in the Message column. The Policy Comparison window displays.

The Policy Comparison window has the following features:

Doc_ID 371 195

l Copy to Clipboard

l Save

l Run Difference Tool – Runs the compare using the third party comparison tool

l Configure (gear icon) – Opens the File Comparison Tool window where the path to the comparison tool is entered. By default, Fc.exe is used but its recommended to replace this with a path to a Windows based comparison tool such as Beyond Compare for best results.

Follow the steps to run a comparison:

Step 1 – Navigate to the StealthINTERCEPT Alerts Interface.

Step 2 – Find a Policy that has been updated and select the Policy updated on server. Changeset # hyperlink. The Policy Comparison window opens.

l In this interface, the old xml displays on the left and the modified xml on the right.

Step 3 – (Optional) Select Configure. The File Comparison Tool window displays. In the Specify Compare textbox, provide the path to the file comparison tool location in quotations. Next, add %1 %2 after the quoted location path. Select OK to close the window.

Step 4 – On the Policy Comparison page, select Run Difference Tool to run the specified compare command.

A window displays with the results of the Policy compare displays.

Analytics Interface The Analytics interface is comprised of a few levels. Select the Analytics node.

Doc_ID 371 196

At the top of the interface is a graphical display of incidents monitored by SI. The color key on the left side allows SI users to toggle off and on results for desired analytics. In the upper-right corner, set the number of days’ worth of incidents the graphs display. Use the Refresh button in the graphics area to repopulate the graphs.

There are two graphs:

l Pie graph – Graphical representation of the percentage of incidents are for which analytic type

l Line graph – Graphical representation of a timeline of incidents for each analytic

In the middle of the interface is a list of the analytic types, number of attacks identified in the last 24 hours per type, the ability to enable or disable monitoring, access to the analytic configuration, and a tool tip with a brief summary of the analytic.

RECOMMENDED: For most analytics, configure at least one filter before enabling an analytic type.

The Refresh button on the Analytics ribbon repopulates both the graphical display and the analytic list.

The Permissions section at the bottom of the interface allows SI users to protect Analytic policies at the Analytics node. Once an SI user is assigned permission, all analytic policies, configurations, and data are protected from any SI user not included in the Permissions list. See the Policies Interface section for instructions on how to protect analytic policies.

Doc_ID 371 197

Directly under the Analytics node are the individual analytics nodes for accessing information on the incidents that have been recently monitored and configuring the analytic type:

l Brute Force Attacks – Reports on failed attempts from a single host to access a given host. It can be triggered by different user accounts with bad passwords or invalid account names.

l User Account Hacking – Reports on multiple bad passwords provided for a given valid user account

l Horizontal Movement Attacks – Reports on security principals that are accessing more than the threshold of resources during the specified time interval. This may be indicative of a person trying to obtain information from as many servers as possible which they normally would not be accessing.

l Bad User ID (by user) – Reports on pre-authentication failures due to using account names that cannot be found within Active Directory. These incidents are grouped per account name.

l Bad User ID (by source host) – Reports on pre-authentication failures due to using account names that cannot be found within Active Directory. These incidents are grouped per source host.

l Breached Password – Reports on multiple failed authentications followed by a successful authentication in the specified time frame

l Concurrent Logins – Reports on logins from multiple locations within the specified time frame

l Impersonation Logins – Reports on multiple authenticated accounts from a single system within the specified time frame

l Golden Ticket – Reports on Kerberos tickets that exceed the specified maximum lifetimes for a user ticket or maximum lifetimes for a user ticket renewal

l File System Attacks (by user) – Reports on significant number of file changes made by an account in a short time period

l Kerberos Weak Encryption – Reports on Kerberos tickets with RC4_HMAC_MD5 encryption

l Forged PAC – Reports on Kerberos tickets with modified PAC

In addition to the Navigation Pane Right-Click Commands section features available within the grid views of the individual analytic policy, there is also a gear icon for opening the analytic configuration. See the StealthINTERCEPT Analytics Guide section for additional information.

Investigate Interface

Doc_ID 371 198

The Investigate interface allows SI users to quickly view recent events in a centralized location. SI users can investigate either Production events or Archive events. The data is limited by any protection applied at the Policy folder-level. See the Policies Interface section for additional information on the protection feature.

The top section of the Display area provides filtering options. The recent events are displayed in the bottom section. Next to the Investigate title, choose between LDAP Policies and All Other Policies to be shown in the data grid after it is refreshed. Deleted policies are shown when Show Deleted Policies is selected.

Doc_ID 371 199

There are six filter categories that can be applied to the recent events available in the data grid. By default, there are no filters placed on the data. All enabled unprotected policies and any protected policies the current SI user has rights to view are selected, and the other filter categories are blank. Filters can be applied through any combination of the filter categories. Use the Refresh button to repopulate the data grid with the current information for the selected filter (s).

Policy Filter Category

To filter by Policy, only have the desired policies checked. Protected policies the current SI user does not have rights to view are grayed-out.

l All policies – Toggles on or off all available policies

l Show Deleted Policies – Displays previously deleted policies in the Policy filter category. They are included in the filter. By default, event data from deleted policies are not included with the investigation results.

Who Filter Category

To filter by Who, check the Perpetrator box to filter for a particular security principal committing the change and/or check the Affected Object box to filter for a particular object being affected by a change.

For the Perpetrator option, select the radio button for either:

Doc_ID 371 200

l Name – Identify a Perpetrator by name

l SID – Identify a Perpetrator by the Security Identifier Then enter the who in the textbox or use the ellipsis (…) to open the Available Perpetrators window which displays perpetrators currently known within the database.

For the Affected Object option, select the radio button for either:

l DN / File Path – Identify an object by the distinguished name or file path

l Account – Identify an object by the SAM account name Then enter the who in the textbox. Filter criteria can be a partial match.

When Filter Category

Filtering by When encompasses several options, including the option between using Local Time or UTC time.

l To filter from a specified date and time to the present, check the Between box and set the start time

l To filter for everything from before a specified date time, check the And box and set the end time

l To filter for a specific time frame, check both boxes and set the start and end times

l To filter for Events for Last [number] Hours, check this box and set the number of hours to be used as the filter

Where Filter Category

To filter by Where, check the box(es) for the desired filter type(s):

l In this Domain – Enter the [domain name] in the textbox or use the ellipsis (…) to open the Available Domains window which displays domains currently known within the database.

l Detected on Server – Select the radio button for either Name or IP and then enter the server in the textbox. The ellipsis (…) can be used to open the Available Servers window which displays servers currently known within the database.

l From This Computer – Select the radio button for either Name or IP and then enter the computer in the textbox

l To This Computer – Select the radio button for either Name or IP and then enter the computer in the textbox Filter criteria can be a partial match

Doc_ID 371 201

What Filter Category

To filter by What, check the box(es) for the desired filter type(s):

l Event – Select the radio button for either Success or Fail

l Action Type – Select the radio button for either Blocked or Not Blocked

Other Filter Category

To filter by Other, check the box(es) for the desired filter type(s):

l Class

l Event Source

l Event Name

l Attribute Name

l Attribute Value – Select the radio button for either Old Value or New Value

Filter criteria can be a partial match.

CAUTION: The Full Text Search is not driven by indexes. Unless other indexed criteria are selected, the full text search could result in a scan of the entire SQL database which could be very slow for large databases.

l Full Text Search – Queries the entire SQL database for the entered attribute. If the attribute displays anywhere in the event, it displays in the data grid.

Each filter category section can be collapsed/expanded by clicking the arrow on the right side of the header ribbon. All filters can be cleared by clicking the Reset Filters button on the ribbon between the filter categories and the data grid. Filtered views can also be saved. See the Investigate Interface section for additional information.

Doc_ID 371 202

The grid view can be expanded by either collapsing the individual filter category sections or by using the arrow between the filter categories and the grid view to collapse the entire filter category section.

Choose between investigating events in the Production database or the Archive database by selecting the desired radio button. The archive database is an option of the Database Maintenance feature of SI. The archive database can only be queried from the SI Admin Console. See the Database Maintenance Window section for additional information.

Set how many events can be displayed by changing the Get Top [number] Events value. If checked, the For Each Policy checkbox applies the specified number of events displayed on a per policy basis. If unchecked, the specified number of events displayed are solely based on the time the event was logged. Use the Refresh button to repopulate the data grid with the current information for the selected option. The Show All Columns link automatically adds any columns to the data grid that are currently hidden from view. When column placement or visibility is changed, the settings are saved.

The data grid columns for the Investigate interface each have a prefix identifying the type of information displayed. Double-click a populated grid column to access the Recent Events Tab with more detailed information on the event. The columns display the following information for each event:

Doc_ID 371 203

l Event: Policy – Policy which monitored or blocked the event

l Event: Time Logged – Timestamp for when the event was monitored/blocked by the SI Agent, the specified time is the local time for the server where the SI Agent is deployed. Hover over data in this column to view Agent time, Local time (of the Enterprise Manager), and UTC time simultaneously.

l Event: UTC Time Logged – UTC Timestamp for when the event was monitored/blocked by the SI Agent. Hover over data in this column to view Agent time, Local time (of the Enterprise Manager), and UTC time simultaneously.

l Event: Type – Identifies the type of monitoring/blocking, e.g. Active Directory, File System, Exchange

l Event: Name – Type of event monitored/blocked

l Event: Count – Number of identical events which occurred within one minute

l Event: Success – Indicates the event completed successfully

l Event: Blocked – Indicates SI blocked the event from occurring

l Event: Message – Result of the attempted operation

l Event: Raw Name – Short description of the monitored operation

l Agent: Domain – Domain where the SI Agent which monitored/blocked the event is deployed

l Agent: Computer – Server where the event was recorded (where the SI Agent is deployed)

l Agent: IP Address – IP Address of the server where the event was recorded (where the SI Agent is deployed)

l Affected Object: Path – Name of the object according to the type of monitoring/blocking

l Active Directory monitoring/blocking – Active Directory distinguished name for the affected object

l Effective Group Membership monitoring – Active Directory distinguished name for the affected group. A double asterisk (**) at the beginning indicates that the path is to the nested group where the actual membership change occurred.

l File System monitoring/blocking – Path of the affected file or folder

l Exchange monitoring/blocking – Name of the affected Exchange Mailbox

l Affected Object: Account Name – Domain\user name of the affected account

Doc_ID 371 204

l Affected Object: Class – Active Directory class (only applies to Active Directory monitoring/blocking, it is blank for other types)

l Affected Object: IP Address – IP Address of the host the security principal is trying to access

l Affected Object: Host – Name of the host the security principal is trying to access

l Perpetrator: Name – Name associated with the SID for the security principal who attempted the monitored operation

l Perpetrator: Host – Originating host name for the monitored operation

l Perpetrator: Protocol – Protocol used for the monitored operation

l File System monitoring/blocking – Name of the share used where the operation was monitored/blocked (is blank if affected host has an operating system older than Windows 2008 R2)

l Perpetrator: IP Address – Originating host IP Address for the monitored operation

l File System monitoring/blocking – This field is blank if affected host has an operating system older than Windows 2008 R2

l Perpetrator: Access URL – Raw data, the combination of the protocol, IP Address, and the Port used as part of the event

l LSASS Guardian monitoring/blocking – Process name which is modifying or attempting to modify LSASS

l Perpetrator: DN – Identification of the perpetrator according to the type of event

l Active Directory monitoring/blocking – Active Directory distinguished name for the perpetrator

l File System monitoring/blocking – Domain\user name for the perpetrator

l Exchange monitoring/blocking – Domain\user name for the perpetrator

l Perpetrator: MAC Address – Network adapter identifier

l Perpetrator: SID – Security Identifier of the security principal which attempted the monitored operation

At the bottom of the Investigate interface, additional information is displayed for selected events in the data grid.

Doc_ID 371 205

The Attribute Name, Operation, Old Value, and New Value for the logged event (as applicable to the event) are displayed.

See the Data Grid Functionality section for additional features available within the grid view.

Filtered Investigate Views Filters settings can be saved. Follow the steps to save a filtered view.

Step 1 – Set the filter [1] as desired, Refresh the data grid [2], and click Save View [3]. The Filter Set Name window opens.

Doc_ID 371 206

Step 2 – Type a name for this filtered view and click OK.

The saved filtered view becomes a node in the Navigation pane under the Investigate node. Select the node to return to the saved filtered Investigate view.

EPE & LDAP Summary Folders The EPE and LDAP Summary folders are pre-defined reports that allow SI users to view consolidated recent event activity for EPE or LDAP which spans all EPE or LDAP policies. The reports include default grouping(s) that best show the consolidated data.

Doc_ID 371 207

The investigate summary folders filters include:

l EPE Summary

l Last 10,000 Failed passwords by Policy and Rule

l Number of Failed passwords by Policy Name

l Number of Failed passwords by Rule Name

l Number of Failed passwords by Policy and Rule

l LDAP Summary

l Top 10,000 Most frequently run queries by User Accounts

l Top 10,000 Most frequently run queries by Computer Accounts

l Top 10,000 Most frequently run queries by IP

l Most frequently run queries by Account for TOP 5 User Accounts

l Most frequently run queries by Account for TOP 5 Computer Accounts

l Most frequently run queries by IP for TOP 5 IPs

l Run Time by Account

l Run Time by IP

Doc_ID 371 208

l Run Time by Domain Controller

l Number of Searches by Domain Controller

The grid view displays columns associated with the scope of the report. By default, the data grid is blank. Select Refresh to display results on the data grid. If there is no data available, the grid does not populate but the columns display on the grid. Below the report name are the Refresh, Configure, and Export buttons.

The buttons have these functions:

l Refresh – Repopulates the data grid with the current information for the selected report

l Configure – Opens the Parameters window. Set the optional time range as well as the type of policies.

l Export – Export the selected report into an Excel, PDF, HTML, RTF, or CSV output. The Save As window displays when an export option is selected. Provide a unique name for the report and save to a specified location.

The Parameters window displays the following information:

l Range From/To –If left unchecked, the report displays all policy data. When enabled, set a data range for the grid using the To and From dropdown calendars. By default, the calendar displays todays date. Click OK to set the date and time.

For faster navigation on the calendar, select the month (i.e. October 2019) to display all twelve months to choose from. Once showing the months, select the year (i.e. 2019) to display a range of years to choose from.

Doc_ID 371 209

l Policies – Choose between All Policies or Enabled Only policies to display on the data grid

l Events – Select Blocking and/or Monitoring event(s) to display in the data grid

Policies Interface The Policies interface is comprised of several levels.

The list of policies can be sorted alphanumerically ascending or descending by clicking on a column header. An arrow appears in the right corner of the column header indicating the type of sorting. There is also a right-click menu within the Display area.

Selecting the Policies node provides a list of all policies in the Display area. The columns are (left to right):

l Policy State – Indicates whether or not the policy is enabled (green) or disabled (gray) NOTE: This only displays the state of the policy. It does not change its state.

l Customized Schedule Icon – A clock symbol displays when the policy has been customized

l Name – Name of the policy

l Path – Folder and sub-folder structure location of the policy within the Navigation pane

l Description – Matches the description used on the General tab of the policy

Directly under the Policies node are the folders used to organize the policies. Folders can be created at the top level or as sub-folders. SI supports unlimited levels for organizing policies. It is through a folder node that protection can be applied by an SI user with Administrator rights. Select a folder in the Policies node list to view the two types of protection available for that folder. The protection types are:

Doc_ID 371 210

l Permissions – Control the ability of SI users to View Data or Manage Policies within the selected folder. Set the SI User to one or both settings:

l View Data Permission checkbox – Affects the ability to see events data for these policies in the policy’s Recent Events Tab, the Investigate Interface, or the SI Reporting Console. Only SI users granted the View Data Permission on the folder where the object has been identified for protection are able to view any results of events that include the object. See the Policies Interface section for instructions on protecting policies or objects.

l Manage Policies Permission checkbox – Affects the ability to change policy configuration settings. See the Policies Interface section for instructions on protecting policies or objects.

l Protected Objects – Monitors the selected Select Active Directory Context Window within the policy folder

l Protected objects are hidden from the following types of data no matter what policy monitored/blocked it:

l Recent Events Tab data

l Investigate Interface data

l StealthINTERCEPT Reporting Console data

Within the folders, the individual policy nodes provide access to policy configuration and recent event data in the Display area. Policies can be moved from one folder to another by dragging- and-dropping, unless restricted by policy protections. Templates can also be dragged from a template folder and dropped into a policy folder, which copies the template into a policy. See the Templates Interface section for additional information.

An enabled policy is quickly identifiable within the Navigation pane by the green dot over the policy icon.

See the Policy & Template Configuration section for additional information on creating policies.

Doc_ID 371 211

Policies Node Right-Click Menu The list of all policies in the Display area of the Policies node also has a right-click menu. Select a policy and right-click to open this menu.

It contains the following selections:

Right-Click Command Description

Enable Enables disabled policies. No action is taken if selected for a policy already enabled.

Disable Disables enabled policies. No action is taken if selected for a policy already disabled.

Export Export the selected policy’s configuration to an XML file through the Export Policies and Templates window (unique to the Policies and Templates interfaces, see explanation of window below)

Remove Deletes the selected policy

NOTE: If the selected policy is protected and the current SI user does not have Manage Policies permissions for it, these options are be grayed-out. See the Policies Node Right-Click Menu section for additional information on protection.

The Export Policies and Templates window, opened from the Policies and Templates interfaces, is for exporting selected policies’ configuration from the list on the Policies node or selected

Doc_ID 371 212

templates’ configuration from the list on the Templates Interface node. The export generates an XML file. This window is opened through the Policies Node Right-Click Menu or the Template Node Right-Click Menu Export option.

In the Notes textbox:

l Enter any information to be saved with the XML file

The Encrypt Sensitive Fields can be toggled on or off.

l If on, provide a Password and Verify Password to be used as the encryption key

When the export is configured as desired, click Export.

Protect Policies Policies can be protected at the folder node of the Policies interface. Once an SI user is assigned permission on a folder, all policies and subfolders within that folder are protected from any SI user not included in the Permissions list.

Follow the steps to protect policies.

Doc_ID 371 213

Step 1 – Select a folder under the Policies node in the Navigation pane. On the right displays the Policies interface for folders.

Step 2 – In the Permissions ribbon, click the Add (+) icon.

The Remove (x) button deletes the selected SI user from the Permissions list.

Doc_ID 371 214

Step 3 – A window opens with a list of SI users. Select the SI user to be granted permission on this folder and the policies within it.

Only SI user with rights as assigned in the Users and Roles Window are available in the list.

Step 4 – The window closes and the user is now in the Permissions list with the default of View Data permission. To add the Manage Policies permission, check the box for that user.

Only those SI users specifically granted permission to this folder can view event data or configure the policies within this folder or its subfolders once permissions have been assigned.

Step 5 – Click Save when the permissions are set as desired.

Protect Objects In addition to protecting policies, objects being monitored or blocked can also be protected. This feature ensures regulatory compliance. Any object granted protection is protected across all policies and reports, including its child objects. That means if a policy from another folder monitors or blocks a change affecting the protected object, the resulting event is not included in

Doc_ID 371 215

any result data. Only SI users granted permissions on the folder where the object is protected are able to view event data for that object. This protection applies to a policy’s Recent Events tab, the Investigate interface, and the SI Reporting Console.

Follow the steps to protect objects.

Step 1 – Select a folder under the Policies node in the Navigation pane.

Step 2 – In the Protected Objects ribbon, click the Add (+) icon.

The Remove (x) button deletes the selected object from the Protected Objects list.

Doc_ID 371 216

Step 3 – The Select Active Directory Contexts window opens. Select the desired Agent from the drop-down menu and click Connect. Expand the domain tree in the Navigation pane. Select an item in the Results pane on the right and click OK. See the Select Active Directory Context Window section for additional information.

Doc_ID 371 217

The window closes and the object is now in the Protected Objects list. Only those SI users specifically granted permission to this folder can view event data for the protected object or its children.

Step 4 – Click Save when the permissions are set as desired.

Protected objects have now been added to the Policies Interface.

Templates Interface The Templates interface is comprised of several levels.

Doc_ID 371 218

Selecting the Templates node provides a list of all policy templates in the Display area. The list includes:

l Name

l Path – Location within the Navigation pane

l Description

The list of templates can be sorted alphanumerically ascending or descending by clicking on a column header. An arrow appears in the right corner of the column header indicating the type of sorting. There is also a right-click menu within the Display area.

Directly under the Templates node are the folders used to organize the policy templates. Folders can be created at the top level or as sub-folders since SI supports unlimited levels for organizing templates. The SI pre-created policy templates are organized into the following top-level folders: Best Practices, HIPAA, Microsoft, and SIEM. See the Policy Templates section for additional information on these pre-created templates.

Within the folders, the individual template nodes provide access to policy template configuration in the Display area. Templates can be moved from one folder to another by dragging-and- dropping. The drag-and-drop feature from one template folder to another is a Move action. However, templates can also be dragged into a Policy folder. This would be a Copy action, and converts the template into a policy.

Doc_ID 371 219

See the Policy & Template Configuration section for additional information on creating policy templates.

Template Node Right-Click Menu The list of all templates in the Display area of the Templates node also has a right-click menu. Select a template and right-click to open this menu.

It contains the following selections:

Right-Click Command Description

Enable (grayed-out) [Does not apply to templates]

Disable (grayed-out) [Does not apply to templates]

Export Export the selected template’s configuration to an XML file through the Policy & Template Configuration (unique to the Policies and Templates interfaces, see explanation of window below)

Remove Deletes the selected template

TAGS Node

Doc_ID 371 220

Tags can be added to policy templates as an organizational tool. Tags display as folders under the TAGS node. Several preconfigured templates include tags, which display after those templates have been imported into the console. A template can have multiple tags added, and the template displays in the folder for each tag. If a new tag is added, Refresh the TAGS node to view the associated folder.

Adding tags to a template does not create a duplicate template, but rather multiple places from which to access the template. A modification made to a template within a folder under the TAGS node is a modification to that template no matter where it is accessed after that, i.e. from under the Templates node or from another folder under the TAGS node.

Doc_ID 371 221

Copyright 2021 STEALTHBITS TECHNOLOGIES, INC. ALL RIGHTS RESERVED StealthINTERCEPT® Policy & Template Configuration A StealthINTERCEPT (SI) policy or policy template has many elements that define the objects and events it monitors or blocks, where in networks it looks, and when it is active. These policy attributes are organized into the following major components:

l General Tab

l Event Type Tab

l Actions Tab (Event Consumers)

Each major component has its own tabbed view within the policy/template configuration. A policy requires at least the General tab and Event Type tab to be configured before it properly functions. The Actions tab is optional.

The Reports Tab is where reports are linked to the selected policy/template from within the SI Admin Console. The Recent Events Tab provides information on the events that have been recently monitored or blocked by the selected policy. These events are also available through the Investigate Interface and the SI Reporting Console. See the Investigations Tab section of the StealthINTERCEPT Reporting Console User Guide for additional information.

This chapter provides the necessary information and available options for configuring a policy or a policy template. The following sections provide an in-depth look at each configuration tab. When the policy/template configuration is set as desired, click Save to complete the process.

Through a PowerShell API integration, it is possible to create, edit, delete, and enable SI Policies without opening the SI Admin Console. See the Appendix: PowerShell API Integration for additional information.

Policy & Template Configuration A StealthINTERCEPT (SI) policy or policy template has many elements that define the objects and events it monitors or blocks, where in networks it looks, and when it is active. These policy attributes are organized into the following major components:

l General Tab

l Event Type Tab

l Actions Tab (Event Consumers)

Doc_ID 371 222

Actions Tab The Actions tab is for configuring various responses, or event consumers, to the event data a policy captures. The following types of actions are available:

l Send to Events DB – Logs events to the event database for use by StealthINTERCEPT Reporting using the built-in database event consumer. This is the primary action and is enabled by default in new policies.

l Send to SIEM – Sends formatted messages to a SIEM server as configured in a profile. To enable this feature the server must first be configured by an SI Administrator, which is done through the SI System Alerting Window.

l Send to StealthDEFEND – Sends data for this policy to StealthDEFEND. To enable this feature, the Web Request Action Module (StealthDEFEND URI) must be created and configured by an SI Administrator. This is configured through the Event Sink Tab on the StealthDEFEND Configuration window.

l Email Notifications – Sends formatted email notifications to the selected Message Profile. To enable this feature the SMTP Gateway must first be configured and Message Profiles created by an SI Administrator, which is done through the SI System Alerting Window.

l File Actions – Records the events to a log (text) file in XML or Comma Delimited (CSV) format. This is configured through the File Actions.

l .NET Script Actions – Runs a user-supplied script which implements an automated action in response to the event. Scripts can be written in Visual Basic or C#. This is configured through the .NET Script Actions. Optionally, custom scripts can be provided through a Stealthbits Statement of Work.

Doc_ID 371 223

l PowerShell 4.0 Actions – Runs a user-supplied PowerShell script which implements an automated action in response to the event. This is configured through the PowerShell 4.0 Actions. Optionally, custom scripts can be provided through a Stealthbits Statement of Work.

Multiple event consumers can be configured for a single policy, even multiple event consumers of the same type. However, only one database event consumer can be added per policy.

Actions are configured to run on a separate thread from the policy’s event processing thread. Incoming events have a dedicated thread/queue for processing. Email notification has a dedicated thread/queue for processing. Custom Script actions has a dedicated thread/queue for processing. This allows the action to process without blocking new events from going into the database while the action completes.

At the top of the tab, assigned actions are listed. The list includes:

l Enabled, Type, Name, and Description for all assigned File, .NET Script, or PowerShell 4.0 actions. See the File Actions, .NET Script Actions, and PowerShell 4.0 Actions sections for steps on adding actions to a policy.

Actions can be enabled or disabled on the Actions tab of the policy/template configuration by checking or unchecking the Enabled checkbox in the Action Configurations list. This can also be done through the Add Action window.

Doc_ID 371 224

Send to Events DB

This action is checked by default and saves the event data a policy monitors and captures to the NVMonitorData database. Typically this option is only unchecked by Stealthbits Support during a troubleshooting session or when the only desired output is a file for an alert. SI Reporting uses the events database to access and create reports.

Send to SIEM

This action is added by selecting the desired SIEM Profile to be the recipient of the SIEM notifications from the drop-down menu. Prior to activating this option, it is necessary to establish a connection with the SIEM server and configure the mapping file. All SIEM Profiles created are available to be selected. Configuration is done by an SI Administrator through the SI System Alerting Window, and this action can also be assigned within that window.

Send to StealthDEFEND

This action can be checked to send event data for the policy to StealthDEFEND. Prior to activating this option, it is necessary to configure the connection with StealthDEFEND. This is done by an SI Administrator through the StealthDEFEND Configuration Windows window.

Email Notifications

Doc_ID 371 225

This action is added by selecting the desired Message Profile to be recipient of the email notifications from the drop-down menu. Prior to activating this option, it is necessary to configure the SMTP Gateway and create Message Profiles. All Message Profiles created are available to be selected. Setup is done by an SI Administrator through the SI System Alerting Window, and this action can also be assigned within that window.

Once Email Notifications are enabled, select a Message Profile and then choose to enable the Prevent Repeat Emails by option. If enabled:

l Select the radio button for either:

l Policy – Prevents email notifications for the same policy

l Subject – Prevents email notifications with the same Subject line, as configured within the Message Profile

l Set the duration (in minutes or hours) that repeat emails are prevented

Select Add (+) to open the Add Action window. Choose to add a File Actions, .NET Script Actions, and PowerShell 4.0 Actions action sections. Use the Remove (x) button to delete file or script actions from a policy.

All changes made to a policy or a template must be saved before leaving the configuration interface.

File Actions

Doc_ID 371 226

A File action can output the event data collected by a policy to a log file. This action is assigned to a policy through the Add Action window. Follow the steps to add a File action to a policy/template.

Step 1 – On a policy or template Actions tab, click Add (+) to open the Add Action window.

Step 2 – In the left pane, select the radio button for File.

Step 3 – Configure the File action:

Doc_ID 371 227

l Name – Provide a unique, descriptive name for this File action

l Check the box for Enabled to allow the policy to send the event data to the file

l Description – Provide a clear and detailed description for this File action. This is optional but recommended.

l File Name – Provide a name for the file. The file extension is added automatically

l The default location is: …\Stealthbits\StealthINTERCEPT\SIEnterpriseManager\output\file

l The name can include a full UNC path to place the file at a desired location.

l Select the radio button for the desired File Output Format:

l XML

l Comma Delimited (CSV)

l Adjust the File Size Limit and Minimum disk space required for reporting values as desired NOTE: Set thresholds for file event consumers to maximize performance and minimize individual file sizes. When a file reaches its maximum size, it continues to record data but the oldest data in the file is deleted to make room for the newest. The default file size settings are the following:

l File Size Limit: 5 MB

l Minimum disk space required for reporting: 1 MB

Step 4 – Click Save to apply changes and close the Add Action window.

Doc_ID 371 228

The Action tab now displays the configuration settings for the specified File action. The action configuration can be directly edited through this display as well.

.NET Script Actions A Visual Basic or C# script can be written and assigned to a policy by SI users or a Stealthbits Engineer via engaging Stealthbits Professional Services. The script will be invoked by the Enterprise Manager for an enabled policy. The .NET Script action is assigned to a policy through the Add Action window.

Follow the steps to add a .NET Script action to a policy/template.

Step 1 – On a policy or template Actions tab, click Add (+) to open the Add Action window.

Doc_ID 371 229

Step 2 – In the left pane, select the radio button for .NET Script.

Step 3 – Configure the .NET Script action:

l Name – Provide a unique, descriptive name for this .NET Script action

l Check the box for Enabled to allow the policy to launch the script

l Description – Provide a clear and detailed description for this .NET Script action. This is optional but recommended.

l Select the radio button for the script language being used:

l Visual Basic

l C#

l Click Edit… to open the StealthINTERCEPT Script Editor window and provide the script

Doc_ID 371 230

Step 4 – Create or copy and paste the custom script in the StealthINTERCEPT Script Editor. See the StealthINTERCEPT Script Editor Tools section for additional information, i.e. Run for testing and Encrypt functionality. See Appendix: Default Custom Scripts for default custom scripts. Save and close.

Doc_ID 371 231

Step 5 – At the bottom of the Add Action window, the new script is visible in the Script Preview section. Choose whether or not to Enable compiler error logging; if enabled, SI logs information about the compiling of scripts.

Step 6 – Click Save to close the Add Action window and apply changes.

The Action tab now displays the configuration settings for the specified .NET Script action. The action configuration can be directly edited through this display as well.

StealthINTERCEPT Script Editor Tools On the Add Action window, the Edit... button opens the StealthINTERCEPT Script Editor. The top bar includes the Tools dropdown menu which provides several Tools to aid the SI user.

Doc_ID 371 232

The Tools item in the menu contains the following options:

l Assembly Manager – Applies to Visual Basic and C# scripts only, list of assemblies that support exposing SI data in the VB or C# runtime environments

l Compile (Ctrl+F6) – Applies to Visual Basic and C# scripts only, compiles the script to find and fix syntax errors

l Run (F5) – Executes the script on the machine where the SI Admin Console is installed

l Reset to Default Script – Replaces the existing script with the default script which is shipped with StealthINTERCEPT

l Encrypt – Encrypts selected portions of the script to an encrypted string with a decrypt command for run time. See note below explaining why only a plain text string, information in the script between quote marks (“), should be encrypted.

The Tools > Run option is used to launch the script from the SI Admin Console, allowing the SI user to test the script. If running a .NET Script Action, there are no prerequisites.

Remember, if the SI Admin Console server meets this requirement but the Enterprise Manager server does not, the script does not work in an enabled policy.

CAUTION: The Tools > Encrypt option is used to obfuscate plain text strings, e.g. credentials, within the script. Encrypting functions or other commands result in the script not working. Only a literal string should be encrypted, between the quote marks (“). The quote marks themselves should not be included in the encryption.

PowerShell 4.0 Actions A PowerShell 4.0 script can be written and assigned to a policy by SI users or a Stealthbits Engineer via engaging Stealthbits Professional Services. The script will be invoked by the Enterprise Manager for an enabled policy.

The PowerShell 4.0 action is assigned to a policy through the Add Action window. Follow the steps to add a PowerShell 4.0 action to a policy/template.

Doc_ID 371 233

Step 1 – On a policy or template Actions tab, click Add (+) to open the Add Action window.

Step 2 – Configure the PowerShell 4.0 Script action:

l Name – Provide a unique, descriptive name for this PowerShell 4.0 action

l Check the box for Enabled to allow the policy to launch the script

l Description – Provide a clear and detailed description for this PowerShell 4.0 action. This is optional but recommended.

l Click Edit… to view the sample script. The StealthINTERCEPT Script Editor opens

Doc_ID 371 234

Step 3 – Create or copy and paste the custom script in the StealthINTERCEPT Script Editor. See the StealthINTERCEPT Script Editor Tools section for additional information, i.e. Run for testing and Encrypt functionality. See Appendix: Default Custom Scripts for default custom scripts.

Step 4 – Save and close.

Doc_ID 371 235

Step 6 – Click Save to close the Add Action window and apply changes.

The Action tab now displays the configuration settings for the specified PowerShell 4.0 action. The action configuration can be directly edited through this display as well.

Event Type Tab The Event Type tab view is where the objects and events SI monitors/blocks are defined.

Doc_ID 371 236

Each Event Type represents what is monitored or blocked. Event filters are used to either narrow or broaden the scope of the monitoring/blocking as desired. Click Add (+) to open the Event Selection window. The Solution Overview and modules licensed by the organization determine what Event Types are available. Event Types which are not available or not licensed are grayed- out but visible in the Event Selection window.

Doc_ID 371 237

Doc_ID 371 238

Check the box for the desired Event Type and click OK. The corresponding Event Filters show at the bottom of the Event Type tab. Multiple Event Types can be assigned to a single policy.

RECOMMENDED: Create different policies for different event types for reporting purposes. Otherwise, one report will have a mix of different types of data. There are a few exceptions to this feature.

Once the Event Type to be monitored by the policy is selected, the filters scope the policy.

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

The following sections highlight the Event Filters associated with each Event Type. See the Event Filters Overview section for in-depth information on each filter tab.

All changes made to a policy or a template must be saved before leaving the configuration interface.

StealthINTERCEPT for Active Directory Solution Event Types The following Event Types are available for the Solution Overview:

l Active Directory Changes Event Type

l Active Directory Lockdown Event Type

l Active Directory Read Monitoring Event Type

l AD Replication Monitoring Event Type

l AD Replication Lockdown Event Type

l Authentication Event Type

l Authentication Lockdown Event Type

l Effective Group Membership Event Type

l GPO Setting Changes Event Type

l GPO Setting Lockdown Event Type

l LSASS Guardian – Monitor Event Type

l LSASS Guardian – Protect Event Type

These event types are available through the following Licensed Modules:

Doc_ID 371 239

Licensed Module Available Event Type

Active Directory Changes Module Active Directory Changes Event Type

Active Directory Read Monitoring

AD Replication Monitoring

Authentication Event Type

Effective Group Membership Event Type

LSASS Guardian – Monitor

Active Directory Lockdown Module Active Directory Lockdown Event Type

*Requires Active Directory Changes Module AD Replication Lockdown

Authentication Lockdown Event Type

LSASS Guardian – Protect

GPO Lockdown Module GPO Setting Lockdown Event Type

*Requires Active Directory Changes Module

**Requires File System Module

GPO Setting Changes Module GPO Setting Changes Event Type

*Requires Active Directory Changes Module

**Requires File System Module

Active Directory Changes Event Type The Event Filters for the Active Directory Changes Event Type are:

l AD Event Filter

l Domains/Servers Filter

l AD Context Filter

l AD Classes Filter

l AD Attributes Filter

l AD Objects Filter

Doc_ID 371 240

l AD Perpetrator Filter for Monitoring)

l IP Addresses (from) Filter

l Hosts (from) Filter for Monitoring

l Success Filter

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

Active Directory Lockdown Event Type The Event Filters for the Active Directory Lockdown Event Type are:

l AD Event Filter

l AD Objects and Containers Filter

l Domains/Servers – Not supported for this lockdown event type

l AD Event Filter

l AD Perpetrator Filter for Lockdown

l Hosts (from) Filter for Lockdown

l User Account Control Filter

l Rule Preview Filter

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

CAUTION: Lockdown/blocking policies with blank filters result in everything being locked down or blocked.

Active Directory Read Monitoring Event Type The Event Filters for the Active Directory Read Monitoring Event Type are:

l Domains/Servers Filter

l AD Classes Filter

l AD Objects Filter

l AD Context Filter

l AD Perpetrator Filter for Monitoring

l AD Attributes Filter

Doc_ID 371 241

l Hosts (from) Filter for Monitoring

l Rule Preview Filter

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

CAUTION: This event type monitors all specified domain controller Read events. Use this event type with significant filters or else it can adversely impact overall system performance and significantly increase the size of the SI Event Database. Limit the policy to specific attributes in order to avoid overwhelming the database with a high volume of unnecessary events.

This Event Type reports on user's accessing or reading specific security related AD Attributes. Active Directory processes a high volume of Read requests. It is not recommended or designed to capture all or the majority of Read activity.

AD Replication Lockdown Event Type The Event Filters for the AD Replication Lockdown Event Type are:

l AD Perpetrator Filter for Lockdown

l Permissions Filter

l Domains/Servers Filter

l Hosts (from) Filter for Lockdown

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

CAUTION: Lockdown/blocking policies with blank filters result in everything being locked down or blocked.

This event type locks down domain controller syncing/replication. Since Windows cannot detect if a sync request is coming from a legitimate domain controller, this event type is designed to block requests from computers which are not ‘allowed’ by the policy.

Legitimate domain controllers must be identified in the event filters. This can be done through one of the following methods:

l AD Perpetrator filter

l Use this filter for a dynamic list of domain controllers

l Set filter to "Allow"

l Add the Users OU > Domain Controllers group

Doc_ID 371 242

l Add any other groups containing domain controllers. This triggers an error message reminding the user that only domain controllers should be allowed.

l Any domain controller not included in these groups are blocked from syncing /replication

l Domains/Servers filter

l Use this filter for a static list of domain controllers

l Add domain controllers to the Exclude list

l Any domain controller not excluded is blocked from syncing /replication

CAUTION: Not allowing ALL domain controllers to sync has negative impacts on Active Directory.

If no filters are applied, saving the policy configuration displays a warning message.

NOTE: AD Replication Lockdown Event Type internally looks for use of the GetNCChanges() API and blocks the API call when it is invoked by a machine outside the scope of the policy filters.

AD Replication Monitoring Event Type The Event Filters for the AD Replication Monitoring Event Type are:

l AD Perpetrator Filter for Monitoring

l Permissions Filter

l Domains/Servers Filter

l Hosts (from) Filter for Monitoring

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

This event type monitors domain controller syncing/replication. Since Windows cannot detect if a sync request is coming from a legitimate domain controller, this event type is designed to monitor requests from computers which are not ‘excluded’ by the policy. Therefore, legitimate domain controllers should be identified in the event filters. This can be done through one of the following methods:

l AD Perpetrator filter

l Use this filter for a dynamic list of domain controllers

l Add domain controllers to the Exclude list(s)

l Add the Users OU > Domain Controllers group

Doc_ID 371 243

l Add any other groups containing domain controllers. It triggers an error message reminding the user that only domain controllers should be excluded

l Any domain controller not included in the groups are monitored for syncing/replication requests

l Domains/Servers filter

l Use this filter for a static list of domain controllers

l Add domain controllers to the Exclude list

l Any domain controller not excluded are monitored for syncing/replication requests

The StealthDEFEND DC Sync threat is sourced by a StealthINTERCEPT AD Replication Monitoring policy. It is necessary for the policy to be configured to exclude domain controllers on the Host (From) filter.

If no filters are applied, saving the policy configuration displays a warning message.

NOTE: AD Replication Monitoring Event Type internally looks for use of the GetNCChanges() API and reports an event when this API is invoked by a machine outside the scope of the policy filters.

Authentication Event Type The Event Filters for the Authentication Event Type are:

l Authentication Protocol Filter

l Domains/Servers Filter

l Success Filter

l AD Perpetrator Filter for Monitoring

l IP Addresses (from) Filter

l IP Addresses (to) Filter

l Hosts (from) Filter for Monitoring

l Hosts (to) Filter for Monitoring

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

NOTE: When the Authentication Event Type is assigned to a policy outside of the Analytic policies, then all collected authentication event data is stored in the database, not in memory as it is for the Analytic policies. However, it does consolidate the authentication events which occur every minute, resulting in up to a one minute delay between the event and the reporting of the event.

Doc_ID 371 244

Authentication Lockdown Event Type The Event Filters for the Authentication Lockdown Event Type are:

l AD Perpetrator Filter for Lockdown

l Hosts (from) Filter for Lockdown

l Hosts (to) Filter for Lockdown

l Rule Preview Filter

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

CAUTION: Lockdown/blocking policies with blank filters result in everything being locked down or blocked.

This event type blocks authentication requests made through Kerberos and NTLM. These requests are used to access resources such as remote shares, establish RDP sessions, interactive logons, etc.

Due to the method used by Windows to establish an RDP session to a computer with the less secure mode, “Allow connections from computers running any version of Remote Desktop (less secure)” option in the System Properties of the target host, StealthINTERCEPT cannot see the ‘from host’ information to block. Therefore, if the target host is configured with the less secure mode, the Hosts (from) filter does not block authentications for these RDP sessions. Since the perpetrator and host to information is available to StealthINTERCEPT with this mode of RDP session, the AD Perpetrator for lockdown filter and Hosts (to) filter will block authentications.

NOTE: When the Authentication Lockdown Event Type is assigned to a policy outside of the Analytic policies, then all collected authentication event data is stored in the database, not in memory as it is for the Analytic policies. However, it does consolidate the authentication events which occur every minute, resulting in up to a one minute delay between the event and the reporting of the event.

Effective Group Membership Event Type The Event Filters for the Effective Group Membership Event Type are:

l AD Groups Filter

l AD Perpetrator Filter for Monitoring

l Success Filter

Doc_ID 371 245

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

GPO Setting Changes Event Type The Event Filters for the GPO Setting Changes Event Type are:

l AD Group Policy Object Changes Filter

l AD Perpetrator Filter for Monitoring

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

GPO Setting Lockdown Event Type The Event Filters for the GPO Setting Lockdown Event Type are:

l AD Group Policy Object Filter

l Domains/Servers Filter

l AD Perpetrator Filter for Lockdown

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

If setting a filter to ‘“EXCLUDE” a domain from this blocking policy, this setting overrides any ”BLOCK” user filters. That means in order to block a user, it is necessary to not “EXCLUDE” the domain from which that user is a member.

CAUTION: Lockdown/blocking policies with blank filters result in everything being locked down or blocked.

LSASS Guardian – Monitor Event Type The Event Filters for the LSASS Guardian – Monitor Event Type are:

l AD Perpetrator Filter for Monitoring

l Domains/Servers Filter

l Processes Filter for Monitoring

l Open Process Flags Filter

Doc_ID 371 246

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

RECOMMENDED: Add exclusion process filters for legitimate processes which make changes to LSASS, e.g. third-party malware applications.

LSASS Guardian – Protect Event Type The Event Filters for the LSASS Guardian – Protect Event Type are:

l AD Perpetrator Filter for Lockdown

l Domains/Servers Filter

l Processes Filter for Lockdown

l Open Process Flags Filter

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

CAUTION: Lockdown/blocking policies with blank filters result in everything being locked down or blocked.

RECOMMENDED: Add exclusion process filters for legitimate processes which make changes to LSASS, e.g. third-party malware applications.

StealthINTERCEPT for Enterprise Password Enforcement Solution Event Type The following Event Type is available for the Solution Overview Solution:

l Password Enforcement Event Type

This event type is available through the following Licensed Module:

Licensed Module Available Event Type

Password Enforcement Module Password Enforcement Event Type

Password Enforcement Event Type The Event Filters for the Password Enforcement Event Type are:

Doc_ID 371 247

l Domains/Servers Filter

l AD Account Filter

l AD Perpetrator Filter for Lockdown

l Hosts (from) Filter for Lockdown

l Password Rules Filter

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

CAUTION: Lockdown/blocking policies with blank filters result in everything being locked down or blocked.

This Event Type locks down or monitors password creation/modification so that known, compromised passwords are not accepted. First Windows checks against an organization’s password policies. Passwords which pass the Windows check are then further validated by this SI policy. SI contains a dictionary of known compromised passwords and the ability to define additional rules for the content of the password. If the password matches any in the dictionary or matches a configured rule, the user is given the same Windows error message they would have received if the password had not been approved by the Windows check.

There is an option to capture the value of a password rejected by SI within the event data on the Password Rules filter. If rejected password values are captured, then the values appear in the Attributes field of the data grid.

There are always two accounts associated with this type of event:

l AD Account – Security principal for which the password is being changed

l Perpetrator – Security principal making the password change on the AD account

This event type can be added multiple times to a policy or multiple policies can be created to allow defining different sets of password rules. For different sets of Active Directory accounts and/or Active Directory Perpetrators.

Example

The goal to create a password enforcement policy for the organization’s users. However, senior executives require a different or stronger set of password rules. This is done by creating a single policy with the Password Enforcement event type added twice.

Configure one event type with the desired password rules for all users.

l Identify the senior executives on the AD Account filter tab using the Allow option

l The users selected are not held to the password rules configured

Doc_ID 371 248

Configure the other event type with the desired password rules for the senior executives.

l Identify the senior executives on the AD Account filter tab using the Block option

l The users selected are held to these password rules

With the v7.0+ StealthINTERCEPT release, a client-side module is provided in the installer to provide end user feedback for why their password does not meet the complexity requirements of the Password Rules policy. This feature is inactive by default but can be installed on the Domain Controller to be implemented across the environment. See the EPE User Feedback Module section of the StealthINTERCEPT Installation & Upgrade User Guide for additional information

StealthINTERCEPT for Exchange Solution Event Types The following Event Types are available for the Solution Overview:

l Exchange Changes Event Type

l Exchange Lockdown Event Type

These event types are available through the following Licensed Modules:

Licensed Module Available Event Type

Exchange Events Module Exchange Changes Event Type

Exchange Lockdown Module Exchange Lockdown Event Type

*Requires Exchange Events Module

Exchange Changes Event Type The Event Filters for the Exchange Changes Event Type are:

l Exchange Event Filter for Monitoring

l Exchange Mailbox Objects and Containers Filter

l Exchange Trustees Filter

l Exchange Perpetrators Filter

l Rule Preview Filter

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

Doc_ID 371 249

Exchange Lockdown Event Type The Event Filters for the Exchange Lockdown Event Type are:

l Rule Preview Filter

l Exchange Mailbox Objects and Containers Filter

l Exchange Trustees Filter

l Exchange Perpetrators Filter

l Rule Preview Filter

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

CAUTION: Lockdown/blocking policies with blank filters result in everything being locked down or blocked.

After enabling an Exchange login blocking policy, mail clients with existing connections to Outlook, OWA, PowerShell, EWS, ECP, and ActiveSync will not be blocked while the existing connection remains. See the Troubleshooting within the SI Admin Console section for information on resolving this.

NOTE: There are additional factors to consider in order to block delegations through Outlook. See the Troubleshooting within the SI Admin Console section for additional information.

StealthINTERCEPT for File System Solution Event Types The following Event Types are available for the Solution Overview:

l File System Changes Event Type (Windows and/or NAS)

l File System Lockdown Event Type(Windows only)

l File System StealthAUDIT Event Type (Windows only)

l FSMO Role Monitoring

The File System Changes Event Type and File System Lockdown Event Type only generate event monitoring and blocking data for StealthINTERCEPT. The File System StealthAUDIT Event Type only generates event monitoring data for the StealthAUDIT Management Platform. To generate the same data to be accessible for both products, it is necessary to create a single policy with both Event Types assigned. See the File System StealthAUDIT Event Type section for further information.

These event types are available through the following Licensed Modules:

Doc_ID 371 250

Licensed Module Available Event Type

File System Module File System Changes Event Type

File System Lockdown Event Type

File System StealthAUDIT Event Type

File System Changes Event Type The Event Filters for the File System Changes Event Type are:

l File System Filter for Monitoring

l File System Paths Filter

l AD Perpetrator Filter for Monitoring

l Success Filter

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

It is necessary to select paths/collections to be included or excluded on the Paths filter within the target File System. The policy monitors the path/collection from the SI Agent used to select it for the filter which is indicated in the parenthesis after the path/collection. The path/collection can be monitored by other SI Agents by selecting them on the Additional Agents filter.

NOTE: Any files or folders to be excluded need to be a subset of a folder identified in the Include Paths section.

If no path is provided, an error message displays when the analytic policy is enabled: The policy must have at least one path to monitor defined.

Example:

l Paths filter – Paths identified:

l C:\Documents and Settings (EXAMPLE\server1)

l C:\Users\All Users (EXAMPLE\server2)

The above configuration in a policy results in the SI Agent on server1 monitoring only the C:\Documents and Settings folder and the SI Agent on server2 monitoring only the C:\Users\All Users folder.

Doc_ID 371 251

l Paths filter – Paths identified:

l C:\Documents and Settings (EXAMPLE\server1)

l C:\Users\All Users (EXAMPLE\server2)

l Additional Agents filter – Agents selected:

l EXAMPLE\server1

l EXAMPLE\server3

By adding the SI Agents on server1 and server3 in the Additional Agents filter, then server1 and server3 monitor both folder paths, but server2 still only monitors the C:\Users\All Users folder.

Event data collected by the policies with this Event Type are also available for consumption by StealthAUDIT if the File System StealthAUDIT Event Type is used by the same enabled policy.

Monitor NAS Devices Monitoring a NAS device first requires the Stealthbits Activity Monitor to have a deployed activity agent configured to monitor the device. An SI Agent must be deployed on the same Windows server hosting the activity agent configured to monitor the NAS device. Once monitoring has been started, Follow the steps to configure an SI policy to monitor file system changes.

NOTE: This does not change what the Stealthbits Activity Monitor agent is monitoring. It reads information collected by the Stealthbits Activity Monitor and applies any additional filters defined in the SI policy. Therefore, it is necessary for the Stealthbits Activity Monitor agent to be configured to monitor the desired activity.

Step 1 – On the Event Type tab of the policy, add the File System Changes Event Type.

Step 2 – In the Event Filters section, select the File System Paths Filter filter tab and select the Add Paths button to open the Select File System Objects Window.

Remember, any files or folders to be excluded need to be a subset of a folder identified in the Include Paths section.

Step 3 – Connect to the SI Agent deployed to a Windows server hosting the activity agent. The local drives of the Windows server and all NAS devices being monitored by the activity agent are listed in the Navigation pane.

Step 4 – Select the NAS device in the Navigation pane, and type the path(s) to be monitored by this policy in the Results pane, one path per row. The paths entered can be file or folder names.

For example, type C:\HR\NewHireProcess.doc for a NAS device with the IP Address of 192.168.16.188, and it displays in the paths list as C:\HR\NewHireProcess.doc (\192.168.16.188)

Doc_ID 371 252

Unlike Windows path, NAS paths are not validated by StealthINTERCEPT. It is up to the user to accurately enter the path of the file or folder to be monitored. The format of the paths needs to match the data in the .tsv files produced by the Stealthbits Activity Monitor agent. The Search feature within the Stealthbits Activity Monitor can be used to validate path formats. See the Stealthbits Activity Monitor Installation & Console User Guide for additional information.

Step 5 – Click OK to close the Select File System Objects window.

The NAS paths are now added to the list of paths to be monitored.

File System Lockdown Event Type The Event Filters for the File System Lockdown Event Type are:

l File System Filter for Lockdown

l AD Perpetrator Filter for Lockdown

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

It is necessary to select paths/collections to be locked down on the File System filter. The policy will lockdown the path/collection from the SI Agent used to select it for the filter which is indicated in the parenthesis after the path/collection. The path/collection can be locked down by other SI Agents by selecting them on the Additional Agents filter.

If no path is provided, an error message displays when the analytic policy is enabled: The policy must have at least one path to monitor defined.

Example:

l File System filter – Paths identified:

l C:\Documents and Settings (EXAMPLE\server1)

l C:\Users\All Users (EXAMPLE\server2)

The above configuration in a policy results in the SI Agent on server1 locking down only C:\Documents and Settings folder and the SI Agent on server2 locking down only C:\Users\All Users folder.

Doc_ID 371 253

l File System filter – Paths identified:

l C:\Documents and Settings (EXAMPLE\server1)

l C:\Users\All Users (EXAMPLE\server2)

l Additional Agents filter – Agents selected:

l EXAMPLE\server1

l EXAMPLE\server3

By adding the SI Agents on server1 and server3 in the Additional Agents filter, then server1 and server3 lockdown both folder paths, but server2 will only lockdown the C:\Users\All Users folder.

Event data collected by the policies with this Event Type are also available for consumption by StealthAUDIT if the File System StealthAUDIT Event Type is used by the same enabled policy.

CAUTION: Lockdown/blocking policies with blank filters result in everything being locked down or blocked.

File System StealthAUDIT Event Type The Event Filters for the File System StealthAUDIT Event Type are:

l AD Perpetrator Filter for Lockdown

l File System Agents Filter

l Processes and Configuration Filter

l Perpetrators to Exclude Filter

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

This Event Type is specifically designed to capture Windows file system activity events for consumption by StealthAUDIT.

These events are not captured in the StealthINTERCEPT database, but are collected in a data file which can be read by the File System Activity Auditing collection component. See the StealthAUDIT File System Solution Admin Guide for information on this collection component.

Event data collected by the policies with this Event Type are also available for consumption by StealthAUDIT if the File System StealthAUDIT Event Type is used by the same enabled policy.

FSMO Role Monitoring The Event Filters for the FSMO Role Monitoring Event Type are:

Doc_ID 371 254

l FSMO Roles Filter

l Domains/Servers Filter

l AD Perpetrator Filter for Monitoring

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

StealthINTERCEPT for LDAP Solution Event Type The following Event Type is available for the Solution Overview:

l LDAP Lockdown Event Type

l LDAP Monitoring Event Type

This event type is available through the following Licensed Modules:

Licensed Module Available Event Type

LDAP Monitoring Module LDAP Lockdown Event Type

*Requires Active Directory Changes Module LDAP Monitoring Event Type

LDAP Operations Center

LDAP Lockdown Event Type The Event Filters for the LDAP Lockdown Event Type are:

l LDAP Filter

l Domains/Servers Filter

l AD Perpetrator Filter for Lockdown

l LDAP Query Filter for Lockdown

l LDAP Result Filter

l Rule Preview Filter

l Hosts (from) Filter for Lockdown

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

Doc_ID 371 255

This event type cannot be used in a policy with any other event type. It must be the only event type assigned to the policy.

LDAP Monitoring Event Type The Event Filters for the LDAP Monitoring Event Type are:

l LDAP Filter

l LDAP Runtime Filter

l Domains/Servers Filter

l Success Filter

l AD Perpetrator Filter for Monitoring

l LDAP Query Filter for Monitoring

l LDAP Result Filter

l LDAP Attributes Filter

l Hosts (from) Filter for Monitoring

l Rule Preview Filter

Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated like an "ALL" for that filter set.

NOTE: The LDAP Monitoring Event Type is specifically used to create LDAP Event policies. Use the LDAP Operations Center to create LDAP Operations policies.

This event type cannot be used in a policy with any other event type. It must be the only event type assigned to the policy.

Configure LDAP Monitoring for StealthDEFEND Follow the steps to configure LDAP monitoring for StealthDEFEND.

Step 1 – In the StealthINTERCEPT Administration Console, find and select the “StealthDEFEND for AD LDAP” policy template. If none is deployed, see the Import SI Pre-Created Policy Templates section.

Step 2 – Select the Event Type tab.

Doc_ID 371 256

Step 3 – Under Event Filters select LDAP Query. If the Include LDAP Queries list is empty, select the other LDAP Monitoring event type in the list above.

Step 4 – Scroll to the bottom of the Include LDAP Queries list.

Step 5 – Select the line below the last existing query filter and paste the string copied form StealthDEFEND. For example:

Remember, the Honeytoken tab of the SStealthDEFEND Configuration window must be configured in order to successfully send LDAP Monitoring data to StealthDEFEND.

General Tab The General tab is for editing the basic attributes of the policy. It is also the only tab where policy configuration differs from template configuration. A policy’s General tab includes the policy status which indicates whether or not the policy is enabled. This does not apply to a template and is therefore not on a template’s General tab.

Doc_ID 371 257

Policy General Tab Template General Tab

Policy Status

It indicates whether or not the policy is enabled. Click the button in front of the policy status to toggle between Disabled and Enabled. This setting is indicated for each policy within the list available on the Policies node of the Policies Interface, where Enabled is represented with a green dot and Disabled is represented with a gray dot.

Name

The policy/template name should be unique and descriptive. This information is visible for each policy within the list available on the Policies node of the Policies Interface and for each template within the list available on the Templates node of the Templates Interface.

Description

The policy/template description is optional but recommended. Since each policy can be configured to be as broad or narrow as desired, the name combined with the description should clearly explain what objects and events it monitors/blocks, where in the network it looks, and when it is active. This information is visible for each policy within the list available on the Policies node of the Policies Interface and for each template within the list available on the Templates node of the Templates Interface.

Tags

Tags are enabled as an organizational tool for templates only. Many preconfigured templates have tags which enable users to quickly find a desired template though various groupings. Tags do not create a duplicate template, but rather display the template in different folders under the

Doc_ID 371 258

TAGS node. Multiple tags can be identified for a template with a comma-separated list. New tags can be created which create a new folder under the TAGS node. Use the right-click Refresh option on the TAGS node in the Navigation pane to display new tags and/or display template-tag modifications. See the Policy Templates section for additional information.

History

The center section of this tab is automatically populated after a policy/template is created or modified.

It contains read-only historical information on who added the policy/template (Added by), when the policy/template was added (Added on), who made the latest modification (Modified by), and when the latest modification occurred (Modified on).

Schedule

The policy/template schedule is for setting the time period for policy monitoring/blocking.

Icon Label Represents

Indicates the policy is active at all times when Always Active enabled. This is the default setting

Doc_ID 371 259

Icon Label Represents

Indicates the policy is active only at the specified times when enabled. There are two options for setting the specified times: Active at Specified l Local Server Time – Schedule is set according to Times the local server’s time

l UTC Time – Schedule is set according to the Universal Time (UTC)

Any new policies created from templates automatically apply the template’s setting, which can then be modified as desired. This information is visible for each policy within the list available on the Policies node of the Policies Interface and for each template within the list available on the Templates node of the Templates Interface. Active at Specified Times is represented by a clock icon, and Always Active is represented with no icon, or blank.

Weekly Calendar

The weekly calendar at the bottom of the schedule section is where the specified times for the policy schedule is set.

Doc_ID 371 260

When the schedule is set to Always Active, the weekly calendar is grayed-out.

Doc_ID 371 261

When the schedule is set to Active at Specified Times, the weekly calendar is enabled. Each block of time on the calendar represents a 30-minute period.

l Blue blocks – Active times for the policy

l White blocks– Inactive times for the policy

The schedule can be set or modified by:

l Click an individual time-block to toggle between active and inactive for a single 30-minute period.

l Click a time-block in the All row to toggle between active and inactive for an entire column of blocks for all days of the week.

l Click a day block in the first column to toggle between active and inactive for an entire row of blocks for a full day.

All changes made to a policy or a template must be saved before leaving the configuration interface.

Recent Events Tab The Recent Events tab provides information on the events that have been recently monitored or blocked by the selected policy. See the Investigate Interface for recent events monitored or blocked by all policies.

Doc_ID 371 262

The Recent Events tab has the following options on the top toolbar:

l Recent [number] Events – Populates the data grid with the most recent events from the active policy. Use the textbox to change the default number of 100.

l Events for Last [number] Hours – Populates the data grid with hourly events. Use the textbox to change the default number of three hours.

l Range From/To – Displays only the events that occurred within the given timeframe

l Refresh button – Updates grid with any new events

l Show All Columns – Resets hidden columns to their default location on the data grid

l Export Data– Opens the Export window with export actions and options

Below is an example of how to use the Recent Events data grid Events for Last [number] Hours option:

Doc_ID 371 263

monitoring events is in London, UK (UTC +0). If the Refresh button is pressed at noon New York time, then the events displayed would have been monitored between 8 A.M. and 12 P.M. New York time, or between 1 P.M. and 5 P.M. London time.

The data grid can be filtered according to the Event Tracker Status:

l All

l New

l Reviewed

See the Event Tracker Window section for additional information.

The data grid for the Recent Events tab includes the following information for each event, listed below in the default order of the data grid columns: