An action link is a clickable search link displayed to the left of a details page for an object. Action links are a way to enhance the cohesion of data that is linked in any way and enrich the context for the data you discover.
IT Security Search provides a number of action links out of the box. For example, you get the Files and folders owned by this user link when you view the details of a user and the Who changed permissions on this file link for a file. In addition to such bundled action links, you can define your own and bring them into your IT Security Search deployment using an import operation.
To define an action link, you need to create a valid YAML file that specifies the details of that link. A single YAML file can contain definitions of multiple action links along with definitions of saved searches. If action links and saved searches are in a the same YAML file, that doesn't mean they are associated with one another in any way. Each one is defined individually, and you can group them into files however you like.
The following is an example of two YAML-formatted action link definitions specified after saved search definitions in a single file. If you need additional information about the valid format, see the documentation at https://yaml.org.
SavedSearches:
...
ActionLinks:
- Name: Logons by this user
Query: 'Who:"{LogonName}" AND (What:authentication OR What:logon)'
Source: Users
Target: Events
Condition: '-Department:Management'
Tags:
- My company's action link kit
- OnPremise
- Name: Applications for this tenant
Query: 'objecttype="Azure Applications" AND Tenant:"{name}"'
Source: Azure Tenants
Target: Azure Applications
Tags:
- My company's action link kit
- Cloud
- Name: Find this event in Event-o-pedia
Query: 'http://eventopedia.cloudapp.net/?EventID={EventID}'
Source: Events
External: true
The following fields are required in an action link definition (mandatory fields are bolded):
Only IT Security Search administrators can import and reset actions links. To import action links, click the drop-down icon at the left edge of the search box and select Import. Note that both action links and saved searches are imported by this action. If you want strictly action links, don't include any saved searches in the *.yaml file intended for import.
NOTES:
|
To remove all custom action links and restore the default set, click the Reset Actions button, which is at the top of the Actions section in object details. Note that the button removes all custom action links for all object types and leaves only the default set.
The following examples explain how IT Security Search tools can be applied in practice to real-life situations.
To find events where a particular user is somehow involved (as the doer or as a subject), run a search for any of the variety of names that identify the user in the environment. You can supply the first name, last name, full name, logon name and so on.
The results of your search put the most relevant matching users at the top of the list. If there are too many matches, refine the results using facets.
From a different perspective, if you need to find a user whose name you are not sure about but whose manager's name you remember, try searching for the manager's name, then opening the details of the manager's user account and finding the user you are looking for among the manager's direct reports.
A typical use case is tracking the activity that involved a particular object, such as a file, folder, group or user account. You begin by finding this object; this provides a starting point and a context for your session. The next step is to use the links in the object's details view. This is the easiest way to create a context and filter out irrelevant data.
Another option is to start with events directly, especially if you expect to find specific events within a specific period of time. To specify the period, use the date range filter. The graphical timeline in the result grid can help you quickly locate peaks of activity that need closer examination.
For example, suppose you have discovered an unknown application called testaadapp in your Azure environment, and you want to know how it got there. To find the relevant events, run a search like the following:
testaadapp AND description:"add"
In the events that you find, use the Who link to discover who added the application.
You can learn a lot about a security incident just by looking at the initiator of an event and the account or object affected by the event. For this common pattern, the Who and Whom fields are defined for a variety of events. This gives you a consistent analysis tool, no matter what event fields the relevant data is actually stored in.
The technique is especially useful when you are looking at the account management activity of a particular user with administrative privileges.
IT Security Search provides quick access to information about files and folders owned by a user and all permissions assigned to the user; for that, use the Files and folders owned by this user, Files and folders where this user has direct permissions and Files and folders where this user has permissions (both direct and indirect) links in the details view for the user you are interested in.
Conversely, if you start with a particular file or folder, its details contain a table of permissions, which can prompt your further steps.
You can easily follow permission assignment activity using the Who changed permissions on this file and Who changed permissions on this folder links in the details view of a file or folder, respectively.
Object change history is available only if the Recovery Manager for Active Directory connector is enabled. For information about changes to an object and recovery tools, go to the History tab on the object's details page. This tab has two modes: Changes and Backups.
In Backups mode, the most recent backup states (three by default) of the object are shown, with details about how their attribute values differ from the current state. You can fully restore any of these states by clicking the Restore from backup link for that state.
In Changes mode, you have more fine-grained control and can view and roll back individual attribute changes. All changes recorded in the most recent backups are shown, including the "before" and "after" values, and you can sort them by attribute name or by date. To roll back individual changes, select their check boxes in the table and click the Revert to the previous attribute state link.
NOTE: In Changes mode, the date shown for a particular change is the date of the backup that contains information about that change. The date can be empty, meaning that the change is recent and has not been recorded in any backup state. |
You can track attempts to probe Active Directory prior to intrusion. One symptom of such activity is a trail of LDAP queries from unlikely workstations or by suspicious accounts. It may mean an effort to find vulnerable Active Directory accounts with administrative privileges. The following types of LDAP query in quick succession are telltale signs of this:
In IT Security Search, you can track such queries by running the following search:
What:"AD Query Performed"
In the search results, examine the LDAP - Attributes and LDAP - Filter fields.
In the following examples, trustedworkstation1 and trustedworkstation2 are computers where you don't consider running LDAP queries suspicious; with all other workstations, it's best to take a closer look.
Similar suspicious behavior often precedes pass-the-hash attacks that rely on stored password hashes. In this case, it can be accompanied by series of remote logon attempts to computers in the network. To capture such activity, you should also search for logon events that occurred around the same time as the LDAP queries you found.
See also the following topics for examples of investigations that IT Security Search can help carry out:
Suppose a critical file (such as a project roadmap or payroll file) is showing signs of tampering. You want to use IT Security Search to look into this.
To make the investigation as efficient as possible, make sure that data from the following sources is available:
You are about to examine the circumstances of file modifications, so it makes sense to start by finding the affected file. This will provide clues about where to go next and also mark a point (as a breadcrumb) that you can always fall back to, even if your next steps take you too far.
When you have found the file, open its full details and use the Who accessed this file link provided in that view. In the list of events that are found, find a "File changed" event and use the What facet to filter out other types of events. Try to spot any unlikely users in the list of file change events.
Suppose you find an event by a user who is not meant to have access to the file. Note the time of the event, and then open the details of the event and click the user name. In the the user details view that opens, click the Files and folder where this user has permissions link. If the file in question is not listed, that means the permissions have been rolled back by now—likely a piece of incriminating data.
You can also view the entire history of permission management for the file. Use the breadcrumbs to go back to the file details view, and click the Who granted permissions to this file link.
Use the breadcrumbs to go back to the user details view, and click the Activity initiated by this user link. Use the time range filter to restrict the results to a period around the time of the suspicious file modification. The results may reveal noteworthy details about the situation. Consider examining InTrust-specific user session events for the following clues:
In addition, check if there were any attempts to clear security logs.
Suppose a user complains about being unable to log in through VPN. Use IT Security Search to investigate and resolve the situation.
For best results, enable the following connectors:
You should start by searching for the David Shore user account, which is having problems. To get results quickly, use the Whom:"David Shore" query. This will take you directly to the events that affected the account.
Suppose the search results include group membership change events from InTrust and Change Auditor indicating that the user was removed from one or more groups. Examine these events and find the one about the group used for providing VPN access. Note that the timestamp of the event is later than the last Active Directory backup. Also note the other event details such as who did this.
In the breadcrumbs line, click the user name to open the user details, and go to the History tab. In the change history view on the Backups tab, locate the state before the VPN-related group membership change, and click the corresponding Restore from backup link.
VPN access for David Shore is restored now, and you know who interfered with his group membership.
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center