EventSentry v6: Azure Logs, HEC, Sigma, Log Signing & More

Azure Logs

Even though the shift to the cloud has slowed recently as many businesses are moving certain workloads back on-premise, Microsoft Exchange remains one cloud-based service that most organizations continue to embrace – despite its frequent outages. This doesn’t come as a surprise, as Microsoft has successfully devolved on-prem Exchange Server – the only viable alternative – into an unfriendly dragon that even experienced sysadmins won’t touch with a 10 ft pole. I’d rather compile the kernel of a rare Linux distro on a mobile phone than administer Exchange 2019.

Importing Azure logs was already possible in EventSentry v5.2 with a manual setup, but EventSentry v6 makes this significantly easier now that the functionality is fully integrated. Setting it up is straightforward and uses the existing delimited log file feature that you may already be familiar with (which has also been simplified!):

  • Create Microsoft Cloud credentials
  • Create or reuse a log file definition (e.g. Azure Sign-In Logs)
  • Create a log file + assign the previously created credentials

It’s possible to assign multiple credentials to a single log file, for example if you’re an MSP that needs to monitor Azure Sign-In Logs from multiple clients.

Logs are downloaded by the new EventSentry Sync service, which also converts the JSON-based logs to CSV format so they can be imported by the agent. You can configure how often logs are downloaded and whether temporary files are kept or deleted. Accessing the logs works just like accessing other on-prem delimited logs such as DHCP and IIS logs – via FEATURES -> LOGS -> Delimited Log Files in the web reports.

HEC: HTTP Event Collector

EventSentry already supports a variety of log sources like log files, Syslog, SNMP and more. The new HTTP Receiver – a component of the network services – can receive remote logs via HTTP in either CSV or JSON format. The process is similar to the aforementioned Sync service, except that the HTTP Receiver saves the received logs in a temporary directory, from where they are picked up, converted (if necessary) and processed by the EventSentry agent.

Many network devices support exporting logs via HTTP, including Palo Alto, Fortinet, SonicWall and more. To enable the HTTP Receiver, simply navigate to “Network Services -> HTTP Receiver” in the management console.
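The JSON-to-CSV step that both the Sync service and the HTTP Receiver perform before the agent imports a delimited log, as an added Python example (not EventSentry’s own code): nested objects are flattened into dotted column names and rows are written in a fixed column order, so the delimited log definition stays stable even when a record carries extra or missing fields. The sample records are constructed; their field names are loosely modelled on the Microsoft Graph sign-in schema, and the chosen column list is an assumption.

```python
"""Flatten JSON log records (as delivered by a cloud API or an HTTP collector)
into CSV rows with a fixed column order, so a delimited-log parser can consume
them.  Added illustration, not EventSentry's own conversion code."""
import csv
import io
import json
from typing import Any, Dict, Iterable, List

# Constructed sample: two sign-in records.  Field names are loosely modelled on
# the Microsoft Graph sign-in schema; values are made up (TEST-NET addresses).
SAMPLE_JSON = """
[
  {"createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": "alice@example.test",
   "ipAddress": "203.0.113.10", "status": {"errorCode": 0, "failureReason": "Other."},
   "location": {"city": "Chicago", "countryOrRegion": "US"}},
  {"createdDateTime": "2024-05-01T08:01:30Z", "userPrincipalName": "bob@example.test",
   "ipAddress": "198.51.100.7", "status": {"errorCode": 50126, "failureReason": "Invalid username or password."},
   "location": {"city": "Berlin", "countryOrRegion": "DE"}}
]
"""

def flatten(record: Dict[str, Any], prefix: str = "") -> Dict[str, str]:
    """Turn nested objects into dotted keys: {"status": {"errorCode": 0}} -> {"status.errorCode": "0"}.
    Lists collapse into one ';'-separated cell; null becomes an empty cell."""
    out: Dict[str, str] = {}
    for key, value in record.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        elif isinstance(value, list):
            out[name] = ";".join(str(v) for v in value)
        elif value is None:
            out[name] = ""
        else:
            out[name] = str(value)
    return out

def json_to_csv(json_text: str, columns: List[str]) -> str:
    """Convert a JSON array (or a single object) into CSV with the given column order.
    Columns absent from a record are left empty and unknown fields are dropped, which
    keeps the layout identical from file to file for the delimited-log definition."""
    data = json.loads(json_text)
    records: Iterable[Dict[str, Any]] = data if isinstance(data, list) else [data]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerow(flatten(rec))
    return buf.getvalue()

# Assumed column set for a sign-in log definition
COLUMNS = ["createdDateTime", "userPrincipalName", "ipAddress",
           "status.errorCode", "status.failureReason", "location.city", "location.countryOrRegion"]

if __name__ == "__main__":
    print(json_to_csv(SAMPLE_JSON, COLUMNS))
```

Pinning the column list, rather than deriving it from whatever keys the first record happens to contain, is what makes the output safe to feed into a parser that was configured once: a new field added upstream lands in no column instead of shifting every column to its right.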

Sigma

Sigma is a vendor-agnostic, YAML-based format for describing threat detection rules. It allows security researchers to write a detection rule once – instead of having to convert it into one or more proprietary formats. You can then use commercial services like SOC Prime or tools to convert the Sigma rules into the format your SIEM uses. This lets security researchers focus on what they do best – identifying and documenting threats.

Here at EventSentry we think that converting Sigma rules into event log filters is boring, so we added native Sigma support to EventSentry. This means that you can take a Sigma rule “as is” and simply paste it into an event log filter. This has a number of benefits:

  • Sigma rules are evaluated at the agent – in real time
  • No need to convert Sigma rules
  • Ability to create complex detection rules in Sigma format

We hate to admit it, but Sigma rules can express more complex conditions than EventSentry’s content filters. For example, with Sigma you can match conditions like

(event id = 1 and text includes “myapp.exe”) or (event id = 2 and text includes “thisprogram.exe”)
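The condition above written as a Sigma detection section, together with a small evaluator that runs it against sample events, as an added example (not EventSentry’s matching engine): two selections, each AND-ing its field clauses, combined by the rule’s `condition` line. The evaluator supports only a subset of Sigma (the `contains`, `startswith` and `endswith` modifiers, list values, and conditions built from selection names with `and`, `or`, `not` and parentheses); the events, field names `EventID`/`CommandLine` and selection names are constructed.

```python
"""Evaluate the 'detection' section of a Sigma rule against sample events.
Added illustration of how a Sigma-style rule is matched, not EventSentry's
engine; it supports only a subset of Sigma (field|contains, |startswith,
|endswith, list values, and conditions made of selection names, and/or/not
and parentheses)."""
import re
from typing import Any, Dict, List

# The condition from the text, (event id = 1 and text includes "myapp.exe") or
# (event id = 2 and text includes "thisprogram.exe"), as Sigma expresses it:
#   detection:
#     sel_a:
#       EventID: 1
#       CommandLine|contains: 'myapp.exe'
#     sel_b:
#       EventID: 2
#       CommandLine|contains: 'thisprogram.exe'
#     condition: sel_a or sel_b
# Held as a dict so no YAML library is required.
RULE_DETECTION: Dict[str, Any] = {
    "sel_a": {"EventID": 1, "CommandLine|contains": "myapp.exe"},
    "sel_b": {"EventID": 2, "CommandLine|contains": "thisprogram.exe"},
    "condition": "sel_a or sel_b",
}

def _match_value(actual: Any, expected: Any, modifier: str) -> bool:
    a, e = str(actual).lower(), str(expected).lower()  # Sigma strings match case-insensitively
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e

def selection_matches(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Every field clause of a selection must hold; a list value means any-of."""
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if field not in event or not any(_match_value(event[field], v, modifier) for v in values):
            return False
    return True

def evaluate_condition(condition: str, truth: Dict[str, bool]) -> bool:
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | selection-name."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def take() -> str:
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def factor() -> bool:
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        return truth[tok]

    def term() -> bool:
        value = factor()
        while peek() == "and":
            take()
            value = factor() and value  # right side always evaluated so its tokens are consumed
        return value

    def expr() -> bool:
        value = term()
        while peek() == "or":
            take()
            value = term() or value
        return value

    result = expr()
    if peek() is not None:
        raise ValueError("trailing tokens in condition")
    return result

def rule_matches(detection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    truth = {name: selection_matches(sel, event) for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], truth)

# Constructed sample events using Sysmon-style field names
EVENTS: List[Dict[str, Any]] = [
    {"EventID": 1, "CommandLine": r"C:\Tools\MyApp.exe --run"},
    {"EventID": 2, "CommandLine": r"C:\Tools\MyApp.exe --run"},
    {"EventID": 2, "CommandLine": r"C:\Other\ThisProgram.exe"},
    {"EventID": 3, "CommandLine": r"C:\Other\ThisProgram.exe"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(rule_matches(RULE_DETECTION, ev), ev)
```

Only the first and third sample events match: the second has the right command line for `sel_a` but the wrong event ID, which is exactly the per-selection AND that a flat content filter cannot express.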

Log Signing

Cryptographically signing logs is sometimes necessary for regulatory compliance and in high-security environments. Log signing ensures that collected log data has not been removed or tampered with. Implementing log signing is a fairly complex endeavor, and we solved it in a straightforward way in this first implementation.

Event log & Syslog data can now be cryptographically signed by storing log data in a text file (“File Action”) and signing the created files using OpenSSL, which is now included in the latest installer. Signing log data in files has a number of advantages:

  • The existing mechanism for consolidating log data in the database remains unaffected
  • Signed logs can be stored on any medium that exposes NTFS/SMB, including WORM
  • The log destination can be in a completely different security context – denying EventSentry admins modify access

Even when the signed logs are stored on the same server where EventSentry is installed, timestamping ensures that the logs cannot be modified & re-signed without detection. By default, new log files are created & signed every minute, reducing overhead and making it easy to detect deleted logs.

It’s important to note that viewing & verifying logs is a manual process and requires the use of an (included) command-line script.
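The per-minute signing scheme with its two detection goals (tampered content and deleted files), as an added Python example that is not EventSentry’s signing script: each minute’s file gets a detached signature, and the verifier reports files whose signature no longer matches and minutes for which no file exists between the first and last one. The product signs with OpenSSL and adds a timestamp; this stand-alone example substitutes an HMAC-SHA256 key so it runs with the standard library only, and a trusted timestamp is not modelled. Key, file names and log lines are constructed.

```python
"""Per-minute log files with detached signatures, plus a verifier that reports
tampered files and missing minutes.  Added illustration of the scheme
described above; EventSentry signs with OpenSSL (public-key signatures and
timestamps), whereas this example uses an HMAC-SHA256 key as a stand-in so it
runs with the Python standard library only."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed demo key.  In a real deployment the signing key and the log
# destination live outside the security context of the log writer's admins.
SIGNING_KEY = b"demo-only-key-not-for-production"

def sign(data: bytes, key: bytes = SIGNING_KEY) -> str:
    """Detached signature for one log file (hex)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def minute_name(ts: datetime) -> str:
    """File name encodes the minute; gaps can only be found if the cadence is visible."""
    return ts.strftime("%Y%m%d-%H%M") + ".log"

def write_minute_files(start: datetime, lines_per_minute: List[List[str]]) -> Dict[str, Tuple[bytes, str]]:
    """Simulate the File Action: one file per minute, signed as it is closed.
    Returns {file name: (content, signature)}."""
    files: Dict[str, Tuple[bytes, str]] = {}
    for i, lines in enumerate(lines_per_minute):
        ts = start + timedelta(minutes=i)
        body = "".join(f"{ts.isoformat()} {line}\n" for line in lines).encode()
        files[minute_name(ts)] = (body, sign(body))
    return files

def verify(files: Dict[str, Tuple[bytes, str]], key: bytes = SIGNING_KEY) -> Dict[str, List[str]]:
    """Return {'tampered': [...], 'missing': [...]}.  Tampered: content no longer
    matches its signature.  Missing: a minute between the first and last file
    has no file at all, which is what a deleted file leaves behind."""
    report: Dict[str, List[str]] = {"tampered": [], "missing": []}
    for name, (body, sig) in sorted(files.items()):
        if not hmac.compare_digest(sign(body, key), sig):
            report["tampered"].append(name)
    stamps = sorted(datetime.strptime(n[:-4], "%Y%m%d-%H%M").replace(tzinfo=timezone.utc) for n in files)
    if stamps:
        cur = stamps[0]
        while cur < stamps[-1]:
            if minute_name(cur) not in files:
                report["missing"].append(minute_name(cur))
            cur += timedelta(minutes=1)
    return report

def demo() -> Dict[str, List[str]]:
    start = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
    files = write_minute_files(start, [           # constructed log lines
        ["4624 logon alice"], ["4688 process whoami.exe"],
        ["4634 logoff alice"], ["4688 process reg.exe"],
    ])
    # Simulate what the verifier must catch: one file edited after signing, one removed.
    edited = minute_name(start + timedelta(minutes=1))
    body, sig = files[edited]
    files[edited] = (body.replace(b"whoami.exe", b"notepad.exe"), sig)
    del files[minute_name(start + timedelta(minutes=2))]
    return verify(files)

if __name__ == "__main__":
    print(demo())
```

The gap check is the reason a fixed cadence matters: with one signed file per minute, a missing file is a positive finding rather than an absence nobody can reason about. Note that deleting the newest file is not caught by this check alone, which is one of the things an external timestamp or a chained signature over the previous file's digest addresses.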

Anomaly Baseline

Anomaly detection not only helps detect anomalies like new processes, but can also visualize the collected data and provide insight into activity on servers and endpoints. For example, the anomaly baseline can show:

  • all parent/child process relationships
  • all user/process relationships
  • all DLLs loaded by a process (requires Sysmon)
  • all User/Pipe connections

Anomaly baseline data is populated automatically when an anomaly filter is configured to use the collector, so it’s recommended to enable “Filter on Collector” for all anomaly rules.

Web Reports

You can now activate HTTPS in the web reports without having to run scripts and edit configuration files – simply enable HTTPS while setting up the web reports and the rest is done automagically for you!

All hosts can now be assigned a physical location, which can then be used to filter search results on all search pages. Additional map-based pages will be added in future releases.

A new auto-complete menu makes writing search queries significantly easier and more convenient.

Switch port mapping now includes an Overview tab which visualizes all switch port connections with an intuitive map that takes the new location settings into consideration as well.

In an effort to modernize the UI in the web reports and take advantage of new web technologies, support for Internet Explorer had to be dropped – as such you won’t be able to use IE to access the web reports anymore.

Other improvements include support for secondary LDAP servers, an improved collector status which now shows the TLS version, the last time the BIOS was updated and more.

Other Improvements & Features

OAuth support was added to email and HTTP actions – emails can now be sent via Office 365 and Google’s Gmail without using an SMTP server (the email dialog has been optimized as well). HTTP actions can now authenticate with OAuth too.

EventSentry now also includes a secondary installer which can be used to install the collector, network services and heartbeat services on remote hosts. In the past, setting up any of these services required a lot of manual steps which are now automated with the new installer (ADMonitor is not included as it requires additional steps unique to ADMonitor).

Deploying EventSentry has also been simplified by supporting an unattended installation of the main EventSentry installer, including the web reports. Agent-based installations now also support an alias option (intended to be used with MSI-based agent installations), allowing the assignment of virtual host names at MSI installation-time to any agent.

Performance of the large file enumeration feature, which is part of disk space monitoring, has been vastly improved by scanning the MFT directly. This feature scans every monitored volume to find the 250 largest files, which can be time-consuming on large volumes and/or slower hosts. Scanning the MFT instead of walking the file system takes only a fraction of the time compared with earlier versions.

Sync Service

EventSentry v6 also sports a new service, the “EventSentry Sync” service. In addition to downloading Azure-based logs, the Sync service can also download validation script updates in the background and ensure that core EventSentry services are always running.

Users with an active maintenance agreement can download EventSentry v6 either from within the EventSentry Management Console, or by downloading the installer from the customer area. If you’re not an EventSentry customer yet then you can start an EventSentry evaluation.

EventSentry v5.2: Processes, Security & Inventory

The latest iteration of EventSentry adds many powerful security features, continuing to enhance EventSentry’s ability to improve the security of Windows-based networks by strengthening its foundation and detecting suspicious behavior.

Local Inventory

EventSentry already provides an impressive inventory of monitored endpoints, including software, browser extensions, hardware, services, tasks and much more. Being added to the mix are:

  • Local Users
  • Local Groups
  • (File) Shares

As such, you can now review all local users & groups that exist across your entire infrastructure, making it easy to identify administrative as well as suspicious or unneeded user accounts. Providing insight into all shared resources across the network again lets Sysadmins spot unnecessary or insecure local file shares.

Sysmon Management

The Sysmon utility, part of the Microsoft Sysinternals Suite, is a powerful, free add-on which is already tightly integrated in EventSentry via the Process Sysmon feature, which tracks network activity by individual processes. And while Sysmon is a great utility, it does have a major flaw: Deployment (or lack thereof). Installing and maintaining Sysmon is a manual process that doesn’t scale well across larger enterprises. But EventSentry users neither need to worry about maintaining the latest version of Sysmon nor keeping the Sysmon configuration updated – the new Sysmon management feature takes care of both! Simply point EventSentry to the Sysmon URL (or a local copy), specify a configuration file (of course we ship one) and move on!

Tackle Compromised & Duplicate Active Directory Passwords

ADMonitor users can now take advantage of two powerful features to strengthen the security of their Active Directory domains:

  • Identify Compromised Passwords
  • Identify Duplicate Passwords

ADMonitor can now query the haveibeenpwned.com web site to identify AD user accounts with a password that has been previously compromised in a data breach. A user account flagged by ADMonitor indicates that the password of this particular user has been part of a breach at some point – it doesn’t mean that this particular AD user account has been breached.

Multiple user accounts sharing the same password create a number of security risks, but this usually remains undetected. ADMonitor in v5.2 can now detect duplicate passwords, that is, more than one AD user account using the exact same password.

Taking advantage of these new features – combined with the standard ADMonitor functionality and validation scripts – significantly strengthens the security of your Active Directory domain.
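The two checks described above, as an added Python example that is not ADMonitor’s code: a Have I Been Pwned range lookup using the k-anonymity API (only the first five hex characters of the password’s SHA-1 hash leave the host, and the match is made locally against the returned suffixes), and duplicate-password detection by grouping accounts on a password hash. The range reply is a constructed stand-in for the HTTPS response of https://api.pwnedpasswords.com/range/<prefix>, the accounts and passwords are constructed, and the use of SHA-1 over a plaintext for the duplicate grouping is a simplification (ADMonitor works from the directory’s own hashes).

```python
"""Two password checks of the kind described above, as an added illustration
(not ADMonitor's code): (1) a Have I Been Pwned range lookup with the
k-anonymity API, where only the first five hex characters of the SHA-1 hash
leave the host; (2) duplicate-password detection by grouping accounts on a
password hash.  The range reply, accounts and passwords are constructed."""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """fetch_range(prefix) returns the body for /range/<prefix>, one
    'SUFFIX:COUNT' per line.  Returns the breach count, 0 if the password
    is absent.  Only the 5-character prefix is ever sent to the service."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)
    return 0

def find_duplicate_passwords(account_hashes: Dict[str, str]) -> List[List[str]]:
    """Group accounts whose password hashes are identical.  Identical passwords
    give identical hashes, so no plaintext is needed for this comparison."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for account, digest in account_hashes.items():
        groups[digest].append(account)
    return sorted(members for members in groups.values() if len(members) > 1)

# Constructed stand-in for the HTTPS fetcher.  5BAA6 is the real prefix of
# SHA-1("password"); the suffix list and the counts are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\n"
             "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2\n",
}

def constructed_fetch(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")
# A live fetcher would look like (not run here):
#   lambda p: urllib.request.urlopen("https://api.pwnedpasswords.com/range/" + p).read().decode()

CONSTRUCTED_ACCOUNTS = {  # account -> hash of its password (constructed)
    "alice": sha1_hex("password"),
    "bob": sha1_hex("correct horse battery staple"),
    "svc-backup": sha1_hex("password"),
    "carol": sha1_hex("Tr0ub4dor&3"),
}

if __name__ == "__main__":
    print("breach count for 'password':", pwned_count("password", constructed_fetch))
    print("accounts sharing a password:", find_duplicate_passwords(CONSTRUCTED_ACCOUNTS))
```

A hit from the range lookup means the password value has appeared in a breach corpus, which is the same distinction the text draws: it says nothing about whether this particular account was breached, only that the password is no longer safe to keep.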

Threat Scoring

Events can now be tagged with a “threat score”, usually a number between 0 and 100. The EventSentry agent then keeps track of these threat scores, adding them up as they occur and issuing alerts if the threat score exceeds a certain threshold within a configurable time period. This is somewhat similar to the already-existing “Filter Chaining” feature, albeit more flexible since it doesn’t require creating separate packages. Filter chaining is still around however, especially since it allows specifying the order in which events occur.

A practical example of threat scoring is the detection of admin tools that are often utilized by attackers when they gather information from a compromised host. We’re talking about apps like whoami.exe, ipconfig.exe, reg.exe, wmic.exe, systeminfo.exe and the like. They are occasionally used by system administrators and are harmless in isolation – but more than one of these EXEs running in close succession can be suspicious and should trigger a review. Furthermore, some EXEs are more dangerous than others, which the threat score can reflect: running ipconfig.exe should have a lower threat score than wmic.exe.

The most obvious application for threat scoring will be event id 4688 which is logged when a new process is started, but it can be applied to any type of event – e.g. Logon events, Sysmon events and others.
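The scoring mechanism described in the last three paragraphs, as an added Python example (not EventSentry’s agent code): each process-start event contributes its score to a per-host total kept over a sliding time window, and an alert is raised once the total within the window exceeds the threshold. The per-tool scores, the five-minute window, the threshold of 50 and the event sequence are all constructed values, not product defaults.

```python
"""Sliding-window threat scoring: every matching event adds its score to a
per-host running total, and an alert fires when the total within the window
exceeds the threshold.  Added illustration of the mechanism described above,
not EventSentry's code; scores, window and threshold are constructed values."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed per-image scores: tools with more reach score higher
SCORES = {"ipconfig.exe": 10, "whoami.exe": 15, "systeminfo.exe": 20, "reg.exe": 25, "wmic.exe": 30}
WINDOW = timedelta(minutes=5)
THRESHOLD = 50

class ThreatScorer:
    def __init__(self, window: timedelta = WINDOW, threshold: int = THRESHOLD) -> None:
        self.window = window
        self.threshold = threshold
        self._hits: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)

    def current_score(self, host: str) -> int:
        return sum(score for _, score in self._hits[host])

    def observe(self, host: str, when: datetime, image: str) -> Tuple[int, bool]:
        """Record one process-start (4688-style) event for a host and return
        (score within the window, alert raised?).  Events older than the window
        are expired first, so the total reflects recent activity only."""
        queue = self._hits[host]
        while queue and when - queue[0][0] > self.window:
            queue.popleft()
        score = SCORES.get(image.rsplit("\\", 1)[-1].lower(), 0)
        if score:
            queue.append((when, score))
        total = self.current_score(host)
        return total, total > self.threshold

def run_sample() -> List[Tuple[str, int, bool]]:
    """Constructed sequence: a burst of discovery tools on ws01, one tool on ws02,
    then a lone event on ws01 after the window has elapsed."""
    t0 = datetime(2024, 5, 1, 9, 0)
    events = [
        ("ws01", t0,                         r"C:\Windows\System32\ipconfig.exe"),
        ("ws01", t0 + timedelta(minutes=1),  r"C:\Windows\System32\whoami.exe"),
        ("ws02", t0 + timedelta(minutes=1),  r"C:\Windows\System32\wbem\wmic.exe"),
        ("ws01", t0 + timedelta(minutes=2),  r"C:\Windows\System32\systeminfo.exe"),
        ("ws01", t0 + timedelta(minutes=3),  r"C:\Windows\System32\wbem\wmic.exe"),
        ("ws01", t0 + timedelta(minutes=20), r"C:\Windows\System32\reg.exe"),
    ]
    scorer = ThreatScorer()
    return [(host,) + scorer.observe(host, when, image) for host, when, image in events]

if __name__ == "__main__":
    for host, total, alert in run_sample():
        print(f"{host}: score={total} alert={alert}")
```

Only the fourth ws01 event trips the alert (10 + 15 + 20 + 30 = 75 within five minutes); the single wmic.exe on ws02 stays below the threshold, and the reg.exe on ws01 seventeen minutes later starts from zero because the earlier hits have aged out. That expiry is what distinguishes a window-based score from a plain counter.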

Anomaly Detection v2: Fewer false positives

Anomaly detection, introduced in v5.1, is an easy way to flag potentially suspicious activity or detect previously unseen patterns: logons from new users, new processes and more. For some use cases, like detecting new processes, anomaly detection could result in false positives. For example, a never-before-seen process on Host A could be triggered again on Host B – since the anomaly engine runs independently on each endpoint (agent).

In v5.2 anomalies can now be filtered on the collector, reducing most false positives if they occur on more than one host. Taking the previous example, the collector would suppress the “anomaly” flag on Host B since it was already registered by Host A earlier.
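The two-tier behaviour described above, as an added Python example (not EventSentry’s code): each agent flags a value it has never seen on its own host, and the collector suppresses that flag when any host already reported the same value, so Host B’s repeat of Host A’s process is no longer an anomaly. Keying the baseline on an event insertion string such as `NewProcessName` is an assumption about the general approach (the v5.1 section below notes that anomaly filters work from insertion strings), and the hosts and events are constructed.

```python
"""Two-tier anomaly detection: an agent flags a value it has never seen on
its own host; the collector then suppresses that flag when any host already
reported the same value.  Added illustration of the behaviour described
above (not EventSentry's code); keying the baseline on an insertion string
such as NewProcessName is an assumption about the general approach."""
from typing import Dict, List, Set, Tuple

class AgentAnomalyFilter:
    """Runs on one host: 'anomaly' means never seen on this host before."""
    def __init__(self) -> None:
        self.seen: Set[str] = set()

    def check(self, key: str) -> bool:
        if key in self.seen:
            return False
        self.seen.add(key)
        return True

class CollectorAnomalyFilter:
    """Central view across all agents: the first host to report a value keeps
    its anomaly flag; later hosts reporting the same value do not."""
    def __init__(self) -> None:
        self.first_seen_on: Dict[str, str] = {}

    def check(self, host: str, key: str, agent_flagged: bool) -> bool:
        if not agent_flagged:
            return False            # nothing to suppress
        if key in self.first_seen_on:
            return False            # already registered by another host
        self.first_seen_on[key] = host
        return True

def process(events: List[Tuple[str, Dict[str, str]]],
            key_field: str = "NewProcessName") -> List[Tuple[str, str, bool, bool]]:
    """Return (host, key, agent_anomaly, collector_anomaly) for each event."""
    agents: Dict[str, AgentAnomalyFilter] = {}
    collector = CollectorAnomalyFilter()
    results = []
    for host, event in events:
        key = event[key_field].lower()   # normalise so path case differences compare equal
        agent_flag = agents.setdefault(host, AgentAnomalyFilter()).check(key)
        collector_flag = collector.check(host, key, agent_flag)
        results.append((host, key, agent_flag, collector_flag))
    return results

# Constructed 4688-style events: (host, insertion strings)
SAMPLE_EVENTS = [
    ("hostA", {"NewProcessName": r"C:\Tools\newtool.exe"}),
    ("hostB", {"NewProcessName": r"C:\Tools\NewTool.exe"}),   # same process, second host
    ("hostA", {"NewProcessName": r"C:\Tools\newtool.exe"}),   # repeat on hostA
    ("hostB", {"NewProcessName": r"C:\Temp\odd.exe"}),        # genuinely new everywhere
]

if __name__ == "__main__":
    for row in process(SAMPLE_EVENTS):
        print(row)
```

The second event is the one the text is about: hostB’s agent reports it as new (it has never seen that image), but the collector already holds the key from hostA and drops the flag. The fourth event stays an anomaly at both tiers because no host has reported it.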

Searching Process Activity

Since EventSentry collects various process activity and information on multiple pages (process tracking, Sysmon, process status w/ netstat, services, …), adding a hybrid “Process Activity” page – similar to the current IP Activity & User Activity pages – became a necessity. This makes identifying (suspicious) processes extremely easy and fast – even stepping backwards through the parent processes. Process Activity supports searching through common process properties like process executable, PID and searches the following areas:

  • Currently Active Processes
  • Process Activity (Tracking & Sysmon)
  • Processes listening for incoming network connections
  • Services

Other New Features

  • Newly attached USB/BT keyboards are now detected and listed on the host inventory
  • Collector Client supports port knocking
  • Collector support for Process action
  • Process Spoofing Detection (identifying processes masquerading as part of Windows)

Web Reports

PWA Support
On Chrome and Edge web browsers, the web reports can now be run as a “Progressive Web Application”, which delivers an app-like experience of the EventSentry web reports on desktops.

Dashboard Tiles
The Acknowledge Tile has been improved to support different output styles as well as queries, allowing users to create multiple tiles for different purposes.

Syslog RegEx Support
Since Syslog messages tend to be unformatted and, as such, sometimes difficult to interpret, the Syslog search now supports overlaying RegEx queries to format Syslog messages. This was previously only supported in the dashboard.

NetFlow Top Connections
This new NetFlow tile vividly displays your network’s key host connections. Uncover traffic patterns effortlessly and group data by IP address, hostname, country, and more for actionable insights.

Other Web Reports Improvements

  • Improved Dashboard Manager with Sorting
  • 2FA Email Authentication

EventSentray

The task-bar utility which can be automatically deployed with the agent and is also available in the free Sysadmin Tools, now includes an activity dialog which displays real-time information about process, file, scheduled tasks & service activity. But that’s not all – the new process/service dialog allows for conveniently terminating processes and controlling services.

EventSentry v5.1: Anomaly Detection / Permission Inventory / Training Courses & More!

We’re extremely excited to announce the availability of EventSentry v5.1, which detects threats and suspicious behavior more effectively – while also providing users with additional reports and dashboards for CMMC and TISAX compliance. The usability of EventSentry was also improved across the board, making it easier to use, manage and maintain EventSentry on a day-to-day basis.

We also released 60+ training videos to help you get started and take EventSentry to the next level. The videos will be available to everyone for free both on YouTube and in your account area.

Anomaly Detection

One of the best real-time event log monitoring engines got a lot smarter in v5.1 and can now detect unusual behavior like the following:

  • A user who never logged on to a server/workstation
  • A user connects from a remote IP from which they don’t normally connect
  • A previously unknown process starts
  • A process loads a DLL it has never loaded before (requires Sysmon)

But the best part about the new Anomaly detection is that it’s customizable – so anybody can create their own anomaly rules based on their needs.

Anomaly filters utilize insertion strings of events, so they work best with well-formatted events from the security or Sysmon event logs.

EventSentry ships with a number of built-in anomaly filters; watch the official training video to understand how anomaly filters work before creating your own.

Database Maintenance & Web-Based DB Maintenance Jobs

Also new is the ability to schedule database maintenance jobs directly from the web reports – so it’s no longer necessary to create or edit (embedded) scripts, applications or task schedulers just to keep your database size in check. Simply schedule a job in the web reports and review the results after the job has completed. The maintenance jobs themselves have also been improved and will attempt to free up disk space after each purge cycle when using the built-in database.

We’ve also improved the database usage page, which now shows significantly more details about the database health, including trends to help identify features that are growing in size.

Dynamic Package Updates

Unlike validation scripts, which (can) automagically update in the background so you can enjoy the latest checks with the click of a button, package updates have been a bit slower and more clunky. But this is all in the past, as package updates now use the same update engine as our popular validation scripts and can seamlessly keep select packages up to date.

As such, users with active maintenance agreements can expect a lot more package updates to be made available to help you detect and defend against emerging threats. This new functionality also allows you to import filter rules in JSON format directly into the management console, e.g. from KB articles or blog posts.

Permission Inventory

Keeping NTFS file permissions clean and updated can be a tedious task. Even when you follow best practices (e.g. creating groups for each file share and assigning permissions to those groups), it can be quite difficult to stay on top of all file shares and folders, especially in medium and large-sized networks.

To which files and folders does a user have access? Who has access to critical folders?

EventSentry’s new permission inventory enumerates configured folders and their permissions (on a configurable schedule – e.g. daily), and presents them in the familiar Summary/Detailed view, making it straightforward to answer exactly those questions.

Watch the official training video for more information.

Improved Features

Every database-enabled feature in EventSentry can now store data in multiple databases, something that was previously only available in select features. This will make it easier to store all collected data in an active as well as an archive database simultaneously.

ADMonitor can now send data through the collector; it was previously the only EventSentry component without collector support.

EventSentray

EventSentray now also shows the network utilization and sports a useful “Internet Test” dialog which can test various aspects of your Internet connection – something that’s especially handy for mobile endpoints (aka “laptops”). The official training video has more information on EventSentray and how to configure & deploy it.

Compliance

Compliance requirements like CMMC, PCI, HIPAA, NIST and others continue to evolve and affect more and more companies. As important as compliance frameworks are in providing structure and guidance, companies often find it difficult to apply what are often vague rules and requirements.

Our new CMMC v2 and TISAX reports/dashboards bring together many features in EventSentry and provide a real-time status and overview of your compliance status. And our new dashboards provide actionable data that can be used to increase the security of your network – not just check boxes.

Usability Improvements

While every EventSentry release tends to incorporate little tweaks and improvements, v5.1 features many usability and troubleshooting enhancements:

  • Insertion strings in filters (when available) now show the name of the string instead of just the number, making it a lot easier to create and manage complex filters.
  • The “Save Configuration” prompt in the management console would often be displayed even when no changes were made. This has been improved significantly and you should see this prompt much less often in v5.1, with more improvements planned in future versions.
  • A new “GoTo” button will jump to any item in the tree that contains the specified text.
  • Collector users can see collector health right in the management console without having to access the web reports, while the collector status page in the web reports also shows the collector latency and throughput of individual agents.

EventSentry Training

In addition to EventSentry’s comprehensive documentation, all users now have access to 60+ free training videos – with a total runtime of over 10 hours – organized into playlists. All videos are accessible on our YouTube channel in the Playlists section, with a training section on eventsentry.com coming soon as well. We highly encourage you to browse the new training videos – they are useful for new and experienced users of EventSentry alike. Please upvote videos you enjoyed; we’re also happy to receive any feedback!

EventSentry on GitHub: PowerShell module, templates and more!

Since we’ve accumulated a lot of resources around EventSentry that are updated frequently, we’ve decided to launch a GitHub page where anyone can access and download scripts, configuration templates, screen backgrounds and our brand-new PowerShell module that is still under development.

We currently have 4 repositories available:

Scripts: Collection of scripts that can either be used in conjunction with EventSentry to enhance its monitoring capabilities or used independently to enhance security and automate tasks.

Configuration: Configuration templates for Ransomware and general security as well as a recommended Sysmon template.

PowerShell Module: The recently launched EventSentry PowerShell module supports the automation of a small number of EventSentry configuration tasks at this point, such as managing hosts and groups, adding maintenance schedules and more. Feel free to request additional cmdlets via support.

Screen Backgrounds: 6 different desktop backgrounds that you should immediately apply to the desktop of your EventSentry server.

Of course we encourage collaboration, especially in the scripts and configuration repositories. Please contact us if you have any questions.

Validating your IT environment, discovering browser extensions & more with EventSentry v4.2

This latest update to EventSentry improves your security posture with validation scripts, simplifies IT troubleshooting for both administrators and users, gives you visibility into installed browser extensions along with many other usability improvements in the web reports.

Validation Scripts

Proactively identifying (potentially) malicious behavior is the cornerstone of any security defense, and a key feature of log management / SIEM solutions. But many security violations are the direct consequence of incorrect or missing settings on endpoints.

Traditional log management solutions may show you when something is happening that shouldn’t be happening, yes. But wouldn’t it be better to assess key OS components and security settings on a regular basis, and identify known weaknesses?

Consider a motion-triggered camera that will let you know when somebody is snooping around your property at 3AM. That camera is extremely important, and the foundation of any serious property security system – without it, you wouldn’t even know what was going on!

But wouldn’t it be even better if somebody was inspecting your windows, fence and locks on a regular basis, to let you know if a door or window was unlocked, or an insecure lock was being used at one of the entrances? If your overall perimeter was more secure in the first place, there would be fewer potential intrusion attempts.

And that’s exactly what EventSentry’s 60+ validation scripts do. Our managed security & health checks continuously compare critical settings on your monitored hosts with our baseline, immediately indicating potential risks. These checks identify a wide variety of potential risks, such as:

  • A Windows server/workstation is not on the latest patch
  • Windows firewall is disabled
  • No A/V software installed
  • Insecure TLS protocols are enabled
  • Microsoft accounts aren’t blocked

EventSentry already includes a number of features that help detect security violations, rogue network devices, unauthorized software, suspicious network activity and more. But by utilizing the new validation scripts, you can fix many problems at the source – before they show symptoms.

The scripts are managed by NETIKUS.NET, updated regularly, and can be downloaded through the management console with a single click. Validation scripts are also tagged with keywords such as #server #compliance #stig-high-server to make sure that only relevant checks are assigned.


Which Browser Extensions are lurking in your network?

While web browser extensions can boost productivity and excite your end users, they also have inherent privacy and security risks. All major web browsers let users install as many extensions as they wish by default – without restrictions!

But do you actually know how many Firefox, Chrome or Edge extensions are installed on browsers across your IT infrastructure?

As an “extension” (no pun intended) of EventSentry’s software monitoring component, all browser extensions of Mozilla Firefox, Google Chrome and Microsoft Edge (Chromium-based) are inventoried with support for:

  • Alerts (extensions are installed/updated/uninstalled)
  • Searchable inventory

With this information at your fingertips, an initial discovery can be performed, a baseline set, and reports or alerts received on a regular basis showing newly installed extensions.


Troubleshoot, Document & Support End Users with “EventSentray”

Supporting your end users has probably never been more challenging, considering they’re distributed all across the place and not conveniently squeezed into an office building anymore.

With the tray app “EventSentray”, your end users can submit support tickets to many common ticketing systems via email or HTTP requests right from the tray with a customizable link. And the best part? Support tickets created by the app not only include pertinent system information (current CPU %, host name, uptime, …) but can also include a current screenshot.

We didn’t design the tray app only to give end users a way to submit support tickets right from their desktop, but also to help sysadmins.

Let’s be honest, when we log on to a server it’s often because something isn’t working the way it should. Wouldn’t it be nice to have easy access to information like:

  • CPU, Memory, Disk Usage & Utilization
  • Top 3 apps consuming CPU and memory
  • IP address, host name and connection speed
  • Whether the host needs a reboot

Simply double-click the EventSentry icon and the System Information dialog will show all of the above information – and more. Hovering over the charts reveals additional hardware information as well.

And for those working in teams with shared responsibilities, right-clicking the tray app also lets you add notes (including a screenshot) for the monitored host. Those notes are then visible in the web reports and ensure that everyone on your team is on the same page when you make significant changes to a server or workstation. Documentation is key!


Tracking Administrator Activity

Many compliance frameworks require that you track activity by Administrators (e.g. Domain Admins) on your network. ADMonitor users now have the ability to filter all compliance reports (e.g. Logon Activity, Process Activity) to only show activity from users with domain admin privileges.

Dashboard Import / Export

To make setting up dashboards easier and faster, EventSentry now ships with a number of dashboard templates that you can import. You can also export your own dashboards and import them on another EventSentry installation.

Webcam & Image Dashboard Tiles

The latest edition of the web reports includes a number of dashboard improvements, but the new image / webcam tile type definitely sticks out.

With the new “Image” tile you can point the web reports to a static image or stream to be displayed on any dashboard!