- Azure Sentinel—A real-world example - Tue, Oct 12 2021
- Deploying Windows Hello for Business - Wed, Aug 4 2021
- Azure Purview: Data governance for on-premises, multicloud, and SaaS data - Wed, Feb 17 2021
Back in mid-2018, we looked at EventSentry 3.5. In this article, we're going to cover all the new goodies netikus.net has put into version 4 recently released. Chief among these is a whole new way to monitor Active Directory (AD), aptly named ADMonitor, but there are also other improvements.
If you haven't read our earlier reviews, the elevator pitch for EventSentry is that it's an affordable Security Information and Event Management (SIEM) tool that monitors your Windows/Linux systems and your network infrastructure. It gives your security staff insight into what's happening on your network.
This time around, I'm not going to review the installation and configuration of EventSentry—it's almost identical to version 3.5 and just as easy to install and configure. You can download a 30-day trial here.
EventSentry 4.0 main console
ADMonitor
Earlier incarnations of EventSentry had AD monitoring in the form of security event log and Windows auditing, which let you know about user, computer, and group changes.
An optional add-on for EventSentry 4.0 is a full-featured AD Domain Services (AD DS) monitor that keeps track of changes to all AD objects down to all individual attribute levels. It tells you what the values were changed from and to. It also tracks changes to Group Policy, gives you comprehensive user status reports (users who aren't logging in, users with non-expiring password, etc.), and no longer requires enabling of auditing in AD.
ADMonitor doesn't need to run on a domain controller (DC)—I did in my test installation, and it worked fine. During setup, it creates a service account you specify the password for. It'll create a copy of your AD database, which can take a bit of time depending on the size of your AD forest.
After database population, you can now run daily/weekly/monthly reports for object changes, Group Policy changes, and user status.
Group Policy monitoring
The object changes report lets you filter on the object type, such as group, user, or organizational unit (OU), as well as the action taken, such as modified, added, or removed, and on the user who performed the action.
ADMonitor Reporting
The user report gives you a list of all users, and you can filter based on whether they're administrators, if their passwords never expire or have expired, if they're locked out, the last logon dates, the account creation dates, and whether they have expiration dates.
ADMonitor report
There's no understating the importance of this. Keeping AD clean and getting rid of old accounts (especially service accounts) and unused groups can be a major undertaking, especially if the company has lacked governance and documentation in the past.
The main EventSentry web UI has many inbuilt reports, including ADMonitor based ones. This is also where you find the reports for Group Policy changes. Of particular interest are compliance reports so if your organization needs to adhere to PCI, FISMA, SOX, HIPAA, GLBAA, ISO 27000 or NIST 800-171 EventSentry has you covered for those.
ADMonitor Web Reports
The scheduled reports are valuable, especially for comparing changes over time. But I'm even more intrigued by the included ADMonitor Viewer, which lets you see changes to AD in real time. You can filter the results based on a string or pick from a template of search queries (see the screenshot below). You can also pick a time range, the action (create, modify, delete), object names and classes, and the user who performed the action. If you have a multi-domain forest, you can limit the scope to a particular domain.
ADMonitor Viewer
Best of all, you can configure real-time email alerts based on specific search criteria to flag particular changes (Domain Admins group changes, creation of new administrators, etc.) immediately.
In my years of being an IT consultant and working with many different AD deployments, I've never seen such a powerful and easy-to-use tool. I know many other tools do similar things, but this is simply an add-on to an already powerful SIEM. When it comes to keeping an eye on AD changes, this tool is fantastic. You can also save the resulting list of changes to a CSV or HTML file with very good control of the file content (see the screenshot below).
ADMonitor Viewer export file settings
ADMonitor is licensed on a per-user basis.
Other improvements
Version 4.0 brings other enhancements, such as an overhauled UI with a ribbon interface. The product also feels more responsive to use than the 3.5 version I tested last time. It's also got a built-in event viewer for working with Windows event logs that's much better than the native event viewer.
If you're using NetFlow in EventSentry (and you should), there's inbuilt threat intelligence, so it'll alert you about traffic going to malicious IP addresses, and it'll detect port scans.
Subscribe to 4sysops newsletter!
Conclusion
EventSentry is a very capable and affordable SIEM solution that's a central repository and alerting platform for all of your security events coming from Windows, Linux, and network devices. If you're looking for a SIEM solution, EventSentry should definitely be on your shortlist.
