EventSentry 4.1: Monitor expiring passwords, pending reboots, and performance metrics with a Hybrid SIEM

Effectively monitoring and correlating events across your environment can be challenging. EventSentry 4.1 is a hybrid security information and event management (SIEM) solution that helps you secure, audit, and troubleshoot your environment based on the events captured in it. In this review of EventSentry 4.1, we look at the features added in the latest release and how they can benefit your environment.

Many SIEM systems on the market promise to help with the security challenges organizations face. EventSentry 4.1 by Netikus.net is a hybrid SIEM that aims to deliver the security visibility you need simply and effectively, including change monitoring and real-time alerting.

What is EventSentry?

EventSentry lets you monitor the performance, compliance, and security of your network. This "hybrid SIEM" solution provides real-time actionable information on what is happening on your network in a simple and easy to understand way.

Key features of the solution include the ability to:

  • Correlate and monitor events
  • Monitor Active Directory (AD) for changes
  • Track processes, logons, file access, account management, and policy change events for compliance regulations like the Payment Card Industry Data Security Standard (PCI-DSS), Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services (CJIS), and others
  • Visualize the metrics and data gathered from your network, including sophisticated log searching
  • Extend the solution's functionality via new scripts integrated into the monitoring environment

The brief description of features listed above contains a lot of functionality. EventSentry's very robust offering provides insight into very complex environments with many different end nodes, log sources, AD objects, and more.

EventSentry 4.1 new features

Netikus introduced a lot of new features in EventSentry 4.0, and they have continued to build upon many of these enhancements. In the 4.1 release, EventSentry has focused attention on the following areas:

  • ADMonitor enhancements: Password expiration notifications
  • Pending reboots, BitLocker & battery health monitoring
  • Performance visualization enhancements
  • Enhanced mobile monitoring
  • Managed service provider (MSP) support, security features, and web reporting

Let's look at what's new in each of these areas.

ADMonitor enhancements

ADMonitor, added in version 4.0, monitors AD natively and can show object changes down to the attribute level. Building on those hooks into AD, EventSentry 4.1 adds Windows password expiration reminders.

The feature sends daily password expiration emails directly to end users whose passwords are about to expire. The recipient address can be taken from the user's email address attribute, if it is populated, or constructed from other supported user attributes (e.g., first name and last name).

Where a password expiration policy is in force, whether for security reasons or to satisfy compliance regulations, reminding users ahead of time eases the burden on the help desk: users change their passwords before they are locked out rather than after.

You can find this under Reports > Jobs > Email User Password Expiration Reminders.

Setting up password expiration reminders in EventSentry 4.1
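
The following PowerShell script is an added example of the same idea and is not EventSentry's code. It finds AD users whose passwords expire within a configurable number of days and mails each one a reminder, preferring the mail attribute and falling back to a first.last address built from givenName and sn. It assumes the RSAT ActiveDirectory module is installed, that smtp.example.com is an internal relay that accepts mail from the host it runs on, and that example.com is the mail domain; all three names are placeholders.

```powershell
# Added example, not EventSentry code: mail AD users whose passwords expire soon.
# Assumptions: RSAT ActiveDirectory module present; smtp.example.com is an internal
# relay that accepts mail from this host; example.com is the mail domain for the
# constructed fallback address. All three names are placeholders.
param(
    [int]$DaysAhead     = 7,
    [string]$SmtpServer = 'smtp.example.com',
    [string]$From       = 'it-helpdesk@example.com',
    [string]$MailDomain = 'example.com',
    [switch]$DryRun                      # report only, send nothing
)
Import-Module ActiveDirectory

function Get-ExpiringPasswords {
    param([int]$Days)
    # msDS-UserPasswordExpiryTimeComputed is a constructed attribute: the DC applies the
    # domain policy or the user's fine-grained password policy, so we never read maxPwdAge.
    $users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
                        -Properties mail, givenName, sn, 'msDS-UserPasswordExpiryTimeComputed'
    $now = Get-Date
    foreach ($u in $users) {
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        # 0 or Int64.MaxValue means "never expires" (or no password set yet)
        if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }
        $expires  = [DateTime]::FromFileTime($raw)
        $daysLeft = [math]::Ceiling(($expires - $now).TotalDays)
        # Skip accounts that are already expired or not due within the window
        if ($daysLeft -lt 0 -or $daysLeft -gt $Days) { continue }

        # Prefer the mail attribute; otherwise build first.last@domain from givenName/sn
        $to = $u.mail
        if (-not $to -and $u.givenName -and $u.sn) {
            $to = ('{0}.{1}@{2}' -f $u.givenName, $u.sn, $MailDomain).ToLower()
        }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Expires        = $expires
            DaysLeft       = $daysLeft
            To             = $to
        }
    }
}

foreach ($r in Get-ExpiringPasswords -Days $DaysAhead) {
    if (-not $r.To) { Write-Warning "$($r.SamAccountName): no mail address, skipping"; continue }
    $subject = "Your password expires in $($r.DaysLeft) day(s)"
    $body    = "Your Windows password expires on $($r.Expires.ToString('yyyy-MM-dd HH:mm')). " +
               "Press Ctrl+Alt+Del and choose 'Change a password' before then."
    if ($DryRun) { Write-Host "$($r.To): $subject"; continue }
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $r.To -Subject $subject -Body $body
}
```

Run it once with -DryRun to review the recipient list before scheduling it as a daily task. Using the constructed msDS-UserPasswordExpiryTimeComputed attribute rather than computing pwdLastSet + maxPwdAge yourself matters in domains with fine-grained password policies, where users can have different maximum ages.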

Pending reboots

How many times, as an IT admin or operations engineer, have you seen a pending reboot make a server unstable or produce odd system errors? Pending reboots can lead to many different issues in an environment. Windows servers may have reboots pending from Windows updates or from other software installations.

EventSentry 4.1 lets admins see whether a reboot is pending on each machine in the host inventory. In addition, you can build reports on this attribute across your entire environment to see which machines are waiting for a restart.

This helps admins be more proactive about maintenance periods and provides details about the state of machines that could become unstable due to pending reboots.

EventSentry 4.1 shows pending reboots
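
As an added example of how such an inventory check can be made, not EventSentry's own code, the PowerShell function below reports whether a reboot is pending on one or more hosts by reading the registry locations that component servicing, Windows Update, pending file-rename operations, and computer renames use to record it. Remote hosts are queried over WinRM, so it assumes PowerShell remoting is enabled and that you are a local administrator on the targets; the AD query at the end assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not EventSentry code: which hosts have a reboot pending, and why.
# Assumes WinRM is enabled on remote hosts and you are a local admin there.
function Test-PendingReboot {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    $check = {
        $reasons = @()
        # Component Based Servicing (cumulative updates, features) flags a reboot here
        if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
            $reasons += 'ComponentBasedServicing'
        }
        # Windows Update agent flags a reboot here
        if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
            $reasons += 'WindowsUpdate'
        }
        # Installers queue file replacements that only happen at the next boot
        $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
        if ($sm -and $sm.PendingFileRenameOperations) { $reasons += 'PendingFileRename' }
        # A computer rename takes effect at reboot: active and configured names differ until then
        $cn     = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName'
        $active = (Get-ItemProperty "$cn\ActiveComputerName").ComputerName
        $target = (Get-ItemProperty "$cn\ComputerName").ComputerName
        if ($active -ne $target) { $reasons += 'ComputerRename' }

        [pscustomobject]@{
            ComputerName  = $env:COMPUTERNAME
            RebootPending = ($reasons.Count -gt 0)
            Reasons       = ($reasons -join ', ')
        }
    }

    foreach ($c in $ComputerName) {
        try {
            if ($c -ieq $env:COMPUTERNAME -or $c -ieq 'localhost') { & $check }
            else { Invoke-Command -ComputerName $c -ScriptBlock $check -ErrorAction Stop }
        } catch {
            # Report unreachable hosts instead of dropping them: an inventory with silent gaps misleads
            [pscustomobject]@{ ComputerName = $c; RebootPending = $null; Reasons = "ERROR: $($_.Exception.Message)" }
        }
    }
}

# Inventory every enabled Windows server in AD and list those waiting for a restart (or unreachable)
Import-Module ActiveDirectory
$servers = (Get-ADComputer -Filter { OperatingSystem -like '*Server*' -and Enabled -eq $true }).Name
Test-PendingReboot -ComputerName $servers |
    Where-Object { $_.RebootPending -ne $false } |
    Sort-Object ComputerName | Format-Table -AutoSize
```

The Reasons column is what makes the report actionable: a CBS or Windows Update flag points at patch maintenance, whereas a lone PendingFileRename entry is often left behind by an application installer and may be harmless.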

Performance visualization enhancements

Earlier releases of EventSentry limited performance monitoring data and visualizations to Windows performance counters and more traditional sources such as Simple Network Management Protocol (SNMP) management information bases (MIBs).

EventSentry 4.1 can now also consume and chart data produced by any executable or script whose output EventSentry can read.

In a live demo, Netikus showed EventSentry producing performance visualizations from a wide range of sources: air pollution statistics for four major US cities, along with a global parts per million (PPM) figure, using data from the Environmental Protection Agency (EPA).

Performance visualizations can have as their source any executable or script that produces data

Enhanced mobile monitoring

At the time of this writing, with the COVID-19 pandemic raging across the world, most organizations are managing and monitoring a much larger remote workforce than before. Tools that give better visibility into the security of remote hardware help keep the business-critical data on those devices appropriately secured. Are the laptops in use encrypted with BitLocker?

EventSentry 4.1 makes this an easy attribute to query across your hardware: it shows both BitLocker-encrypted drives and those running without encryption. If you also filter on the chassis type, the query can be restricted to laptops only, producing an actionable report.

EventSentry 4.1 provides data about devices without BitLocker encryption

In addition to showing the state of BitLocker encryption, EventSentry 4.1 can query the health of the batteries in laptops across your organization. Again, with a larger remote workforce, seeing the state and health of laptop batteries lets you head off issues with failing batteries proactively.
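
The PowerShell below is an added example, not EventSentry code, of gathering the same three facts (chassis type, BitLocker status of the OS drive, and battery wear) from a list of hosts and then filtering to laptops that are not encrypted. It assumes WinRM access as a local administrator (the Win32_EncryptableVolume class requires elevation), and that the root\wmi battery classes are present only on hosts that actually have a battery; laptops.txt, one hostname per line, is a placeholder input file.

```powershell
# Added example, not EventSentry code: chassis type + BitLocker + battery wear per host.
# Assumes WinRM access as local admin on each host; laptops.txt is a placeholder
# containing one hostname per line.
function Get-EndpointProtectionState {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    $collect = {
        # SMBIOS chassis types that mean "portable": 8 Portable, 9 Laptop, 10 Notebook,
        # 14 Sub Notebook, 30 Tablet, 31 Convertible, 32 Detachable
        $portable = 8, 9, 10, 14, 30, 31, 32
        $chassis  = @((Get-CimInstance Win32_SystemEnclosure).ChassisTypes)
        $isLaptop = @($chassis | Where-Object { $portable -contains $_ }).Count -gt 0

        # BitLocker state of the OS volume via the WMI provider (needs elevation)
        $sysDrive = $env:SystemDrive   # usually C:
        $vol = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                 -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$sysDrive'" `
                 -ErrorAction SilentlyContinue
        # ProtectionStatus: 0 = off, 1 = on, 2 = unknown; no object = BitLocker not available
        $bitlocker = switch ($vol.ProtectionStatus) { 0 { 'Off' } 1 { 'On' } 2 { 'Unknown' } default { 'NotAvailable' } }

        # Battery health = full-charge capacity / design capacity (both in mWh); null on desktops
        $design = (Get-CimInstance -Namespace root\wmi -ClassName BatteryStaticData `
                     -ErrorAction SilentlyContinue | Select-Object -First 1).DesignedCapacity
        $full   = (Get-CimInstance -Namespace root\wmi -ClassName BatteryFullChargedCapacity `
                     -ErrorAction SilentlyContinue | Select-Object -First 1).FullChargedCapacity
        $health = if ($design -and $full) { [math]::Round(100 * $full / $design) } else { $null }

        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            ChassisTypes     = ($chassis -join ',')
            IsLaptop         = $isLaptop
            OSDriveBitLocker = $bitlocker
            BatteryHealthPct = $health
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -ieq $env:COMPUTERNAME) { & $collect }
        else { Invoke-Command -ComputerName $c -ScriptBlock $collect }
    }
}

# Actionable views: laptops whose OS drive is not protected, and batteries below 60% of design capacity
$state = Get-EndpointProtectionState -ComputerName (Get-Content .\laptops.txt)
$state | Where-Object { $_.IsLaptop -and $_.OSDriveBitLocker -ne 'On' } | Format-Table -AutoSize
$state | Where-Object { $_.BatteryHealthPct -ne $null -and $_.BatteryHealthPct -lt 60 } | Format-Table -AutoSize
```

Treat 'Unknown' and 'NotAvailable' as findings rather than noise: a laptop where the query could not confirm protection is, for reporting purposes, an unencrypted laptop until someone checks it.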

MSP support, security features, and web reporting

EventSentry already targets MSP use with granular permissions and multitenant support, and Netikus has enhanced this in v4.1: both the heartbeat and network services components now integrate with the collector and no longer require a direct database connection. EventSentry transmits the data from the customer's network directly to the collector managed by the MSP.

Besides BitLocker drive detection, EventSentry 4.1 adds a Changes view to the host inventory information. This provides a great way to see detailed changes that have happened to the monitored hosts. This is useful from many different angles including security, troubleshooting, and regulatory compliance.

EventSentry 4.1 audits changes detected on systems, which is useful for forensics

In addition to a complete UI refresh, EventSentry has much more powerful web reports in this release as well as the ability to acknowledge additional message types.

Online EventSentry database

Another companion service Netikus provides is the online database at system32.eventsentry.com. System32 is a very comprehensive compilation of Windows security and audit events: it tells you how certain Windows events are related, whether you should monitor them, which audit settings produce them, and much more. Netikus recently added two new tools to the System32 offering:

  • The TLS validator checks the certificate presented by any public HTTPS website.
  • The compliance validator analyzes the audit settings of any host on your network, matches them against major compliance requirements, and highlights any gaps in the audit policy.

Validate your audit policy settings against regulatory compliance standards
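
The compliance validator's basic technique, reading a host's effective audit policy and comparing it with a required set of subcategories, can be reproduced locally. The PowerShell below is an added example and is neither EventSentry nor System32 code. The baseline it checks is an illustrative set chosen for this example, not the text of any standard; substitute the subcategories your own compliance requirements name. It must run elevated, because auditpol needs administrator rights, and it relies on the English subcategory names auditpol emits.

```powershell
# Added example, not EventSentry/System32 code: compare the effective audit policy
# of this host with a required baseline and flag every subcategory that falls short.
# Run elevated. The baseline below is illustrative, not any standard's wording.
function Test-AuditSetting {
    # $true when the actual setting satisfies the required one
    param([string]$Actual, [string]$Required)
    switch ($Required) {
        'Success and Failure' { return $Actual -eq 'Success and Failure' }
        'Success'             { return $Actual -in 'Success', 'Success and Failure' }
        'Failure'             { return $Actual -in 'Failure', 'Success and Failure' }
        default               { return $true }
    }
}

function Test-AuditPolicy {
    [CmdletBinding()]
    param([hashtable]$Baseline)
    # 'auditpol /get /category:* /r' emits CSV with the columns Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting
    $policy = @{}
    auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv | ForEach-Object {
        $policy[$_.Subcategory] = $_.'Inclusion Setting'
    }
    foreach ($sub in ($Baseline.Keys | Sort-Object)) {
        # A subcategory auditpol does not list at all is a finding, not a pass
        $actual = if ($policy.ContainsKey($sub)) { $policy[$sub] } else { 'MISSING' }
        [pscustomobject]@{
            Subcategory = $sub
            Required    = $Baseline[$sub]
            Actual      = $actual
            Compliant   = (Test-AuditSetting -Actual $actual -Required $Baseline[$sub])
        }
    }
}

# Illustrative baseline: the subcategories behind the logon, account-management, process
# and policy-change events a SIEM typically needs (example values, not a standard's text)
$Baseline = @{
    'Credential Validation'     = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Account Lockout'           = 'Failure'
    'Special Logon'             = 'Success'
    'Process Creation'          = 'Success'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success'
    'Audit Policy Change'       = 'Success and Failure'
    'Sensitive Privilege Use'   = 'Success and Failure'
    'Security System Extension' = 'Success'
}

$result = Test-AuditPolicy -Baseline $Baseline
$result | Format-Table -AutoSize
$gaps = @($result | Where-Object { -not $_.Compliant })
if ($gaps.Count) { Write-Warning "$($gaps.Count) subcategories do not meet the baseline" }
```

Checking the effective policy with auditpol, rather than reading Group Policy, is deliberate: what auditpol reports is what the host actually audits, so a GPO that failed to apply or a local override shows up as a gap instead of a false pass.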

Impressions and wrapping up

I found EventSentry 4.1 to be a very well-rounded tool for gathering helpful insights into what is going on in your network. The logging, event correlation, alerting, and other features found in the product will no doubt bolster the security and compliance stance of your environment.

Netikus has added excellent features to the 4.1 release that give you even more visibility into your network, and especially into AD. The System32 website is a great compilation of Windows events and auditing information, and the new compliance validator and TLS validator are useful additions to it. These tools help with compliance initiatives as well as with verifying the certificates of public TLS sites.

Download a full-featured trial version of EventSentry here.

© 4sysops 2006 - 2020
