- Smart App Control: Protect Windows 11 against ransomware - Thu, Dec 8 2022
- New features in VMware vSphere 8 - Mon, Dec 5 2022
- Split-brain DNS deployment using Windows Server DNS policy - Wed, Nov 30 2022
Many SIEM systems on the market today promise to help with the security challenges organizations are facing. However, one in particular, EventSentry 4.1 by Netikus.net, is a hybrid SIEM solution that promises to provide the security visibility you need in your environment simply and effectively, including monitoring changes and real-time alerting.
What is EventSentry? ^
EventSentry lets you monitor the performance, compliance, and security of your network. This "hybrid SIEM" solution provides real-time actionable information on what is happening on your network in a simple and easy to understand way.
Key features of the solution include the ability to:
- Correlate and monitoring events
- Monitor Active Directory (AD) for changes
- Track processes, logons, file access, account management, and policy change events for compliance regulations like the Payment Card Industry Data Security Standard (PCI-DSS), Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services (CJIS), and others
- Visualize the metrics and data gathered from your network, including sophisticated log searching
- Extend the solution's functionality via new scripts integrated into the monitoring environment
The brief description of features listed above contains a lot of functionality. EventSentry's very robust offering provides insight into very complex environments with many different end nodes, log sources, AD objects, and more.
EventSentry 4.1 new features ^
Netikus introduced a lot of new features in EventSentry 4.0, and they have continued to build upon many of these enhancements. In the 4.1 release, EventSentry has focused attention on the following areas:
- ADMonitor enhancements: Password expiration notifications
- Pending reboots, BitLocker & battery health monitoring
- Performance visualization enhancements
- Enhanced mobile monitoring
- Managed service provider (MSP) support, security features, and web reporting
Let's look at what's new in each of these areas.
ADMonitor enhancements ^
The new ADMonitor added in version 4.0 provides native AD monitoring which can show object changes as granular as the attribute level. With the hooks into AD starting in v4.0, EventSentry 4.1 takes this a step further and adds Windows password reminders.
This new feature allows sending out daily password expiration emails directly to end users when their passwords are close to expiring. The user email addresses can either be built from one of the supported user attributes (e.g. first name, last name) or you can simply use the email address attribute if configured.
Password changes are essential for the security of AD environments and for meeting compliance regulations. Being able to send out password expiration reminders helps ease the burden on help desks as end users can get passwords changed ahead of time.
You can find this under Reports > Jobs > Email User Password Expiration Reminders.
Pending reboots ^
How many times as an IT admin or operations engineer have you seen a pending reboot make a server unstable or produce odd system errors? Pending reboots can potentially lead to many different issues in an environment. Windows servers may have pending reboots from Windows updates or other software installations.
EventSentry 4.1 lets admins see whether there is a reboot pending on each machine in the host inventory. In addition you can build reports based off the attribute of these machines across your entire environment to see which ones are pending a system reboot.
This helps admins be more proactive about maintenance periods and provides details about the state of machines that could become unstable due to pending reboots.
Performance visualization enhancements ^
Prior releases of EventSentry limited the sources of your performance monitoring data and performance visualizations to Windows performance counters and more traditional sources like Simple Network Management Protocol (SNMP) management information bases (MIBs).
With EventSentry 4.1 you can now utilize the output of any data source that has as its source an executable or script that produces data that EventSentry 4.1 can consume.
In a live demo, Netikus shows that EventSentry is able to produce performance visualizations based on stats from a wide range of sources. They display air pollution stats from four major US cities along with the global parts per million (PPM), courtesy of data from the Environmental Protection Agency (EPA).
Enhanced mobile monitoring ^
At the time of this writing, and with the COVID-19 pandemic raging across the world, most organizations are managing and monitoring a much larger remote workforce than before. Having tools that provide better visibility into remote hardware security helps keep remote, business-critical data appropriately secured. Are laptops in use encrypted with BitLocker?
With EventSentry 4.1, this is an easy attribute to query across your hardware by viewing both BitLocker-encrypted drives and those running without encryption. If you take advantage of the chassis type as well, then the query can be restricted to only show laptops – resulting in actionable reports.
In addition to showing the state of BitLocker encryption, EventySentry 4.1 can query the health of batteries in laptops running across your organization. Again, especially with the current world situation and the continued need for an increased remote workforce, being able to see the state and health of laptop batteries allows proactively heading off issues related to failing batteries.
MSP support, security features, and web reporting ^
EventSentry already focuses on MSP use with granular permissions and multitenant support. However, Netikus has enhanced this in v4.1. Now both the heartbeat and network services components integrate with the collector and do not require a direct database connection. EventSentry transmits the data from the customer's network directly to the collector – managed by the MSP.
Besides BitLocker drive detection, EventSentry 4.1 adds a Changes view to the host inventory information. This provides a great way to see detailed changes that have happened to the monitored hosts. This is useful from many different angles including security, troubleshooting, and regulatory compliance.
In addition to a complete UI refresh, EventSentry has much more powerful web reports in this release as well as the ability to acknowledge additional message types.
Online EventSentry database ^
Another complimentary service Netikus provides is the online database system32.eventsentry.com. System32 is a very comprehensive compilation of Windows security and audit events. It tells you how certain Windows events are related, whether you should monitor them, which audit settings are associated with the events, and much more. Recently, they added a couple of new tools to the system32 offering.
- The TLS validator allows you to validate any public HTTPS website certificate to ensure its validity.
- The compliance validator analyzes the audit settings of any host on your network and matches them against major compliance requirements. It then highlights any problems with the audit policy.
Impressions and wrapping up ^
I found EventSentry 4.1 to be a very well-rounded tool for gathering helpful insights into what is going on in your network. The logging, event correlation, alerting, and other features found in the product will no doubt bolster the security and compliance stance of your environment.
Netikus has added excellent features to the 4.1 release that give you even more visibility into your network - and especially into AD. The System32 website is a great compilation of Windows events and auditing information. The new compliance validator and TLS validator provide useful additions to the site. These tools help with compliance initiatives as well as verifying the validity of public SSL certificates and sites.
Subscribe to 4sysops newsletter!
Download a full-featured trial version of EventSentry here.