In a previous blog post, we saw how ADAudit Plus’ user behavior analytics (UBA) capabilities let administrators monitor users’ file activity to identify anomalies. UBA in ADAudit Plus can also help identify compromised accounts by monitoring users’ logon activity patterns. In this post, we’ll look at how organizations can monitor unusual user logon activity to detect potential threats.
Tracking unusual logon activity
Imagine a disgruntled employee who wants to log on to a coworker’s account to steal sensitive information. To do this, the rogue employee might log on from the coworker’s own computer, avoiding the logon event from an unfamiliar machine that would otherwise stand out.
After the coworker goes home for the day, the attacker tries several guessed passwords and succeeds after only a few failed attempts. With so few failures, a volume-based logon failure alert is unlikely to fire. However, the rogue employee isn’t in the clear yet: ADAudit Plus detects the unusual logon time and raises an alert.
By determining the normal activity of users, ADAudit Plus’ UBA engine can generate alerts upon detection of unusual logon activity.
Without a UBA solution, chances are that breaches like this go unnoticed, because the number of logon failures never crosses a threshold. To track unusual logon activity with ADAudit Plus:
- Log in to ADAudit Plus.
- Click Analytics and select Unusual Logon Activity.
- Select Unusual Logon Activity Time and/or Unusual Logon Activity Time on Host to view successful logons that fall outside each user’s usual logon hours, either overall or on a particular host. See Figure 1.
Figure 1. Unusual logon activity time report.
Having a report of logon activity is useful, but most administrators don’t have time to review reports. This is where alerts come in handy. By default, UBA alerts are delivered by email notification, but you can configure them to be sent via SMS as well.
To edit alert profiles:
- Select the Configuration tab.
- Go to Alert Profiles > View/Modify Alert Profiles, and select the desired profile.
- Click Configure to modify the alert profile. You can choose to be notified by email, SMS, or both.
- Click Update.
Upon configuring these settings, administrators will begin receiving alerts for unusual logon activity.
ADAudit Plus’ UBA engine alerts administrators about users’ unusual logon activity. The analytics engine calculates a normal logon time frame for each user from their past logon behavior. A successful logon at a time outside that time frame triggers an unusual logon time alert, which is sent to the administrator.
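To make the mechanism concrete, here is an added example (not ADAudit Plus code, and not a description of its internal algorithm) of the baseline-then-alert logic described above, run over constructed Windows Security log events: 4624 for successful logons and 4625 for failed logons. It builds a per-user and per-user-per-host baseline of observed logon hours, then checks new logons against it, and also runs a conventional volume-based failed-logon alert so the difference on the post’s scenario is visible. The sample accounts, hosts, timestamps, the one-hour slack and the five-failures-in-ten-minutes threshold are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per logon attempt: (timestamp, event_id, user, host).
# Event IDs follow the Windows Security log: 4624 = logon succeeded, 4625 = logon failed.
def _event(ts, event_id, user, host):
    return (datetime.fromisoformat(ts), event_id, user, host)

# Two weeks of baseline data (constructed). alice works 08:00-17:00 on HOST-A;
# bob works a night shift on HOST-B that straddles midnight.
BASELINE_EVENTS = []
for _day in range(14):
    _d = datetime(2024, 3, 4) + timedelta(days=_day)  # 2024-03-04 is a Monday
    if _d.weekday() >= 5:                              # skip weekends
        continue
    for _h in (8, 10, 13, 16):
        BASELINE_EVENTS.append(_event(_d.replace(hour=_h).isoformat(), 4624, "alice", "HOST-A"))
    for _h in (22, 23):
        BASELINE_EVENTS.append(_event(_d.replace(hour=_h).isoformat(), 4624, "bob", "HOST-B"))
    for _h in (1, 4):                                  # early hours of the next calendar day
        BASELINE_EVENTS.append(_event((_d.replace(hour=_h) + timedelta(days=1)).isoformat(), 4624, "bob", "HOST-B"))

SLACK_HOURS = 1  # assumed tolerance: a logon within one hour of any observed hour is "normal"


def build_baseline(events):
    """Return ({user: hours}, {(user, host): hours}) learned from successful logons only."""
    per_user = defaultdict(set)
    per_user_host = defaultdict(set)
    for ts, event_id, user, host in events:
        if event_id != 4624:
            continue
        per_user[user].add(ts.hour)
        per_user_host[(user, host)].add(ts.hour)
    return per_user, per_user_host


def _within_normal(hour, observed, slack=SLACK_HOURS):
    # Circular distance on the 24-hour clock, so 23:00 and 00:00 count as adjacent.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= slack for h in observed)


def unusual_logons(events, per_user, per_user_host):
    """Flag successful logons outside the user's learned hours, overall and on that host."""
    alerts = []
    for ts, event_id, user, host in events:
        if event_id != 4624:
            continue
        if user in per_user and not _within_normal(ts.hour, per_user[user]):
            alerts.append(("unusual_logon_time", user, host, ts))
        if (user, host) in per_user_host and not _within_normal(ts.hour, per_user_host[(user, host)]):
            alerts.append(("unusual_logon_time_on_host", user, host, ts))
    return alerts


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Conventional volume alert: at least `threshold` 4625 events for one account within `window`."""
    alerts = []
    recent_failures = defaultdict(list)
    for ts, event_id, user, host in sorted(events):
        if event_id != 4625:
            continue
        recent = [t for t in recent_failures[user] if ts - t <= window] + [ts]
        recent_failures[user] = recent
        if len(recent) >= threshold:
            alerts.append(("logon_failure_burst", user, host, ts))
    return alerts


# Constructed scenario from the post: three wrong guesses at alice's password from her
# own workstation after hours, then a success; plus routine logons for comparison.
SCENARIO_EVENTS = [
    _event("2024-03-18T22:01:00", 4625, "alice", "HOST-A"),
    _event("2024-03-18T22:03:00", 4625, "alice", "HOST-A"),
    _event("2024-03-18T22:06:00", 4625, "alice", "HOST-A"),
    _event("2024-03-18T22:09:00", 4624, "alice", "HOST-A"),  # after-hours success
    _event("2024-03-18T23:00:00", 4624, "bob", "HOST-B"),    # normal for bob's shift
    _event("2024-03-19T09:00:00", 4624, "alice", "HOST-A"),  # normal for alice
]


def run_scenario():
    per_user, per_user_host = build_baseline(BASELINE_EVENTS)
    return {
        "volume": failed_logon_bursts(SCENARIO_EVENTS),
        "uba": unusual_logons(SCENARIO_EVENTS, per_user, per_user_host),
    }


if __name__ == "__main__":
    for kind, hits in run_scenario().items():
        print(kind, hits)
```

On this data the volume-based check returns nothing, because three failures never reach the threshold, while the time-based check raises both an unusual-logon-time and an unusual-logon-time-on-host alert for alice’s 22:09 success, and stays quiet for bob’s 23:00 logon because night hours are normal for him. Two caveats a practitioner should keep in mind: the baseline only knows what it has observed, so it needs a representative learning period before alerts mean anything, and an attacker who logs on from the coworker’s machine during the coworker’s usual hours would not trip either check. Time-based alerts complement failed-logon monitoring rather than replace it.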
Read our white paper on UBA to learn more about how UBA can help you defend against insider attacks.