I'm Sean Barker, Product Manager at Quest Software. I'm going to go through some of the features that you'll have seen added to your On Demand Audit subscription over the last couple of months. I'll start with some of the additional indicators of compromise (IOCs) that we've added to the Critical Activity widget, and then I'll take you to the interactive visualizations and how those can help you speed up your investigations.
So most organizations that run On Demand Audit also run Change Auditor, and that's because Change Auditor is used to do all the auditing of the on-premises Active Directory activity and logon activity. Those events are then fed up into On Demand Audit, and they form part of the On Demand Audit dashboard and the Critical Activity widget that we'll go through now.
Critical Activity is one of the widgets in the dashboard, and it contains all the IOCs that you should keep an eye out for. And to make it easy on you, the Audit Health widget prompts you to subscribe to the Critical Activity and Anomaly Detection alert plan. So you don't have to know exactly what to look for; you can just sign up for the alert plan, and any time Change Auditor and On Demand Audit detect an indicator of compromise, you'll get an email alert on it.
So there are two types of alerts in the Critical Activity page. The first are the IOCs, specific events that are of concern in your environment. The second is Anomaly Detection, the ones with the exclamation mark.
So we've added a number of IOCs over the last couple of months. The first one here is DCShadow. This is in on-premises Active Directory, using a tool like Mimikatz to elevate an ordinary computer to appear as a domain controller. And the reason that adversaries do that is so they can replicate a copy of the AD database, and then they've got all your password hashes.
And that's a similar end goal to the DCSync, or AD irregular domain replication, IOC, where you basically take advantage of the fact that you've got access to the domain replication permissions to stand up what looks to be a DC and take a copy of the AD database through replication. And again, once you've got a copy of the database, then you've got all the password hashes and access to any of the privileged accounts you want. We've also added IOCs for any links that have happened at the domain level for group policies. Obviously, group policies are a critical way that attackers can use to deploy settings that will help them infiltrate the environment. So any time a GPO is linked at the domain level, that's something that's of concern and something you should look into.
And we've added some IOCs around changes to the service principal name (SPN) attributes, which would indicate that user objects are susceptible to Kerberoasting attacks, and also possible privilege elevation. So changes that have happened to the adminCount attribute, for example, would show that an ordinary user has been added to a built-in privileged group.
And one of the IOCs that doesn't appear in this list, which we've added recently, is irregular sIDHistory attribute changes. So if you suddenly see that a SID has been added to an object that's in the same domain, that's highly suspicious. So that is another IOC that will pop up as an alert in this widget.
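As an added example (not Quest's code, and not the Change Auditor or On Demand Audit event schema), here is the core logic behind two of the IOCs described above: an sIDHistory value added from the object's own domain, and a group policy link changed at the domain root. The event records and their field names are constructed for the example.

```python
# Added example: detection checks for two of the IOCs discussed above.
# Event dicts and field names are constructed assumptions, not a product schema.

def domain_part(sid: str):
    """Domain portion of a domain SID (everything before the RID).
    Returns None for non-domain SIDs such as well-known S-1-1-0."""
    if not sid.startswith("S-1-5-21-"):
        return None
    return sid.rsplit("-", 1)[0]

def irregular_sidhistory(event: dict) -> bool:
    """True when a SID added to sIDHistory belongs to the object's own domain.
    After a genuine migration sIDHistory holds SIDs from the *source* domain,
    so a same-domain SID (e.g. RID 512, Domain Admins) is the injection pattern."""
    if event.get("attribute") != "sIDHistory" or event.get("op") != "add":
        return False
    own, added = domain_part(event["object_sid"]), domain_part(event["value"])
    return own is not None and own == added

def domain_level_gpo_link(event: dict) -> bool:
    """True when gPLink changes on the domain root (a DN made only of DC= parts).
    Naive split on ',' is fine for the constructed DNs; escaped commas are not handled."""
    if event.get("attribute") != "gPLink":
        return False
    rdns = [r.strip() for r in event["object"].split(",")]
    return all(r.upper().startswith("DC=") for r in rdns)

def scan(events):
    """Return (indicator, object DN) pairs for every event that trips a check."""
    hits = []
    for e in events:
        if irregular_sidhistory(e):
            hits.append(("irregular sIDHistory", e["object"]))
        if domain_level_gpo_link(e):
            hits.append(("domain-level GPO link", e["object"]))
    return hits

SAMPLE_EVENTS = [  # constructed sample data
    # legitimate migration: sIDHistory carries a SID from a different source domain
    {"object": "CN=jdoe,OU=Users,DC=corp,DC=example", "object_sid": "S-1-5-21-111-222-333-1105",
     "attribute": "sIDHistory", "op": "add", "value": "S-1-5-21-999-888-777-1604"},
    # suspicious: a same-domain SID (Domain Admins, RID 512) injected into sIDHistory
    {"object": "CN=svc-backup,OU=Service,DC=corp,DC=example", "object_sid": "S-1-5-21-111-222-333-2201",
     "attribute": "sIDHistory", "op": "add", "value": "S-1-5-21-111-222-333-512"},
    # suspicious: a GPO linked at the domain root
    {"object": "DC=corp,DC=example", "attribute": "gPLink", "op": "modify", "value": "[LDAP://cn={GUID},...;0]"},
    # ordinary: a GPO linked to an OU, not the domain root
    {"object": "OU=Workstations,DC=corp,DC=example", "attribute": "gPLink", "op": "modify", "value": "[...]"},
]

if __name__ == "__main__":
    for indicator, dn in scan(SAMPLE_EVENTS):
        print(f"{indicator}: {dn}")
```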
And so the second part of the new capabilities is these interactive visualizations. So the first step is you get an alert that there's been an indicator of compromise, and you need to investigate that. And On Demand Audit is focused on making those investigations as easy and as quick as possible for you. So now these visualizations are fully interactive. First thing is I can take any of these slices, so in this case these are the different critical groups that have had membership changes. And if I click on that, I'll go right to the list of events for that particular group. So it allows me to drill down immediately from a specific element of that visualization to the events that underlie that element.
So these visualizations allow you to drill down, but they're also interactive. So for example, if I have a lot of elements, in this case a lot of critical groups that show up in this graph, I can remove the noisiest ones here. And as I remove certain elements in the graph, it makes the smaller ones more prominent, easier to look into and to drill into deeper.
Now let's look at one of the anomaly detection critical activity alerts. So anomaly detection is looking at patterns in the environment across your tenant, or your on-premises Active Directory, and showing you when there's been a suspicious increase of activity. So in this case, these are successful tenant sign-ins, and we've had this anomalous spike which is way off the baseline. And again, as with the previous visualizations, I can take any data point in this graph, click on it, and drill into it.
So in this case, I'm looking at the anomalous number of successful AD sign-ins. So historically, what we had is a list of all of these sign-ins, and I could go through the individual events. The new interactive visualizations are going to make it so much easier to determine if all these anomalous sign-ins are coming in from one user or coming in from a whole series of users. Maybe it's just one user that's been compromised. Maybe it's a number of users that are falling victim to a password spray attack or a dictionary attack.
So with the new interactive visualizations, I can now configure any search, whether it's built in from the Critical Activity widget or one that I create myself, to display as a visualization as well. So I