Security threat monitoring in Change Auditor 7.1.1

Welcome. This is Quest Unscripted. A vlog series on trending topics. And Quest solutions related to Active Directory. Office 365 Oh, and don't forget Azure AD. You are here because you have questions. We're here because we have answers. I think. We will address questions we've received from customers-- Who experience the same challenges as you. All with the goal of helping you confidently move-- Manage And secure Your Microsoft environment. We call the show Quest Unscripted, because-- Except for this intro-- Nothing we say is scripted or rehearsed. And we're pretty sure you'll notice that right away. Hey, Brian and Bryan. I am looking at Change Auditor release notes 71.1.1, and, boy, it is packed with a lot of good new features. Some of them customers have asked for a long time. But let's get to it. And Brian Patton, I'm going to start with you. And I'm looking at the ability to audit and protect the Active Directory database. Can you tell us why is that important, and what's that new feature all about? So think about somebody trying to extract a copy of NTDS.dit file. We can now audit when people are trying to do that in terms of the event stream. And we can protect it and prevent it from happening as well. There is one caveat that I will urge all my customers to do, though. And that except an exclusion for your different backup tool that is accessing to get a backup of Active Directory. Wow. You're stealing my thunder. Yeah. That's really true, Bryan. That's a real problem. You need to make sure that, especially if you have Recovery Manager, you want to make sure Recovery Manager still has access to that .dit file to back it up. But there are a lot of offline attacks that you can do to an Active Directory database. So getting a copy of that for a hacker is a big deal. You don't want them to get a hold of that easily. So great, great new feature. Right. All right. I'm going down the list. There is enhanced security auditing, and there is, obviously, the-- it takes a lot-- Let's talk about that. There's an enhanced security auditing, irregular domain application. You know, so thinking about Mimikatz and built to run DC sync, which is one of the different commands you can use to get like the KRBTGT password hash. You can now be alerted when people are getting the different password hashes in your organization. The caveat here, though, is there's a lot of different accounts that get those different hashes on a regular interval. So if you're using the Ashra 80 connect, you'll start seeing a lot for an events port MSOL account that you have. So I'd recommend posterous of a different job for any account that MSOL's doing. But then maybe set an alert for any time an individual outside of that is doing DCC. You probably want to know about that. And in that purge job, Bryan, you might even want to specify the, your Android E connect server as the ones that you want to get rid of, because those are the ones you expect. Right? But if you're seeing that account being exploited from somewhere else, that could still be a really big security problem. So, so, so when your purging, keep that in mind. What was the other one the Kerberos tickets? Yeah. So speaking of alerts, so one of the things that we're now, obviously, we actually added the support in the previous release, but now, being able to detect Kerberos ticket lifetime changes, we can definitely set alerts to detect when that happens. And that's, Kerberos tickets are, that's how people get golden tickets. Right? They said a Kerberos ticket lifetime that, instead of the normal 10 hours, is more like 10 years. Exactly. So we see anything that's big. And what is it our default is 30 days? The default ticket for a Kerberos ticket is 10 hours. So it should be reproduction. Any time a ticket takes more than 10 hours, I recommend setting an learned to be aware of that. Yeah. But you could set an alert for whatever, whatever time you want. So that's good. And this is something that doesn't show up in the native event log. You don't see the ticket lifetime in the native event log. So it's one of the things that, as we're working with Change auditor in our hook into seeing this activity, we're pulling information out that you can't get natively. And it's great that you're mentioning it's not even the native event log. But one of the other features is seen tool integration. So we can push events from Change Auditor into like a Splunk or whatever use as your scene solution. So you'll be able to see that information in your screen if that's what your default. And Goslar, we've been doing that for quite a while now, actually, with some tools like a Q Radar. So true. But now any generic cis log listener can receive these different events, as well. Right. So you're enhancing, you're enhancing the security posture with Change Auditor. More choices. Correct. All right. Let me just finish with this. I know it's not 100% security focused, but for and for support. I don't know how many customers have asked us in the past if Change Auditor can support for and forced from a single coordinator or a single deployment. So why should customers be excited about this? Yeah. And it cuts down the amount of hardware you need to really deploy Change Auditor. Exactly. A lot of our clients have small forests that are just one or two DCs. Getting that forest supported in Change Auditor without having to deploy another coordinator is great news. One deployment, less infrastructure, still scalable, still can support large environments. Yup. I appreciate your time, guys. Thank you so much. Cheers.