You need to know who is generating the events on your network before you can begin to do user behavior analysis or detect anomalous activity. By “who”, I mean both the user account and the computer or device.
But this is by no means easy, because so many of the logs we deal with are collected at the network level and bear only IP addresses. When you see an internal IP address, you need to know whether it’s a printer, network device, appliance, server, workstation or something else. If it’s a server: what kind of server, which OS, and what workload and applications does it run? If it’s a workstation: whose workstation? What department are they in? Job title? Manager? And of course, IP addresses aren’t static, especially for workstations using DHCP.
This isn’t just limited to identifying internal users and endpoints. When you see outbound traffic to a given IP address, what you really need to know is the DNS name the internal endpoint is using for that address. This is important because so many servers and resources are hosted in the cloud, and one IP address can service thousands of different DNS domain names. Blacklisting an entire IP address is often prohibitively broad. You can monitor outbound DNS queries against threat intel lists, but as soon as you see a DNS query to a suspect address, the next questions are:
- What kind of system sent the query?
- If it’s a workstation, who is the user?
- What kind of connection was made to that address subsequently? What protocol, volume, duration?
In this webinar, we will look at how to correlate logs from your DHCP server, logs and data from DNS servers, and LDAP identity information from Active Directory to answer these questions. We will get into the actual data, fields and formats of the logs, Windows DHCP and DNS servers and the specific attributes you need from AD, and how to find the right computer and user accounts in the first place starting with information in logs.
Pulling all this information from DHCP, DNS, AD, the Windows Security Log and network logs (IDS, NGFW, proxy servers, firewalls) and putting a name and computer identity on every event and packet will speed up your investigations, let you do more of them, and make your threat detection much more effective.
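The correlation described above, as an added example that is not part of the webinar or of any vendor product: it builds a lease timeline from DHCP assign/renew/release events, resolves a DNS query's client IP to the computer that held that IP at query time, picks the most recent interactive logon (Security Log event 4624) on that computer to name the user, and attaches the user's department, title and manager as an LDAP lookup against AD would. All log lines, host names, accounts and the threat-intel domain are constructed sample data, and the DHCP and DNS line layouts are simplified approximations of the real Windows formats, not the exact schemas.

```python
"""Put a computer and user name on a DNS query by correlating DHCP leases,
Windows logon events and AD attributes. Every record below is constructed
sample data; the field layouts are simplified approximations."""
from datetime import datetime

# Constructed DHCP audit log in a simplified DhcpSrvLog-style CSV layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
# ID 10 = new lease, 11 = renew, 12 = release
DHCP_LOG = """\
10,03/14/24,08:02:11,Assign,10.1.5.23,LAPTOP-ACCT07.corp.example,1C2B3C4D5E01
10,03/14/24,08:05:40,Assign,10.1.5.24,PRN-FLOOR2.corp.example,00AABBCCDD02
12,03/14/24,12:30:05,Release,10.1.5.23,LAPTOP-ACCT07.corp.example,1C2B3C4D5E01
10,03/14/24,12:31:50,Assign,10.1.5.23,LAPTOP-ENG19.corp.example,1C2B3C4D5E02
11,03/14/24,16:00:00,Renew,10.1.5.23,LAPTOP-ENG19.corp.example,1C2B3C4D5E02
"""

# Constructed logon records as you would extract them from Security Log
# event 4624 (interactive logons): time, workstation name, account name.
LOGONS = [
    ("2024-03-14 08:03:02", "LAPTOP-ACCT07", "jdoe"),
    ("2024-03-14 12:33:10", "LAPTOP-ENG19", "asmith"),
]

# Constructed AD attributes, standing in for an LDAP lookup.
AD_USERS = {
    "jdoe": {"department": "Accounting", "title": "Staff Accountant", "manager": "rlee"},
    "asmith": {"department": "Engineering", "title": "Software Engineer", "manager": "mkhan"},
}
AD_COMPUTERS = {
    "LAPTOP-ACCT07": {"operatingSystem": "Windows 11 Enterprise"},
    "LAPTOP-ENG19": {"operatingSystem": "Windows 11 Enterprise"},
}

# Constructed threat-intel list of suspect domains (suffix match).
THREAT_DOMAINS = {"bad.example"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_dhcp_log(text):
    """Turn assign/renew/release events into per-IP lease intervals
    [start, end); end is None while the lease is still active."""
    leases, open_lease = {}, {}
    for line in text.strip().splitlines():
        eid, date, time_, _desc, ip, host, mac = line.split(",")[:7]
        t = datetime.strptime(f"{date} {time_}", "%m/%d/%y %H:%M:%S")
        short = host.split(".")[0].upper()  # NetBIOS-style name used by 4624
        cur = open_lease.get(ip)
        if eid in ("10", "11"):
            if cur and cur["host"] == short:
                continue  # renewal by the same host: the lease just continues
            if cur:
                cur["end"] = t  # IP moved to another host without a release
            cur = {"start": t, "end": None, "host": short, "mac": mac}
            open_lease[ip] = cur
            leases.setdefault(ip, []).append(cur)
        elif eid == "12" and cur:
            cur["end"] = t
            del open_lease[ip]
    return leases


def host_at(leases, ip, t):
    """Which computer held this IP at time t (None if no lease covers t)."""
    for lease in leases.get(ip, []):
        if lease["start"] <= t and (lease["end"] is None or t < lease["end"]):
            return lease["host"], lease["mac"]
    return None, None


def user_at(logons, host, t):
    """Account from the most recent 4624 logon on host at or before t."""
    best = None
    for when, comp, user in logons:
        w = _ts(when)
        if comp == host and w <= t and (best is None or w > best[0]):
            best = (w, user)
    return best[1] if best else None


def enrich_dns_query(line, leases=None):
    """line format (constructed): '<YYYY-MM-DD> <HH:MM:SS> <client ip> <qname>'."""
    date, time_, ip, qname = line.split()
    t = _ts(f"{date} {time_}")
    if leases is None:
        leases = parse_dhcp_log(DHCP_LOG)
    host, mac = host_at(leases, ip, t)
    user = user_at(LOGONS, host, t) if host else None
    name = qname.lower().rstrip(".")
    flagged = any(name == d or name.endswith("." + d) for d in THREAT_DOMAINS)
    return {
        "time": t.isoformat(sep=" "), "client_ip": ip, "qname": qname,
        "flagged": flagged, "host": host, "mac": mac,
        "os": AD_COMPUTERS.get(host, {}).get("operatingSystem") if host else None,
        "user": user,
        **AD_USERS.get(user, {"department": None, "title": None, "manager": None}),
    }


if __name__ == "__main__":
    for q in ("2024-03-14 13:15:02 10.1.5.23 update.bad.example",
              "2024-03-14 09:10:00 10.1.5.23 cdn.example.net",
              "2024-03-14 09:10:00 10.1.5.24 cloud.example.net"):
        print(enrich_dns_query(q))
```

Two details matter in practice: the lease for 10.1.5.23 changes hands during the day, so a lookup keyed on IP alone would blame the wrong workstation for the afternoon query, and the printer at 10.1.5.24 has no logon or AD computer record, which is itself the signal that the query did not come from a user's workstation.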
Our sponsor is Rapid7 and you’ll briefly see how Rapid7 InsightIDR automatically correlates this data to find evil with just a few minutes of configuration.
Please join us for this real training for free session.