Insider Threat Report v2

by Josef Weiss
March 6, 2014

This report was completely re-worked and streamlined, and now includes New_User_Source events in two different formats. A new section resides under Chapter 2, titled 'New User Source Summary', and contains a New User Source User Summary and a New User Source Event List, as shown below.

The remainder of the report was altered to reduce run time. The original report had tables that presented the analyst with data ranging from 90 days to 30 days, depending on the section. All of the report items have now been reduced to a 7 day reporting period. This change was implemented because of the enormous size of the report being generated on some systems. Corporate, for example, took over 3 hours and was 1800 pages in length.

The report now completes in a reasonable timeframe and still presents the analyst with all the new user account information.

This report displays details on new user events that have been found in your environment. The report is broken down into 3 main areas.

The first area is Graphs and Trends.

Graphs and Trends contains trend data on logins and login failures over a 7 day period, new users, new network users, and VPN logins from unusual sources.


  • Logins and Login Failures graph trends the data types 'login' and 'login-failure' across a seven day time period, which allows the analyst to correlate login and login failure events concurrently during the specified time period.
  • New Users table presents data on the Normalized Event 'New_User', utilizing the User Summary tool, over a time period of ninety days. This event dynamically learns users that exist on servers and applications and alerts when it recognizes a valid login from a new user.
  • Network New Users table presents data on the Normalized Event 'new-network-user', utilizing the User Summary tool, over a time period of ninety days. The New-Network-User event records the first time a new user is ever seen on the network.
  • VPN Logins From Unusual Source table presents data on the Normalized Event 'VPN_Login_From_Unusual_Source', utilizing the User Summary tool, over a time period of ninety days. This event monitors several VPN login events and tracks users based on the source IP address of the login. Once it determines a user’s 'normal' source, it will alert on any unusual sources of logins for that same user.
  • New User Source Summary section presents New_User_Source events in two different formats: a New User Source User Summary and a New User Source Event List.
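To make the learning behaviour of the New_User and VPN_Login_From_Unusual_Source events concrete, here is an added Python example (not SecurityCenter's or LCE's own code) that replays a constructed event stream through a simple baseline learner; the event type strings, the three-login learning threshold and the sample events are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample event stream (not real log data).
# Each tuple: (day, event_type, user, source_ip)
SAMPLE_EVENTS = [
    (1, "login",         "alice", "10.0.0.5"),
    (1, "vpn-login",     "alice", "203.0.113.10"),
    (2, "vpn-login",     "alice", "203.0.113.10"),
    (3, "login",         "bob",   "10.0.0.9"),
    (3, "vpn-login",     "alice", "203.0.113.10"),
    (4, "vpn-login",     "alice", "198.51.100.77"),  # source alice has never used
    (5, "vpn-login",     "carol", "203.0.113.10"),   # carol's first VPN login
    (6, "login-failure", "bob",   "10.0.0.9"),       # failures never train the baseline
]

VALID_LOGIN_TYPES = {"login", "vpn-login"}   # assumed normalized type names


def process_events(events, learning_logins=3):
    """Replay events in order and return the alerts a baseline learner would raise.

    - 'New_User': first valid login ever seen for a user (login failures are ignored).
    - 'VPN_Login_From_Unusual_Source': after a user has `learning_logins` VPN logins,
      the sources seen so far are that user's 'normal' set and any VPN login from a
      source outside it alerts. Hypothetical logic for this example, not LCE's.
    """
    known_users = set()
    vpn_sources = defaultdict(set)      # user -> baseline source IPs
    vpn_login_count = defaultdict(int)  # user -> VPN logins seen so far
    alerts = []
    for day, event_type, user, src in events:
        if event_type not in VALID_LOGIN_TYPES:
            continue                    # only successful logins teach the learner
        if user not in known_users:
            known_users.add(user)
            alerts.append((day, "New_User", user, src))
        if event_type == "vpn-login":
            if vpn_login_count[user] >= learning_logins and src not in vpn_sources[user]:
                # baseline is established and this source is outside it: alert,
                # and do not add the suspicious source to the baseline
                alerts.append((day, "VPN_Login_From_Unusual_Source", user, src))
            else:
                vpn_sources[user].add(src)   # still learning: treat source as normal
            vpn_login_count[user] += 1
    return alerts


if __name__ == "__main__":
    for alert in process_events(SAMPLE_EVENTS):
        print(alert)
```

Replaying the sample stream yields three New_User alerts (alice, bob, carol) and one unusual-source alert for alice on day 4; the day 6 login failure leaves the baseline untouched.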

The second area of the report is an iterator that presents users discovered by IP Address. Data is presented in a detailed manner that includes the IP Address, DNS Name, MAC Address, the users that have been discovered on the system via the plugin output (plugin 800001 - Users Discovered), as well as the first discovered and last observed dates.

The third area of the report is an iterator that presents a detailed user source summary. Data is presented in a detailed manner that includes the IP Address, DNS Name, MAC Address, the user accounts that have logged into remote hosts via the plugin output (plugin 800041 - User Source Summary), as well as the first discovered and last observed dates.

The report and its components are available in the SecurityCenter 4.7 Report app feed, an app store of dashboards, reports, and assets. The report requirements are:

  • SecurityCenter 4.7.1
  • Nessus 5.2.4
  • LCE 4.2.1