LME v1.4.0 New Active Directory Log Integrations and Dashboards #396
NVivero announced in Announcements
LME Announces Active Directory Log Integration and New Dashboards
CISA announces enhancements to LME, including additional Active Directory (AD) log integrations and dashboard configurations. These updates expand monitoring capabilities and improve data analysis, enabling users to gain deeper insights and make more informed decisions.
Previously, LME leveraged basic AD logging along with Sysmon to provide security visibility. By enabling more AD audit policies, LME will now generate logs for events that Sysmon alone could not monitor. Because AD logs and Sysmon gather information in different ways, they act as two separate log sources. Consequently, where the new AD log integration overlaps with information gathered by Sysmon, users can have greater confidence when reviewing their logs.
New AD Log Collection Features:
• User Login Activity: Detects unauthorized access attempts and credential usage. This includes alternative ways to log on to the network, such as special logons. Changes to Kerberos policy and password hash access are also now monitored.
• Process Creation and Termination: Tracks the creation and termination of processes to identify potential malicious activities.
• Remote Procedure Call (RPC) Activity: Monitors RPCs for unusual or unauthorized operations.
• File System Activity: Tracks file and folder activities, enabling comprehensive monitoring of access and modifications. This will log when files or folders are accessed, including shared files and folders. This also logs events whenever scheduled objects are added, changed, or deleted.
• Internet Protocol Security (IPSec) and Firewall Activity: Monitors network security, providing users with enhanced visibility into their network security posture, ensuring that firewall rules and IPSec policies are enforced properly.
• System Integrity Compromises: Audits events that violate the integrity of the security subsystem. Examples include events lost during an audit, a client impersonating an invalid local procedure call (LPC) port, unauthorized remote procedure calls (RPCs), an invalid hash value for an executable file, and unexpected cryptographic tasks.
• Group and Account Management: Oversees changes to user groups and accounts to prevent unauthorized access. Distribution, security, and application group activity is now all monitored, including when members are added, removed, or modified, or the group type is changed. Computer and user account activity is also monitored, including when accounts are created, changed, deleted, or locked out, or have their passwords reset.
• Registry, Kernel, and Security Account Manager (SAM) Insights: Tracks registry, kernel, and SAM changes to detect potentially harmful modifications.
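As an added example (not part of this announcement or of LME's own installer scripts), the following PowerShell checks a Windows host's effective audit policy against the feature areas listed above. The mapping from each area to Windows audit subcategories is an assumption for illustration; LME's actual GPO settings should be taken from the project itself.

```powershell
# Assumed mapping (illustrative, not LME's own policy): each feature area above
# to the Windows audit subcategories a defender would expect to find enabled.
$expected = @{
  'User Login Activity'              = @('Logon','Logoff','Special Logon','Other Logon/Logoff Events',
                                        'Kerberos Authentication Service','Authentication Policy Change')
  'Process Creation and Termination' = @('Process Creation','Process Termination')
  'RPC Activity'                     = @('RPC Events')
  'File System Activity'             = @('File System','File Share','Other Object Access Events')
  'IPSec and Firewall Activity'      = @('IPsec Driver','Filtering Platform Policy Change',
                                        'MPSSVC Rule-Level Policy Change')
  'System Integrity'                 = @('System Integrity')
  'Group and Account Management'     = @('Security Group Management','Distribution Group Management',
                                        'Application Group Management','User Account Management',
                                        'Computer Account Management')
  'Registry, Kernel and SAM'         = @('Registry','Kernel Object','SAM')
}

# auditpol /r prints the effective policy as CSV; drop any blank lines before parsing.
$policy = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv

# Index the "Inclusion Setting" column by subcategory name (hashtable keys are case-insensitive).
$state = @{}
foreach ($row in $policy) { $state[$row.Subcategory] = $row.'Inclusion Setting' }

# Report every expected subcategory that is missing or set to "No Auditing".
$gaps = foreach ($area in $expected.Keys) {
  foreach ($sub in $expected[$area]) {
    $setting = $state[$sub]
    if (-not $setting) { $setting = 'missing' }
    if ($setting -eq 'missing' -or $setting -eq 'No Auditing') {
      [pscustomobject]@{ Area = $area; Subcategory = $sub; Setting = $setting }
    }
  }
}

if ($gaps) {
  $gaps | Sort-Object Area, Subcategory | Format-Table -AutoSize
} else {
  'All expected audit subcategories are enabled.'
}
```

Run it in an elevated PowerShell session on a domain-joined host; an empty gap list means the event IDs the new dashboards rely on can actually be generated there.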
New Dashboards to Visualize and Analyze Collected Log Data:
• Policy Changes and System Activity Dashboard: Monitors firewall status changes, policy modifications (firewall, audit, Kerberos), PC power events, and RPC connection attempts across the domain.
• Identity Access Management Dashboard: Tracks critical security events related to identity and object access, including registry and password hash access, task scheduler changes, password resets, account lockouts, and domain password policy modifications.
• Privileged Activity Log Dashboard: Audits sensitive and non-sensitive events, tracking privileged service attempts, process creation/termination, and token creation per host.
• Credential Access Log Dashboard: Monitors logon/logoff events, including explicit credential use, account lockouts, special logons, disconnections, and Kerberos authentication services per host.
LME Announces Preview of 2.0
LME 2.0, to be released at the end of 2024, will introduce significant enhancements and features while maintaining its free and open-source nature. LME 2.0 aims to simplify adoption, increase security, and enhance logging, detection, and response functionalities. The update will include key architectural improvements. LME 2.0 will introduce:
• Enhanced Threat Detection and Response: LME 2.0 introduces a new architecture that integrates Wazuh’s open-source tools with Elastic’s fleet and agent orchestration. This integration strengthens LME’s capabilities in threat detection and response, providing users with a more robust security monitoring solution.
• Security-Focused Design: Applies CISA Secure by Design principles, using advanced containerization and encryption for least privilege and data protection.
• Simplified Installation: Streamlined deployment process utilizing Ansible scripts for automated installation, clearly separating data storage from configuration to minimize complexity.
• Modular Dashboards: Provides customizable data visualizations, allowing organizations to tailor dashboards to their specific needs for more effective monitoring and decision-making.
Feel free to comment below!