How to Detect and Investigate Unusual User Behavior Using Netwrix Auditor 8.5

Netwrix Auditor is a visibility and governance platform that lets you monitor changes, configurations and access across important IT infrastructure components such as Active Directory, event logs, Exchange, Office 365, SQL Server, and others.


  • Installing Netwrix Auditor
  • Initial configuration
  • Generating reports
  • Change management
  • User Behavior Analytics
  • Add-on Store
  • Final points 
Systems administrators can generate “who, what, when, and where” change audit reports with minimal effort. Learn the basics of the Netwrix Auditor solution, including installation, use cases, and obtaining an evaluation version.

Imagine this scenario: you are an Active Directory administrator for your organization. Last weekend, news outlets in your part of the world break reports that customer data, including personal details, was leaked from your internal environment.

As part of the company’s remediation scenario, your CIO orders you to generate detailed reports of Active Directory account privilege use within the domain over the past two months. To generate the report, you plan to crawl the log data from your 4 domain controllers, 8 database servers, and 16 infrastructure servers. In so doing, you realize that you’re in big trouble because you’re overwhelmed with audit log data with no summarization or relevance filtering.

In this article I’d like to show you Netwrix Auditor, a flexible visibility and governance platform that makes it much easier to track access in your domain and generate easy-to-understand yet compliance regulation-friendly reports.

Installing Netwrix Auditor

You can work with Netwrix either on-premises or in the cloud. Here are the options:
  • On-prem installer: The server component runs on Windows Server, and the client component runs on Windows Server or Windows Client
  • Virtual appliance: Preconfigured virtual hard drive that runs on either Hyper-V or VMware
  • Cloud VM: Preconfigured virtual machines that run in the Microsoft Azure, Amazon Web Services (AWS) or CenturyLink public clouds
In my environment I downloaded a free 20-day trial of the on-premises Netwrix Auditor installer. As you can see in the next screen capture, the installer gives you all the managed objects in one go:

Netwrix Splash Screen

Before you install the Netwrix Auditor applications, however, you need to make sure that your Windows Server meets the solution’s system requirements. Although Windows Server 2016 isn’t listed as a supported OS, I had no problems installing and running Netwrix on my Windows Server 2016 domain controller.

Here’s a potential gotcha: You’ll need to have a SQL Server instance (both the database engine and reporting services) available to take full advantage of Netwrix Auditor’s capabilities. You can get away with an Express Edition, by the way.

You’ll also want to make sure to install the .NET Framework 3.5 feature on your server prior to Netwrix installation.

As is the case with most client/server software, the installer allows you to choose between a client/server (full installation) or client tools-only option. You can see the dialog box in question in the next screen shot.

Choosing an installation type

Initial configuration

You administer Netwrix Auditor by starting the Netwrix Auditor Administrator console, as shown in the following screenshot. This is a garden-variety Microsoft Management Console (MMC) application.

The Netwrix Auditor administrative console.

Deploying auditing with Netwrix involves the following steps:
  • Validating your SQL Server database connection (performed in the AuditArchive™ > Audit Database admin console node)
  • Adding and configuring managed objects (performed in the Managed Objects node)
  • Configuring your audit policies and real-time alerts
The following screenshot shows the Audit Database screen in the Admin console; this is where we plug Netwrix into your SQL Server database instance. The AuditIntelligence™ hyperlink opens the Netwrix Auditor client, which we’ll discuss momentarily.

Configuring your database connections

You can define audit policies across many, many servers and services. Here’s the list of included audited systems in Netwrix Auditor 8.5:
  • Active Directory
  • Group Policy
  • Azure AD
  • Exchange
  • Exchange Online
  • SharePoint
  • SharePoint Online
  • Windows File Servers
  • NetApp
  • EMC
  • Oracle Database
  • SQL Server
  • Windows Server
  • VMware
In my environment I tested the Active Directory application. Check out the following screenshot, where you’ll see two important items:
  • List of predefined real-time alerts
  • Configuration for the built-in Organizational Unit Deletion alert
All of the alert rules have the same basic options. First, you determine the scope of auditing. For example, do you want to track deletion of only selected OUs, or all of them in your monitored Active Directory domain?

Second, you choose who should be notified when the alert rule is triggered, and how you want the alert delivered. You specify Simple Mail Transfer Protocol (SMTP) server settings under Settings > Email Notifications; you can also have Netwrix Auditor send Short Message Service (SMS) text messages to administrators.

Defining a real time alert

Each managed object also lets you set data collection schedules and, where necessary, alternative network credentials for collection.

Generating reports

Do you see how this process works? You enable managed objects that match the network services and assets that require auditing, and you configure e-mail or SMS messages for real-time alerts.

But what about generating reports to give to your company’s compliance officers? Well, let’s cover that use case next. Open the Netwrix Auditor client and you’ll see a nice graphical dashboard that looks much like the following screenshot.

The Netwrix Auditor client

The specific report options available in the client depend, of course, on which managed objects you’ve configured for auditing.

If you click Reports on the Netwrix Auditor client home page, you can run any of the predefined reports for the managed objects of the corresponding IT system, as shown next. Note that you need a license to see all the available data.

Netwrix Auditor predefined reports

The actual report interface should look familiar if you’ve used SQL Server Reporting Services (SSRS). In the following screenshot, look at the toolbar buttons I called out: you can export auditing reports to one of several different formats:
  • CSV
  • Excel
  • PDF
  • Physical printer
  • TIFF
  • Web services data feed (Atom)
  • Word
  • XML
An overview report showing Windows Server changes

One of this product’s biggest selling points, in my humble opinion, is its library of pre-built compliance reports. Take a look at the following screenshot:

Netwrix Auditor has several built in compliance reports

A user can subscribe to any of the reports or dashboards and receive them by e-mail on a schedule they define. Alternatively, the reports can be delivered to a specified network folder instead of by e-mail.

If your reporting needs go beyond the prebuilt report definitions, you can craft your own search in Interactive Search and save it as a custom report for later use, as shown below:

You can craft your own audit queries

Change management

Producing polished reports for your auditors is useful, but how could you use Netwrix Auditor to actually isolate and fix problems?

What’s wonderful about this tool is that you can view before/after snapshots of your managed data. For instance, you can view Group Policy data as it existed before one of your colleagues made some blocking edits to the domain policy.

Going further, you can actually roll back changes without necessarily having to dip into your backup archives. The following screenshot, courtesy of Netwrix, shows (a) an Active Directory object changes report; and (b) dialog boxes from their Active Directory Object Restore wizard.

Netwrix includes unwanted change rollback

User Behavior Analytics

With the latest product update, Netwrix introduced a new feature in Netwrix Auditor 8.5 that lets admins analyze user behavior and “blind spots.” This capability makes it easy to detect anomalies in user behavior that would otherwise go unnoticed, such as unusual access to sensitive or stale data, unusual spikes in failed activity, activity outside of business hours, activity involving harmful files or files containing sensitive data on corporate data storage, and more.

Unusual spikes in failed activity
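Two of the anomaly classes described above, spikes in failed activity and activity outside business hours, expressed as plain detection logic over "who, what, when" audit records. This is an added example, not Netwrix code; the event shape, the constructed sample data, the 08:00 to 18:00 weekday business window and the spike thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (hypothetical data): (user, timestamp, action, result).
EVENTS = [
    ("alice", "2017-03-06 09:12", r"read \\fs1\hr\payroll.xlsx", "success"),
    ("alice", "2017-03-06 09:15", r"read \\fs1\hr\benefits.docx", "success"),
    ("bob",   "2017-03-06 14:01", "logon dc1", "failure"),
    ("bob",   "2017-03-06 14:02", "logon dc1", "failure"),
    ("bob",   "2017-03-06 14:02", "logon dc1", "failure"),
    ("bob",   "2017-03-06 14:03", "logon dc1", "failure"),
    ("bob",   "2017-03-06 14:03", "logon dc1", "failure"),
    ("bob",   "2017-03-06 14:04", "logon dc1", "failure"),
    ("bob",   "2017-03-07 10:30", "logon dc1", "failure"),
    ("carol", "2017-03-05 02:40", "modify GPO Default Domain Policy", "success"),
    ("carol", "2017-03-06 11:05", "modify GPO Default Domain Policy", "success"),
]

def parse(events):
    """Turn the string timestamps into datetime objects."""
    return [(u, datetime.strptime(ts, "%Y-%m-%d %H:%M"), a, r) for u, ts, a, r in events]

def off_hours(events, start=8, end=18):
    """Return (user, time, action) for any activity on a weekend or outside start..end."""
    hits = []
    for u, t, a, r in parse(events):
        if t.weekday() >= 5 or not (start <= t.hour < end):
            hits.append((u, t.strftime("%Y-%m-%d %H:%M"), a))
    return hits

def failure_spikes(events, min_failures=5, ratio=3.0):
    """Flag hourly buckets where a user's failures are both >= min_failures and
    > ratio times the median of that user's other hourly buckets, so a burst is
    reported but a steady background of occasional failures is not."""
    buckets = defaultdict(Counter)  # user -> {"YYYY-MM-DD HH:00": failures}
    for u, t, a, r in parse(events):
        if r == "failure":
            buckets[u][t.strftime("%Y-%m-%d %H:00")] += 1
    spikes = {}
    for u, hours in buckets.items():
        for hour, n in hours.items():
            others = [c for h, c in hours.items() if h != hour]
            baseline = median(others) if others else 0
            if n >= min_failures and n > ratio * baseline:
                spikes.setdefault(u, []).append((hour, n))
    return spikes

if __name__ == "__main__":
    print("Off-hours activity:", off_hours(EVENTS))
    print("Failed-activity spikes:", failure_spikes(EVENTS))
```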

Add-on Store

Another interesting feature of Netwrix Auditor 8.5 is the ability to integrate it with leading SIEMs, including Splunk, IBM Security QRadar, AlienVault USM, SolarWinds Log & Event Manager, Intel Security and LogRhythm. The Netwrix Auditor Add-on Store provides free add-ons built to integrate Netwrix Auditor with any IT ecosystem. Because Netwrix Auditor supports a RESTful API, the list of available add-ons is expected to grow.

Final points

I’m a big fan of any administrative toolset that helps me to sleep peacefully at night. The fact that Netwrix Auditor saves me from scraping several servers’ worth of log data and Group Policy results is reason alone to justify its purchase. Then there’s the turnkey compliance auditing functionality.

Credit: Timothy Warner
