Extending the value of your QRadar investment with monitoring of AD and file system activity
By utilizing StealthINTERCEPT®, the Windows Event Monitor for QRadar provides the ability to feed concise detail regarding file system access and Active Directory modifications to QRadar in real time. By distilling change and access activities into individual, complete, self-contained access events, this integration efficiently collects and delivers critical activity information for easy consumption and correlation by QRadar. These events are often impractical to collect and make sense of using standard Windows EventLog technology, as they can be extremely disjointed and in some cases incomplete. Additionally, high-volume EventLog traffic has historically introduced unacceptable overhead on servers that are configured to collect everything. The StealthINTERCEPT (SI) event collection approach instead uses deep introspection designed specifically for completeness and efficiency for the event types that it collects.
By extending monitoring visibility to access configuration changes for applications and data, and to access to file system contents and permissions, the StealthINTERCEPT® integration provides real savings in terms of identifying and mitigating unauthorized or potentially risky activities in the environment. These savings are realized by expediting awareness (early detection and detailed reporting) of potentially costly inadvertent or malicious changes to access rights (based on groups), to global configuration (in the form of GPOs), or to access to sensitive data. By identifying and alerting on these situations, appropriate remediation steps can be taken as soon as possible to prevent or mitigate the resulting security fallout or interruption of service to critical applications. This information can also be correlated with network access activity data from QRadar to further pinpoint the source of malicious activities for a more definitive picture of exposures and remediation options.
In addition, this integration facilitates the visualization of Active Directory and file system usage patterns, enabling the formulation of steps to minimize the costs that could be incurred when these repositories are moved, migrated, or otherwise made unavailable to the critical applications or individuals that rely on them.