Versions Compared

Old Version 3

changes.mady.by.user Yuriy Ostrovskiy (Deactivated)

Saved on

compared with

New Version 4

changes.mady.by.user Yuriy Ostrovskiy (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Two previous reports were based on the data from snapshots. However, ACDI also contains reports based on audit events. Let's check a few of them and go through a real use case.

...

Let's use NetIQ Audit Users report.

...

You can see that time picker is set to go through events during the last seven days. Let’s imagine that yesterday one of your employees, Astrid Strand, lost access to her account.

...

It’s possible to filter by surname, first name to narrow down the search. And here you see that during the last week there were two changes for this user. Let's investigate.

...

Here we can see that on the exact date someone changed the attribute “Login disabled” to “True” and then later the admin was enabled. And the report shows that the modifier of the incorrect event was a user with the CN “Valerius.”

...

You want to investigate further, don’t you? You want to know why and how Valerius got access and authorization to make changes for your users.

...

Let’s go back to the filters and clean up last name filter. Ok, now let’s check all changes for Valerius.

...

So, here you see that previously on that day this user became a member of group “Admins.” This user was enabled and logged into the system. And the reason why this user got admin permissions was due to changes made in the group membership. They were made by a service account that is used by Active Directory to eDirectory driver in the standard Active Directory driver.

...

Let’s dive deeper and check all other changes for the “Admins” group because it seems to be a breach in security.

...

For this you can use the NetIQ Audit Groups where you enter “Admins” in the “Object Name” filter.

...

Here you want to get the information about all the changes in admins during the last seven days. Let's run the report.

...

Now you see that, fortunately, this was the only change during the week.

...

This was a short overview and guide of how ACDI reports can help you investigate real cases in your environments. Thank you for your attention and take care.

Should you have any questions or require any assistance, please do not hesitate to contact us at any time swsupport.skypro@skypro.ch