The Security [3] Critical Changes & Activity Dashboard

Article ID: 516
Category: Dashboard
Applies to: 5.1.1.102 and higher
Updated: 2024-05-20

The Critical Changes & Activity dashboard uses a variety of EventSentry features to identify and review changes made to the network infrastructure and Active Directory. The ADMonitor-based tiles (marked with [ADMonitor] in the title) can be removed if ADMonitor is not activated. This dashboard offers the following benefits:

  • Identify malware or suspicious software that registers scheduled tasks and/or services
  • Identify newly installed software
  • Identify newly connected network devices
  • Review important AD changes
  • Identify newly added system files
  • Review failed logons

Reports
The majority of tiles use reports from the Security [3] Critical Changes & Activity category, which can be found under Reports -> My Reports. These reports can be adjusted if there are valid reasons the recommended settings would not work in your environment.

The reports can also be scheduled with jobs, for example to get an email about all ARP or Active Directory activity.

Prerequisites
This dashboard requires that the following EventSentry features are enabled (most are by default):

  • System Health: Scheduled Task Monitoring
  • System Health: Software Monitoring
  • System Health: Service Monitoring
  • System Health: File Integrity Monitoring
  • Network Service: ARP Activity
  • Security & Compliance: Logon/Logoff
  • Security & Compliance: Account Management
  • Security & Compliance: Policy Changes
  • ADMonitor
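The tiles above are fed by EventSentry's own monitoring features, but the scheduled task, service and failed logon activity they surface also leaves native Windows event log entries. The following PowerShell script is an added example (not EventSentry code and not how the agent collects its data) that pulls the same signals straight from the event log so you can cross-check a tile or confirm that the required audit subcategories are actually generating events. It assumes an elevated session on the host being checked and uses only documented event IDs: 4698 (scheduled task created) and 4625 (failed logon) in the Security log, and 7045 (new service installed) in the System log. The `-Hours` parameter and the `Get-RecentEvents` helper are this example's own names.

```powershell
# Added example (not EventSentry code): cross-check the "Scheduled Tasks Added",
# service and "Failed Logons" signals against the native Windows event log.
# Run in an elevated PowerShell session on the monitored host.
param(
    [int]$Hours = 24   # look-back window; assumption for this example
)

$since = (Get-Date).AddHours(-$Hours)

# Helper (this example's own): query one log for a set of event IDs since $since.
# Get-WinEvent throws when nothing matches, so an empty result is returned instead.
function Get-RecentEvents {
    param([string]$LogName, [int[]]$Ids)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Ids; StartTime = $since } -ErrorAction Stop
    } catch {
        @()
    }
}

# Pull a named field out of an event's EventData (the XML form exposes Name="..." elements).
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $x = [xml]$Event.ToXml()
    ($x.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# 1. Scheduled tasks registered (Security 4698): task name plus who registered it.
$tasks = Get-RecentEvents -LogName 'Security' -Ids 4698 | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Task    = Get-EventField -Event $_ -Name 'TaskName'
        Subject = Get-EventField -Event $_ -Name 'SubjectUserName'
    }
}

# 2. Services installed (System 7045): the ImagePath is what to eyeball for odd locations.
$services = Get-RecentEvents -LogName 'System' -Ids 7045 | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Service   = Get-EventField -Event $_ -Name 'ServiceName'
        ImagePath = Get-EventField -Event $_ -Name 'ImagePath'
    }
}

# 3. Failed logons (Security 4625), grouped by target account so bursts stand out.
$failed = Get-RecentEvents -LogName 'Security' -Ids 4625 |
    ForEach-Object { Get-EventField -Event $_ -Name 'TargetUserName' } |
    Group-Object | Sort-Object Count -Descending | Select-Object Name, Count

"Scheduled tasks registered in the last $Hours h:";  $tasks    | Format-Table -AutoSize
"Services installed in the last $Hours h:";          $services | Format-Table -AutoSize
"Failed logons by account in the last $Hours h:";    $failed   | Format-Table -AutoSize

# 4. Confirm the audit categories behind these events are enabled. 4698 lives under
#    Object Access (Other Object Access Events); 4625 under Logon/Logoff; account
#    management and policy change events under their own categories.
foreach ($cat in 'Logon/Logoff', 'Account Management', 'Policy Change', 'Object Access') {
    auditpol /get /category:"$cat"
}
```

If a tile is empty while this script returns events, the corresponding EventSentry feature or report filter is the place to look; if the script returns nothing and `auditpol` shows "No Auditing" for a category, the host is not producing the events in the first place.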

False Positives
Some false positives are expected on this dashboard, especially on the "Scheduled Tasks Added", "Software Installed" & "Files Added" tiles. To exclude noise and expected changes, simply run the report (blue arrow symbol) that is associated with the tile, edit the report, save the report and return on the dashboard.