PROTIP: Policy Registration & Managing StealthINTERCEPT via PowerShell and Editing StealthDEFEND Investigations & Categorizing Playbooks

There are four ProTips in this post, covered in the sections below:

Multiple Policy Registration in StealthINTERCEPT

StealthINTERCEPT has long supported a single policy with multiple event registrations. There are situations where you need to audit certain activity but want to filter on a couple of very specific conditions without filtering out all other activity. Here is a use case:

Because the new StealthINTERCEPT version 7.1 introduces improved filtering, an LDAP example seems appropriate: you have identified LDAP activity you want to audit, but a single account generates an excessively high volume of traffic from a single system/host. That traffic is expected, but it would be considered noise.

Problem

If you filter the system, you don’t see activity from other accounts on that system.

BUT…

If you filter that account, you don’t see other activity for that account on other systems.

Policy 1

Exclude all activity from the noisy account.

Policy 2

Include all activity from the noisy account, but

Exclude all activity from the host where this account generates the most noise.

End result: you get all activity for the desired users, plus activity from the noisy account only on hosts other than the one it generates excessive activity from.
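To make the set logic concrete, here is an added PowerShell illustration (not StealthINTERCEPT code, and not its event schema) that runs the two registrations above against a handful of constructed LDAP events and compares the result with a plain host filter and a plain account filter. The account, host and property names are assumptions made up for the example.

```powershell
# Added illustration of the two-registration approach. Sample events are
# constructed here; Account/Source/Op are assumed names, not the product's schema.
$NoisyAccount = 'CORP\svc-scanner'   # the account that floods LDAP from one box
$NoisyHost    = 'SCAN01'             # the host it floods from

$Events = @(
    [pscustomobject]@{ Account = 'CORP\svc-scanner'; Source = 'SCAN01'; Op = 'LDAP Search' }
    [pscustomobject]@{ Account = 'CORP\svc-scanner'; Source = 'APP02';  Op = 'LDAP Search' }
    [pscustomobject]@{ Account = 'CORP\jdoe';        Source = 'SCAN01'; Op = 'LDAP Search' }
    [pscustomobject]@{ Account = 'CORP\jdoe';        Source = 'WS17';   Op = 'LDAP Search' }
)

# Single filter on the host: silences every account on SCAN01, jdoe included.
function Get-EventsExcludingHost {
    param([object[]]$Events)
    $Events | Where-Object { $_.Source -ne $NoisyHost }
}

# Single filter on the account: silences svc-scanner everywhere, APP02 included.
function Get-EventsExcludingAccount {
    param([object[]]$Events)
    $Events | Where-Object { $_.Account -ne $NoisyAccount }
}

# Two registrations in one policy, unioned:
#   Registration 1 (Policy 1): everyone except the noisy account, from any host
#   Registration 2 (Policy 2): only the noisy account, except from the noisy host
function Get-TwoRegistrationEvents {
    param([object[]]$Events)
    $reg1 = $Events | Where-Object { $_.Account -ne $NoisyAccount }
    $reg2 = $Events | Where-Object { $_.Account -eq $NoisyAccount -and $_.Source -ne $NoisyHost }
    @($reg1) + @($reg2)
}

# Compare what each approach keeps; only the last one drops exactly svc-scanner@SCAN01.
foreach ($approach in 'Get-EventsExcludingHost', 'Get-EventsExcludingAccount', 'Get-TwoRegistrationEvents') {
    $kept = & $approach -Events $Events
    "{0}: {1} of {2} events kept" -f $approach, @($kept).Count, $Events.Count
    $kept | ForEach-Object { "    {0} from {1}" -f $_.Account, $_.Source }
}
```

The host filter and the account filter each keep two of the four events, while the two-registration policy keeps three, losing only the noisy account on the noisy host.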


Managing StealthINTERCEPT via PowerShell

This latest release, StealthINTERCEPT version 7.1, extends many more capabilities from the StealthINTERCEPT console to PowerShell. You can now manage and import policies and collections, check agent status, and more from PowerShell. The StealthINTERCEPT Administrative Guide provides detailed documentation for the PowerShell cmdlets; for more detail, see the product help appendix "PowerShell API integration". To load the PowerShell module, type:

Import-Module "C:\Program Files\STEALTHbits\StealthINTERCEPT\SIEnterpriseManager\SI.SIMonitor.PowerShell.dll"

To see a list of available SI PowerShell cmdlets type:

Get-Command -Module SI.SIMonitor.PowerShell

The Appendix also documents all files required to perform remote management.


Editing StealthDEFEND Investigations the Lazy Way

Often we build investigations in StealthDEFEND to look for general activity. However, from time to time you need a similar investigation focused on a single user or group of users. You could build a new one from scratch, but that wastes time. You could also modify your existing investigation, but then you need to remember to change it back later. It is more useful to open an existing investigation, make your edits, and then click "Save As".

Now you have the best of both worlds: investigations at both the general and the specific level, with little effort.


Categorize StealthDEFEND Playbooks to Reduce Clutter

Response playbooks are extremely valuable, but when you manually kick off a response the list of playbooks can get cluttered. One way to streamline this is to categorize your threat responses by the threat or threats they correspond to, since not every response applies to every threat. The result is faster threat response and an easier time determining which responses align with which threats.
