Utilizing StealthAUDIT Reporting
This month I’d like to touch on a little-known usability feature within StealthAUDIT. The Reports Only mode allows the console to be run without risk of triggering any collections or affecting any existing data sets.
There is an underused (but very useful) command line switch that allows you to run StealthAUDIT so that it can only generate reports. When run in Reports Only mode, the Query, Analysis, and Action functions will be disabled.
From the command line, first we need to change the working directory to the StealthAUDIT install directory, which is represented by an environment variable (i.e., %sainstalldir%) configured during installation. Enter “cd %sainstalldir%” into a command window.
Once working within the proper directory, run StealthAUDIT.EXE with the “/reportsonly” switch.
If done properly, the console will open and the Title Bar will now show (/ReportsOnly).
Now you can safely run reports without in any way impacting your existing data. I use this frequently to rebuild my Report Index or work on reporting for specific projects.
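The same launch as a PowerShell script, with the Title Bar check automated so that the run fails loudly if the console did not come up in Reports Only mode. This is an added example, not code from the original post or from STEALTHbits; it assumes the executable is named StealthAUDIT.exe as written above and that the main window title contains "(/ReportsOnly)", and the 120-second timeout is an arbitrary choice.

```powershell
# Added example, not vendor code. Assumes the installer set %sainstalldir%
# and that the console's main window title carries "(/ReportsOnly)".
$ErrorActionPreference = 'Stop'

$installDir = $env:sainstalldir
if ([string]::IsNullOrWhiteSpace($installDir)) {
    throw 'Environment variable sainstalldir is not set for this account.'
}

$exe = Join-Path $installDir 'StealthAUDIT.exe'
if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
    throw "StealthAUDIT.exe not found under $installDir"
}

# Equivalent of "cd %sainstalldir%" followed by "StealthAUDIT.exe /reportsonly".
$proc = Start-Process -FilePath $exe -ArgumentList '/reportsonly' `
                      -WorkingDirectory $installDir -PassThru

# Poll the main window title until the marker appears or the timeout expires.
$deadline = (Get-Date).AddSeconds(120)   # arbitrary timeout (assumption)
$title = ''
while ((Get-Date) -lt $deadline -and -not $proc.HasExited) {
    $proc.Refresh()                       # re-read cached process properties
    $title = $proc.MainWindowTitle
    if ($title -like '*(/ReportsOnly)*') { break }
    Start-Sleep -Seconds 2
}

if ($title -like '*(/ReportsOnly)*') {
    Write-Host "Reports Only mode confirmed: $title"
} else {
    # Fail closed: without the marker, do not assume Query, Analysis and
    # Action are disabled in the console that opened.
    throw "Title bar does not show (/ReportsOnly); last title seen: '$title'"
}
```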
Jeff is a Senior Engineer at STEALTHbits.