Customers using StealthINTERCEPT often ask how to quickly find all the changes made to a user object, including all group membership adds and deletes. The Investigation feature can be used to perform this search. Here’s how: first, make sure all policies are selected. Then, under the Other category, click both Class and Attribute. For the changes made directly to a user, enter User for Class, and under Attribute enter a partial string for the user you want to look for, e.g. ‘Administrator’. Click Refresh. This will return all changes made to the user object, such as lockouts, email address, department, phone, etc.
To see any groups where the user was added or removed, simply change the Class setting to Group and click Refresh. All of the group membership changes will now be displayed.
For more information, contact STEALTHbits Support at email@example.com.
Jeff is a Senior Engineer at STEALTHbits.