
HP ArcSight - Default Content - All Resources - IdentityView v2.5_1

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

The document outlines various reports and rules within the IdentityView 2.5 system designed to monitor suspicious activities and user behavior for security purposes. It covers a wide range of scenarios including information leakage, network anomalies, physical access issues, policy violations, role violations, and more. Some examples include detecting excessive printing after hours, unauthorized use of company information systems, and accessing hacker tool websites. The document also mentions specific rules related to privileged users' actions, such as adding or removing actors from the badged in list, and monitoring proxy activity. These rules are designed to help identify potential security breaches, protect sensitive data, and ensure compliance with corporate policies. Key highlights of the report include:

1. **Reports**:

  • **Failed Server Logins**: Provides detailed analytics on failed logins by department, employee type, and role. It also includes hourly login averages for users vs. roles and successful application and server logins for these categories.

  • **Stale Accounts**: Offers an overall report on stale accounts, which are user accounts that have not been actively used or logged into for a specified period.

  • **User Investigation**: Includes detailed activity logs for specific actors, covering all activities as well as printing activities.

2. **Rules**:

  • **Actor Attribution by IP Address**: Rules related to actor attribution based on login locations (Windows machines, non-Windows single-user machines, Windows servers, non-Windows servers).

  • **Actor Management**: Updates and deletions of actors due to interactive sessions, changes in threat scores, addition/removal from new hire lists.

  • **Actor Threat Score**: Adjustments based on the score's level (malicious or reduced), addition to or increase in the threat list.

  • **BookKeeping**: New actor additions and authenticators population.

  • **Privileged User Monitoring**: Management of privileged groups, including additions and removals.

  • **Shared Accounts**: Detection of shared accounts and record keeping of account IDs in use.

  • **Suspicious Activity**: Rules covering various suspicious activities such as brute force login attempts, lockouts, disabled actor activity, local admin creation, and risky user behaviors after hours.

These reports and rules are crucial for monitoring user identities, detecting potential security threats, and ensuring compliance with organizational policies. The document is marked as HP Confidential and subject to use restrictions, indicating that access should be limited to authorized personnel only for maintaining confidentiality and integrity of the information contained within.

Details:

The document "ESM & Express IdentityView Resource Name" provides a detailed list of features and events related to identity management within the software, focusing on user activity monitoring, actor attribution by IP address, threat score changes, and more. Key areas covered include:

1. **Actor Management**: Events such as actor role changes and suspicious activities are tracked, including logins to known shared accounts and information leakage events.

2. **User Activity Monitoring**: This includes various aspects like authorization changes (user group membership changed or privileges added/revoked), physical access system events, database activity, email traffic, printing activity, proxy traffic, and detailed monitoring by user attributes such as employment status (contractor, DBA, full-time employee, part-time employee).

3. **Suspicious Activity**: This encompasses various types of suspicious activities including role violations, web accesses associated with hacker tools or job hunting sites, and network-based anomaly detection in traffic analysis events.

4. **Core/All IdentityView Rule Firings**: Events where rules related to identity management are triggered across the system.

5. **User Investigation**: Involves all events from specified actors during investigations.

6. **Active List IdentityView**: Contains exclusions for IP-based actor attribution and rogue account IDs, as well as privileged user monitoring with roles added to privileged groups or increased threat scores.

7. **Shared Accounts**: Details logins to known shared accounts and detected shared accounts.

8. **Login Events**: Track all login events involving actors.

9. **Events with Actor**: Involves various types of events linked to specific actors, including IP-based attribution and detailed investigations.

10. **Physical Access System Events**: Records activities related to physical access systems within the organization.

11. **Email Traffic**: Monitors email communications for suspicious or unusual activity.

12. **Proxy Traffic**: Tracks traffic through proxy servers that may indicate suspicious or malicious activity.

13. **Database Activity**: Logs database interactions, which can be indicative of potential security breaches or data manipulation activities.

14. **Printing Activity**: Monitors and records printing activities to detect potentially unauthorized use of company resources.

15. **Physical Access System Events**: Records events related to physical access systems that may indicate suspicious activity within the organization.

This document is part of a series designed to enhance security measures by providing detailed logs and reports on user activities, enabling better tracking and management of system users and their interactions.

The document outlines various components and features of the "Active List IdentityView 2.5" software, designed for monitoring and managing user identities, activities, and potential threats within an organization's network. Key sections include:

1. **User Activity Monitoring**: This section covers daily active accounts, my DNS domains, pending stale accounts, and physical access records such as badged in actors.

2. **Suspicious Activity**: This includes monitoring for competition domains, countries of concern, default vendor accounts, disgruntled actors, new hire actors, notice-given actors, public webmail usage, and role violations which could indicate suspicious activities or potential threats to the organization's security.

3. **Shared Accounts**: Known shared accounts are listed here, potentially indicating unauthorized sharing of sensitive information among users.

4. **Destinations**: This section lists various websites categorized under "Anonymous Proxies" (such as anonybrowser.com, anonymizer.com, and proxify.com) and "Hacker Sites" (including 2600.com, astalavista.com, and hackerhighschool.org), which may indicate unauthorized or suspicious online activities.

5. **Career Sites**: Lists various career websites where job seekers can find employment opportunities, including popular platforms like LinkedIn, Indeed, and Monster.

6. **Actor Management**: This includes monitoring changes in actors (users) within the system, their roles, and potential rogue account IDs which could indicate compromised or unauthorized access.

7. **Actor Threat Score**: This section evaluates the threat level of actors based on activities such as malicious, suspicious, top threat score contributors, and watch levels.

8. **Privileged User Monitoring**: Covers actions by privileged users that have failed, along with a summary of these users' activities.

The document also includes references to other sections marked as "HP Confidential—subject to use restriction," indicating that certain information is sensitive and should be handled accordingly. Overall, the document provides an overview of how IdentityView 2.5 can be used to manage and monitor user identities and potential threats in a corporate environment.

The document, "Dashboard IdentityView 2.5," provides a comprehensive overview of various aspects related to user monitoring and security within an organization's digital environment. Key areas covered include:

1. **Shared Accounts**: This section identifies shared accounts that have been detected or used on multiple occasions, indicating potential issues such as unauthorized access or compromised credentials.

2. **Suspicious Activity**: The document highlights concerns related to suspicious activities including email errors, network-based anomaly detection, role violations, and information leakage which includes classification level violations, competitive communications, data type disclosures, leaked files, and more.

3. **User Activity Monitoring**: This involves tracking login events, authorization changes, application usage (such as database activity, email communication, printing, web traffic), and physical access (badged actors). The document provides detailed graphs and statistics to monitor user behavior effectively.

4. **Actor Management**: It covers the monitoring of actor account IDs, attribute updates, audit events, role additions/deletions, and threats based on malicious or suspicious levels. These features help in managing users' access rights and identifying potential security threats.

5. **Data Monitor IdentityView 2.5**: Further details specific to user management, including the addition or deletion of account IDs, attribute updates, audit events, role additions/deletions, and breakdowns related to actors.

The document is designed to assist in maintaining a secure digital environment by providing real-time insights into user behavior, potential threats, and shared accounts that might be exploited for unauthorized access. It serves as a crucial tool for organizations aiming to protect their sensitive information from breaches or leaks due to compromised credentials and other security vulnerabilities.

The Data Monitor IdentityView 2.5 report provides detailed insights into various aspects of an organization's cybersecurity posture, focusing on potential threats and suspicious activities. Key features include:

1. **Actor Threat Score**: This includes moving averages for threat scores, categorizing actors into malicious (top), suspicious (top), and watch levels based on their activity. It also covers actor activity monitoring.

2. **Privileged User Monitoring**: Tracks the addition and removal of privileged users within a short period, monitors failed actions by device and username, and logs unsuccessful logins. It also provides statistics on top devices, hosts, network domains, privileged users with failed actions, and those with unsuccessful logins.

3. **Shared Accounts**: Monitors failed login attempts to known shared accounts across various applications.

4. **Suspicious Activity**: Covers concerns related to country traffic, last company/nation state concerns, email-related suspicious activities (failed recipients/senders, rejected senders, and targeted job addresses), general security issues (top actors/departments/job titles with suspicious activity), information leakage (data classification levels, competitive inbound/outbound emails, personal data leaks, leaked files by user, company information leaks).

The report is designed to help organizations identify potential threats, monitor privileged users, and detect unauthorized access attempts or data leakage.

The document, named "Data Monitor IdentityView 2.5," is a comprehensive report designed to monitor and analyze various aspects of user activity within an organization, with a focus on identifying potential suspicious activities that may lead to information leakage or security breaches. This tool provides detailed insights into the following areas:

1. **Information Leakage**: The report tracks data leaks by addressing specific IP addresses as well as users, highlighting personal information such as addresses and user identities. It also categorizes these leaks according to destination addresses and users.

2. **Network-Based Anomaly Detection**: This section includes monitoring for anomalous traffic patterns, detection of new hosts or services on the network, scans that may indicate unauthorized attempts to access the system, and other suspicious activities.

3. **Role Violations**: It monitors role violations by department or employee type, providing a visual representation through event graphs.

4. **Suspicious Activity Rule Firings**: This section identifies rules triggered by potentially suspicious activities in user interactions.

5. **User Activity Monitoring**: Covers various aspects of user activity such as:

  • Authorization changes including group membership changes and privilege additions/revocations.

  • Database access patterns, including both overall database usage and specific table accesses.

  • Email communication, tracking inbound and outbound emails along with top senders and recipients.

  • Web browsing activities, including the most accessed web pages and sources that are blocked.

  • Printing activities, focusing on users who print after-hours or those with frequent printing sessions.

  • Application logins by department and employee type for both applications and servers.

6. **Actor Management**: This part of the report addresses rogue account IDs to manage attributed actors based on IP address information.

The document is classified as "HP Confidential," indicating that access to this data should be restricted, presumably due to its sensitivity and potential impact on organizational security. Overall, Data Monitor IdentityView 2.5 serves as a robust tool for enterprise-level organizations looking to enhance their cybersecurity posture by proactively monitoring user activities and identifying anomalies indicative of potential threats.

This document outlines various field sets and filters related to actor management, attribution by IP address, audit events, role additions/deletions, threat score increases, and other suspicious activities within a system or network. The fields include details such as actor roles, account logins, physical access, email usage, database activities, web interactions, and more. Filters are provided for specific attributes to help identify and manage actors based on their activity patterns and associated accounts. The information is sensitive and confidential, with restrictions on use beyond the stated context.

The provided text lists various filters and categories within the "IdentityView 2.5" system, which appears to be a platform for managing and analyzing identity-related data, particularly in cybersecurity contexts such as user management, threat detection, and auditing. Here is a summary of these filters and their purposes:

1. **Actor Management**: Filters related to users and events involving them, including those with or without an actor (user), whether they are affiliated with a rogue account ID, involve specific usernames, have no actor, include Windows exceptions for target users, and more.

2. **Threat Score**: Deals with assessing the threat level of actors based on their activity, including changes in threat scores, malicious or suspicious levels of activity, contributors to the threat score list, and increments in the threat score itself.

3. **Core Filters**: General filters that include events from various sources such as audit events, ArcSight events, internal events, Unix, Windows, and username-related events. These are crucial for assembling comprehensive data sets across different environments.

4. **My Filters**: Customizable filters set by the user, including specific attributes like employee type, role, status (active or deleted), document types (confidential or suspicious), and more. These help in quickly accessing tailored views of user activity based on predefined criteria.

5. **Privileged User Monitoring**: This section includes events related to adding actors, which could be used for monitoring changes in the privileged access roles within the organization.

Each filter is designed to provide specific insights into different aspects of user and system interactions, aiding in cybersecurity operations such as identifying potential threats from rogue accounts or assessing the risk associated with certain users. These filters are essential tools for organizations aiming to maintain a secure and compliant IT environment by monitoring and managing privileged access effectively.

The text provides a list of various filters and events monitored under the "Privileged User Monitoring" and "Shared Accounts" sections within HP Confidential, subject to use restrictions. Key highlights include:

1. **Privileged User Monitoring**: Events such as Actor added/removed from privileged group, failed login attempts, Windows event logs for adding or removing members from a privileged group, and more are monitored. Additionally, there's a focus on suspicious activities including logins by at-risk users, disgruntled actors, new hire actors, and those with a threat score greater than 0.

2. **Shared Accounts**: This includes monitoring of all login events to known shared accounts, failed attempts to known shared accounts, and logs recording account usage for non-IDS devices. It also involves detecting shared accounts through pattern discovery.

3. **Suspicious Activity**: Various sub-categories are listed here including concern traffic across countries, email communications with public webmail servers or job addresses, audit log clearing, information leakage between classification levels, and more.

4. **Windows Events**: Specific to Windows operating systems, these include account lockouts, privileged group membership changes, and other related activities.

These filters are part of a broader security monitoring strategy designed to detect potential threats, risky behaviors, and suspicious activities that could compromise the integrity or security of digital assets, especially regarding user privileges and shared accounts.

The text provided outlines a series of filters and categories used in software for monitoring suspicious activities, including information leakage, network-based anomaly detection, user activity monitoring, and more. These filters help identify specific types of suspicious behaviors such as unauthorized access attempts, data breaches, role violations, and unusual patterns in user behavior. By categorizing these events, the system allows users to quickly locate and investigate potential security incidents, ensuring compliance with privacy policies and regulations.

The text provides a comprehensive list of user activity monitoring categories as seen in the software "IdentityView 2.5." It covers various aspects such as database access, email traffic, printing activities, web page access, and login events across different platforms (Windows, Unix) and scenarios including successful and failed logins, among others. The data is further categorized by application type to provide detailed tracking of user interactions within specific software tools or systems.

The document outlines various configurations, commands, and profiles within the IdentityView 2.5 system for user activity monitoring and management. Key components include:

1. **User Activity Monitoring**: This includes specific filters for Windows authentication tickets (both 2003 and 2008), events with non-machine users, expired accounts from active and pending lists, and all events related to an actor.

2. **External User Lookup**: Commands are provided for looking up users by full name or username, including specific integrations with Google and external services like Active Directory, email addresses, and more.

3. **Event Search and Logging**: Various commands allow searching for events associated with actors near the event occurrence or over the past day, which can be useful for investigations.

4. **Actor Management**: Profiles related to managing actor attributes, roles (additions and deletions), and threat score rule firings are outlined.

5. **Privileged User Monitoring**: Includes monitoring of privileged role additions, deletions, and user activity, both in general and specifically by title.

6. **Shared Accounts**: Activities across shared accounts are monitored, with a specific detector for shared account usage.

7. **Suspicious Activity**: Profiles related to identifying suspicious activities, including rule firings that contribute to threat scores.

8. **User Activity Tracking**: This includes logins (successful and failed), URL access, time-based URL access patterns, and user activity logs that differ in attacker and target usernames or hosts.

9. **Integration Configuration and Targets**: The document specifies various integrations between IdentityView 2.5 and other systems for logging, TRM (Threat Response Module) operations, and external user lookups.

10. **Profile Settings**: These include actor attribution by IP address, server login activity by actors or their titles/departments, attribute modifications, role additions/deletions, and threat score rule firings.

The document is marked as HP Confidential and subject to specific use restrictions, indicating that the information may be sensitive and should only be accessed by authorized personnel.

The provided queries from "IdentityView 2.5" focus on various aspects of actor management and attribution based on IP addresses, including associations, logins, roles, and threat scores. They cover detailed analyses such as:

  • **Actor Attribution by IP Address**: This includes multiple sub-queries focusing on different combinations of actors and IP addresses (e.g., all events for actors associated by source or target IP only).

  • **IP Associations for Actor**: Details the network interactions linked to specific actors.

  • **Server Logins**: Analyzes login activities grouped by various criteria like country/region, department, roles, and more.

  • **Actor Management**: Provides insights into rogue account IDs, detailed activity for account IDs, role assignments, and actor statuses.

  • **Threat Score**: Evaluates the risk associated with actors based on their actions or attributes, providing a score to assess potential threats.

These queries help in understanding the digital identities, activities, roles, and security risks associated with various actors within an organization's IT infrastructure.

This document contains a list of queries related to various aspects of user identity and security monitoring, including threat scores, privileged user activities, shared account usage, and login details. These queries pertain to tracking actors on the threat score list, rule firings for threats, trend analysis in threat contributions, detailed actor information, top contributors, and suspicious activity related to privileged users and logins. The data is sensitive and should be handled with appropriate confidentiality measures as noted by the "HP Confidential" disclaimer at the end of each query title.

The provided text lists a series of queries in the "IdentityView 2.5" system, focusing on various aspects related to shared accounts and suspicious activities. These include:

  • **Shared Accounts**:

  • Top Applications with Known Shared Account Logins

  • Top Departments Using Known Shared Accounts (Actor by IP and Name)

  • Top Detected Shared Accounts

  • Top Job Titles Using Detected/Known Shared Accounts (Actor by IP and Name)

  • Top Roles Using Detected/Known Shared Accounts (Actor by IP and Name)

  • Top Source Addresses with Known Shared Account Logins

  • Top Target Addresses with Known Shared Account Logins

  • **Suspicious Activity**:

  • All Suspicious Activity, including for specific departments, employee types, roles, and privileged actors.

  • At Risk Users: Suspicious activity by disgruntled users, new hires, notice-given actors, and high threat score actors.

  • Database: Accesses, deletions, updates from disabled actors, audit options table delete, authentication review, failed authentication review, grant role DBA, privilege grants, user creation, and table access review.

  • Email: Rejected senders of emails, resumes emailed.

  • Information Leakage: Confidential document to competition, files emailed, specific document printed/transferred, traffic to competition.

The queries are categorized under the general heading "IdentityView 2.5/Suspicious Activity" and include detailed analysis for shared accounts and various types of suspicious activities identified within an organization's network or systems.

The provided text outlines various queries available in "IdentityView 2.5" for monitoring suspicious activities, user activity, and other security-related aspects of an organization's digital environment. These include:

1. **Leakage/Traffic to Countries of Concern**: This query is used to detect unauthorized data transfer or traffic to specific countries that might be deemed a concern for cybersecurity reasons.

2. **Suspicious Activity Rule Firings**: This involves monitoring rules triggered by suspicious activities such as failed login attempts, role violations (e.g., granting privileges without proper roles), and other anomalies detected by the system.

3. **User Activity Monitoring**: This includes:

  • **Authorization Changes**: Tracking changes in user permissions like group membership or added/revoked privileges.

  • **By Application**: Specifically for email communications, tracking senders and receivers, with options to view top users based on amount or size of emails exchanged.

  • **Physical Access Events**: Monitoring unauthorized access events such as after-hours building accesses or details about individuals who have "badged in".

4. **Printing Activity**: This involves monitoring activities like printing documents outside normal business hours and suspicious document prints, which could indicate potential security risks or data leakage.

5. **Role Violations**: Detailed reporting on violations such as granting unauthorized privileges (across various platforms including Oracle databases and Windows environments), with breakdowns by department, employee type, target asset role, and summary reports for each of these categories.

6. **Top Actors/Departments/Job Titles with Suspicious Activity Rule Firings**: Identifying the most active or involved parties in suspicious activities based on rule firings.

This list is not exhaustive but provides a snapshot of how IdentityView 2.5 can be used to monitor and report potential security threats, unauthorized access attempts, and other anomalous behaviors that could compromise an organization's data integrity and confidentiality.

The document provides a list of queries related to user activity monitoring across various applications and platforms within the organization, as indicated by "IdentityView 2.5/User Activity Monitoring". These queries cover different aspects such as physical access events (e.g., building egress events), web browsing activities (including websites accessed and bandwidth usage), printing volumes, and detailed tracking of user activity based on application types like physical access systems and web interactions. The data is retrieved to provide insights into user behavior and system utilization within the organization's IT infrastructure, with a note of confidentiality indicated by "HP Confidential—subject to use restriction".

The document outlines a series of queries related to user activity monitoring in the IdentityView 2.5 system, focusing on various aspects such as application and server access, login events, failed logins, successful logins, and more, all broken down by department, employee type, and role. Additionally, there are queries for investigating specific actors' activities, including detailed views of their actions, printing activity, and attribution by IP address. This data is intended to provide insights into user behavior and performance within the organization, with a particular focus on security and compliance aspects.

The provided query options are part of a system called Query Viewer IdentityView 2.5, which is used to manage and monitor actors (users or devices) in an IT environment. This tool helps identify associations between IP addresses, actor identities, roles, applications, and other relevant information for security purposes. Here's a summary of the queries:

1. **Actor Attribution by IP Address**:

  • All Events for Actors Associated by Source IP Only

  • All Events for Actors Associated by Target IP Only

  • Current IP to Actor Associations

  • Source and Destination Subnets for Actor Logins

2. **Actor Management**:

  • Actor Base Attributes

  • Actor Status Overview

  • Count of Roles by Memberships

  • Count of Roles by Type

  • Department Overview

  • Leaf Node Organizational Units

  • Number of Account IDs

  • Number of Role Assignments

  • Role Names

  • Roles by Actor

  • Top 20 Actors with Roles

  • Top 20 Roles

  • Top Applications with Activity from Rogue Account IDs

  • Top Attacker Addresses with Activity from Rogue Account IDs

  • Top Rogue Account IDs in Use

  • Top Target Addresses with Activity from Rogue Account IDs

  • Total Number of Actors

3. **Actor Threat Score**:

  • Actor Threat Score by Department

  • New Actors on Threat Score List

  • Recent Activity by Actors on the Threat Score List

  • Rule Firings for Actors on Threat Score List

  • Threat Score Rule Firings for Actors on the Threat Score List

  • Threat Score with Actor Details

  • Top Actors on Threat Score List

  • Top Threat Score Contributors by Number of Actors

  • Top Threat Score Contributors by Number of Rule Firings

  • Top Threat Score Contributors by Threat Score Contribution

4. **Privileged User Monitoring**:

  • Actors with Privileged Roles

  • Non-Admins with Privileged Roles

  • Privileged User Activity

  • Suspicious Activity by Privileged Users

  • Threat Score Rule Firings for Non-Privileged Users

  • Threat Score Rule Firings for Privileged Users

5. **Shared Accounts**:

  • Actors Logged in from Two Countries

  • Recent Logins to Known Shared Accounts

  • Top Actors Using Detected Shared Accounts

  • Top Actors by IP Using Known Shared Accounts

  • Top Actors by Name Using Known Shared Accounts

  • Top Applications with Detected Shared Accounts

  • Top Applications with Known Shared Account Logins

These queries help in monitoring, auditing, and securing the IT infrastructure by providing detailed information about user activities, roles, and potential security threats.

The provided text outlines various queries and reports available in the "IdentityView 2.5" software, which is designed to monitor user activity and detect shared accounts, suspicious activities, and more. Here's a summarized breakdown of the main sections and their functionalities:

1. **Shared Accounts**:

  • **Top Detected Shared Accounts** and **Top Known Shared Accounts in Use**: Lists high-risk shared accounts identified by IP address or other details.

  • **Top Source Addresses with Known Shared Account Logins** and **Top Target Addresses with Known Shared Account Logins**: Show the locations from which these shared logins are being accessed.

2. **Suspicious Activity**:

  • **Suspicious Activity Rule Firings**: Lists all detected rule violations associated with suspicious activities.

  • **Top Actors with Suspicious Activity Rule Firings**, **Top Departments with Suspicious Activity Rule Firings**, and **Top Job Titles with Suspicious Activity Rule Firings**: Identifies individuals, departments, or roles involved in suspicious activities.

  • **Top Suspicious Activity Rules**: Lists the specific rules triggered as part of the suspicious activity monitoring.

3. **User Activity Monitoring**:

  • **All Activity for Known Actors**: Provides a comprehensive view of user actions by known actors across various applications and devices.

  • **By Application/Physical** (badging details): Details on physical access using badges, including top actors and locations.

  • **By Application/Web** (websites accessed): Tracks website usage, including bandwidth usage and uncommon websites visited.

  • **Stale Accounts**: Monitors inactive accounts, including daily active accounts and pending stale accounts.

4. **Actor Attribution by IP Address**:

  • Provides detailed reports on which actors are associated with specific workstation or server IPs, including logins by actors with common or unique roles, country/region, department, and source zone.

5. **Actor Management**:

  • **Actor Information Detail**: Detailed view of individual actor accounts.

  • **Actor Role Changes**, **Actors Added**, and **Actors Status Disabled**: Track changes in roles, additions to the system, and disabling of actors' statuses.

These features help users in an organization to monitor user activities more effectively, detect potential security threats such as shared credentials or suspicious behavior, and manage user accounts efficiently.

The reports under the "Actor Management" and "Actor Threat Score" sections of Report IdentityView 2.5 provide detailed information about user roles, activities, and threats within an organization's network. These include:

1. **Detailed Activity for Account ID**: Shows activity related to specific accounts.

2. **Rogue Account IDs - Activity**: Details on the activities of rogue or unauthorized accounts.

3. **Rogue Account IDs - List**: Lists rogue account identifiers.

4. **Role Attestation for Actors with Specified Role**: Verifies that actors have the correct roles assigned.

5. **Role Attestation for All Actors**: Ensures all actors are correctly attributed to roles.

6. **Role Attestation for Department**: Confirms role assignments per department.

7. **Roles by Number of Assignees**: Lists roles based on how many employees are assigned to them.

8. **Top Rogue Account IDs in Use**: Identifies the most commonly used rogue accounts.

9. **Activity by Actors on Threat Score List**: Tracks activity by actors listed on the threat score list.

10. **Actor Threat Score Changes Over Time**: Monitors changes in actor threat scores over time.

11. **Actor Threat Score by Country or Region, Department, and Title**: Analyzes how threat scores vary geographically, departmentally, and by job title.

12. **Department Threat Score Over Time**: Shows the evolution of threat scores within departments.

13. **Rule Firings for Actors on Threat Score List**: Details instances where rules were triggered against actors on the threat score list.

14. **Top Actors on Threat Score List**: Lists the most significant contributors to high threat scores.

15. **Activity Summary for Privileged Actors**: Summarizes activities of privileged users.

16. **Actor Added and Removed from a Privileged Group in a Short Time**: Records when actors are added to and then removed from privileged groups within a short interval.

17. **Detected Shared Accounts**: Identifies shared accounts detected within the network.

18. **Logins to Detected Shared Accounts, Known Shared Accounts - Details and Summary**: Tracks logins related to detected and known shared accounts.

19. **Top Departments/Job Titles/Roles Using Shared Accounts**: Lists the departments, job titles, and roles most associated with shared account use.

20. **Activity from Disabled Actors**: Shows activity involving disabled actors that could indicate suspicious behavior.

21. **All Suspicious Activity for Department, Employee Type, and Role**: Summarizes suspicious activities categorized by department, employee type, and role.

22. **Suspicious Activity by Privileged Actors and Threat Score**: Analyzes suspicious activity specifically involving privileged actors and those with high threat scores.

These reports collectively help in maintaining the security and integrity of an organization's network by identifying potential unauthorized access, misuse of shared accounts, rogue actors, and other signs of compromised security practices.

The IdentityView 2.5 report also focuses on suspicious activities and user behavior that may indicate potential risks or security issues within an organization. The report is marked as confidential and subject to specific use restrictions, reflecting the sensitivity of the internal corporate information and data access monitoring it covers. The report categorizes the suspicious activities into several sections including:

  • Actor-specific suspicious activity reports (such as "Suspicious Disgruntled User Activity," "Suspicious New Hire Activity," etc.)

  • Database access incidents, including after hours usage or unauthorized deletions/updates in audit tables.

  • Email communication patterns that might indicate data leakage or inappropriate sharing with competitors.

  • Physical security breaches such as failed access events at building levels.

  • Role violations and improper privilege granting, which could signal misuse of authority within the organization.

  • User activity monitoring including changes to authorization settings and all related IdentityView cases for known actors.

Each section aims to provide detailed analysis and tracking of unusual or suspicious activities that may require further investigation or security measures to protect organizational assets and data integrity. This report is likely used by cybersecurity teams, management, and auditors within an organization to ensure compliance with corporate policies on information access and usage, as well as for risk assessment and mitigation strategies related to internal threats and potential breaches of confidentiality.

The "Report IdentityView 2.5/User Activity Monitoring" section provides a comprehensive overview of user activities across applications and platforms, including email communications, web browsing, physical access controls, printing activities, and more. Key reports include detailed analytics on top senders and receivers in emails (by both count and size), largest emails, blocked actors by account ID or IP, accessed websites, and proxy users. The section also covers failed application logins categorized by department, employee type, and role, as well as physical access system events over different time frames. This data is crucial for understanding user behavior, security measures, and compliance within an organization.

The reports and rules within the IdentityView 2.5 system focus on user activity monitoring, login events, stale accounts, user investigation, actor management, privileged user monitoring, shared accounts, suspicious activity, and more. Key components include:

1. **Reports**:

  • **Failed Server Logins**: For departments, employee types, roles; hourly login averages for users vs. roles; successful application and server logins for departments, employee types, and roles.

  • **Stale Accounts**: Overall stale accounts report.

  • **User Investigation**: Detailed activity logs for specific actors, including all activities and printing activities.

2. **Rules**:

  • **Actor Attribution by IP Address**: Rules related to actor attribution based on login locations (Windows machines, non-Windows single-user machines, Windows servers, non-Windows servers).

  • **Actor Management**: Updates and deletions of actors due to interactive sessions, changes in threat scores, addition/removal from new hire lists.

  • **Actor Threat Score**: Adjustments based on the score's level (malicious or reduced), addition to or increase in the threat list.

  • **BookKeeping**: New actor additions and authenticators population.

  • **Privileged User Monitoring**: Management of privileged groups, including additions and removals.

  • **Shared Accounts**: Detection of shared accounts and record keeping of account IDs in use.

  • **Suspicious Activity**: Rules covering various suspicious activities such as brute force login attempts, lockouts, disabled actor activity, local admin creation, and risky user behaviors after hours.

These reports and rules are designed to help in monitoring and managing user identities, detecting potential security threats, and ensuring compliance with organizational policies.

The rules and templates under the "IdentityView 2.5" category are focused on monitoring suspicious activities and user behavior for security purposes. They cover a wide range of scenarios including information leakage, network anomalies, physical access issues, policy violations, role violations, and more. Examples include detecting excessive printing after hours, unauthorized use of company information systems, and access to hacker tool websites. Specific rules cover privileged users' actions, such as adding or removing actors from the badged-in list, and the monitoring of proxy activity. These rules are designed to help identify potential security breaches, protect sensitive data, and ensure compliance with corporate policies.

The document is marked as HP Confidential and subject to use restrictions, indicating that access should be limited to authorized personnel in order to maintain the confidentiality and integrity of the information it contains.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and they will be responded to.
