How to trigger an automated action with LepideAuditor

Are you the one responsible for securing your IT infrastructure? If you are, then you know better than anyone that ignoring critical changes in your network could cost your organization millions!

Alert mechanisms for all security significant changes help admins to stay aware of all activities taking place that could negatively affect the network environment. It enables your IT team to perform automated actions to counter critical modifications. The real-time alerts generated by LepideAuditor are an example of this kind of functionality.

With LepideAuditor integrated with your Windows Server, addressing modifications of any kind will be a lot easier. Alerts can be generated based on a single event, pre-defined criteria (such as time and date) or threshold based criteria. Let’s explore this in a bit more detail.

Alerts in LepideAuditor

Using our solution you can select the events for which you want to explicitly create alerts, instead of being notified of every change. The admins, or selected recipients, can view or receive these alerts as email notifications, LiveFeed updates and as push-notifications on our mobile-based application.

Executing a Script with LepideAuditor

Whenever a selected change is detected, LepideAuditor allows you to execute any customized scripts from the following types:

  • VB Script
  • PowerShell Script
  • Batch File

1. Create an Alert Profile Account

2. Create Alert and select the script

Step 1: Create an Alert Profile Account in LepideAuditor

If you want to execute a script with the credentials of a specific user, you have to create an Alert Profile Account in LepideAuditor. The script can also be executed with “System” default account, depending on whether it has sufficient rights to execute and perform the actions detailed in it. The following steps will enable you to create an “Alert Profile Account”:

1. Go to “Settings” tab → “Message Delivery Settings”.

2. Click “Add” icon in the right pane.

3. Select “Add Alert Profile” from the options to access “Add New Profile” window.

Figure : Enter details in “Add Account” window

4. Enter the following details:

  • Account Name: Login credentials will be saved with this name.
  • User Name: This is the name of a domain user, which will be in the given format: Domain\Username.
  • Password: This is the password of the user.

NOTE: We recommend that the user provided here must hold sufficient rights to run the script. The action mentioned in the script won’t be displayed otherwise.

5. To add an alert profile, click “Ok”. After validating the credentials, “Alert Profile Account” will be displayed in “Message Delivery Settings” list.

NOTE: Any number of alert profile accounts can be added by following the above steps.

Step 2: Create Alert for Script Execution

Notifying the concerned authorities on the critical changes taking place in your servers and systems is vitally important. To create alerts for any modifications using LepideAuditor, simply follow the below steps:

Navigate to “Alerts” tab → “Auditing Alerts” tab.

1. Click “Add” icon under “Alert Report Settings” at the bottom of left panel.

2. In “Create Alert” window, select the operation(s) for which you want to create an alert. You can browse through all components and categories.

NOTE: Multiple reports can be selected for different server components.

3. Click “Next” to access “Set Filter” page of “Create Alert” wizard.

Configuring audit file system audit
Figure : Filters for the selected operation(s)

4. Select a report to access the filter and threshold options. For example, we have selected “User status Modifications”.

Now, whenever the status of a user is changed, the script would be executed to disable the specific user account.

NOTE: In such cases, you can execute a script to disable a user account with administrative privileges trying to change the status of other user accounts.

Here, you can do the following.

  • On the top part of the right panel, you can apply relevant filters that specify the exact condition of the selected operation. With more than 300 events to monitor, you can select any event and add a filter on it. This can be done to track the actions performed on specific files, folders, or objects by a user account.
  • The “Threshold alert” option on the bottom part of the right panel is disabled by default, so you have to check it to enable. This triggers an alert whenever the set threshold limit is reached for the selected event.

5. Click “Next” to proceed. You will be taken to the “Alert Settings” page.

Configuring audit file system audit
Figure : “Alert Report” window with Alert action displayed

6. For selecting a delivery method to send alert or to execute script, click “Add” button.

Configuring audit file system audit
Figure : “Add Alert Action” window with details for script execution

7. In “Add Alert Action” window, use drop-down menu to select “Execute Script”.

8. Now select the “File Path” of the script you wish to execute.

Here, we have used a script created by our developers which will disable a specific user whenever an event occurs. You will have to create a script file on your own. In our case, “testuser11” will be disabled whenever a user in the default “Users” container is disabled, enabled, locked out, or unlocked.

NOTE:
  • LepideAuditor does not guarantee the results of a user-created script.
  • The script should be selected from the local computer where LepideAuditor is installed.
  • Interactive scripts are not supported. LepideAuditor may not display a dialog box or wait to receive a user input.
  • Scripts should be created and run using a Windows Service, otherwise the required action might not be performed during script execution.

9. Click “OK” and it takes you back to the same “Alert Settings” page displaying a list of alert actions.

10. Select “Alert Type” from the drop-down menu at the bottom. You will find the following options:

  • Critical Error
  • Normal
  • Warning

11. Click “Next” to proceed. At the next page, you have to verify the properties of the alert.

12. Provide the name of alert in the textbox at the bottom.

13. Click “Finish”.

Consider a scenario where this alert will be executed whenever the status of one or more users will be changed to enable, disable, lockout or unlock. For example, testuser11 is disabled in our case.

The script will run, and the following notification will appear in LepideAuditor.

Configuring audit file system audit
Figure : Notification for script execution

The following screenshot shows you a disabled user account when the status of several user accounts were modified.

Configuring audit file system audit

Such alerts help to keep malicious activities at bay and enhance the safety of your network resources.

Adopting a proactive approach with LepideAuditor

Using LepideAuditor correctly will help you keep track of all changes being made in your network environment. The real-time alerts in our comprehensive Active Directory auditing solution contain granular event details to enable you to get the jump on potentially damaging changes.

Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.