KBI 312007 Missing Alerts For Compliance Penetration Testing Events
Version
Argent for Compliance — All Versions
Date
Thursday, 11 August 2022
Summary
This is about Argent for Compliance monitoring on Windows Security Events
A customer was preparing security penetration testing and found the number of Argent alerts appeared ‘way smaller’ than the number of simulated events
Technical Background
Argent for Compliance enables customer to instantly alert on Windows Security events, such as:
— Active Directory Account Creation
— Failed Logon
— Domain Policy Change
— Active Directory Group Change
Argent supports customer to optionally configure alerting behavior, such as:
— Fire Individual Events
— Combine Events With Latest Description
— Combine Events With Full Description
The above options are configurable at Supervising Engine Level and Rule Level.
Event Format setting at Supervising Engine Level applies to All Rules that set to {Use System Default}.
Customer can optionally assign different Event Format setting for specific rule, without changing behavior globally.
Example of Event Format Setting at Supervising Engine Level
Example of Event Format Setting at Rule Level
Example of Fire Individual Events
For example, customer simulated failed logon and want to check Argent Alerts.
Since Windows registers each failed logon as single event, using Fire Individual Events will gives one email alert for EACH failed logon event.
The option allows customer to more easily match number of alerts to number of detected events.
The trade-off is potential large number of alerts depending number of possible detected events.
Example of Combine Events With Latest Description
This option gives ONE email with description of the latest event only, additional events of its kind will be shown as timestamps only.
The advantage is smaller number of alerts while maintaining visibility of event timestamps.
The trade-off is lack of in-depth details for individual events.
Example of Combine Events With Full Description
This option gives ONE email showing FULL description of ALL detected events.
Therefore, the body of the email will be much larger.
The advantage is smaller number of alerts while maintaining full visibility of event context.
The trade-off is longer email body to read and it can be harder to cross check number of detected events.
Customer should also carefully review Rule option: Post Event Even If Same Event Is Still Outstanding (Unanswered).
When set to ON
Argent will always fire alert, no matter there is outstanding event of its kind or not.
When set to OFF
Argent will fire alert ONLY when there is currently NO outstanding event of its kind.
For event monitoring, the above option is typically set to ON to ensure new events are detected and alerted all time.
Example of Rule Option: Post Event Even If Same Event Is Still Outstanding (Unanswered)
Example of Post Event Even If Same Event Is Still Outstanding (Unanswered) is set to OFF.
When Argent detected new events while there is an outstanding event of its kind on Argent Console, Alert is NOT fired and Trace Log will show message like below.
In a case study, customer assigned Event Format Setting as ‘Combine Events With Latest Description’ at Supervising Engine Level.
At the same time, Rule’s Event Format Setting was assigned as {Use System Default}.
Argent was designed to fire ONE alert combining multiple events according to the above settings.
Thus, the number of email alerts appeared to customer “way smaller” than the number of simulated events.
Resolution
Customer to review the above settings, understand pros and cons, and then decide optimal configuration.
It is critical to estimate the number of possible events and alerts before action.
If unsure, contact Argent support anytime.