Introduction
Most of Field Effect MDR's analytics are enabled by default; however, some analytics that have the potential to create "noise" (a high volume of benign alerts) are not enabled by default. These analytics can be enabled by contacting support@fieldeffect.com. This article describes the additional analytics available to clients who would like to use them. Please note that some of these analytics require you to provide information (account names, hostnames, regions, group names, etc.), so include the required details when making your request.
ARO-Based Additional Analytics
The following sections describe our optional analytics that can produce an ARO, when enabled.
Options for the "Observed Devices Without Field Effect MDR Endpoint Agents" ARO
- By default, Field Effect MDR's reporting for devices without our endpoint agent is based on Windows Event Log data. In environments where a network sensor is deployed, we can additionally report on hosts based on hostnames observed in network traffic.
- Alternatively, we can report hostnames observed without agents as soon as they are seen, instead of in the current monthly rollup. This can create noise, particularly in large environments or where staff connect personal devices to corporate networks.
ARO on all Internal Remote Desktop Protocol (RDP) Connections
- Creates an ARO for all observed internal-to-internal RDP connections. This is recommended for clients that do not use RDP internally.
- Configurable to exclude a variety of combinations, such as a particular user, or a particular user connecting via RDP to a given host, identified by hostname or internal IP address.
- When making your support request, please provide any exclusions you would like to include.
ARO on Membership Changes to Global Security Groups
- Creates an ARO for every membership change to the global security groups you specify.
- When making your support request, please provide a list of global security groups that you would like to include for this analytic.
ARO on all Account Upgrades to Administrator
- Creates an ARO every time any user account is upgraded to admin, based on the target SID values (the SID of the admin group the account is added to, rather than the group's display name). This includes newly created accounts being added to admin groups.
- This configuration can also be augmented with specific group names that can be considered admins.
- When making your support request, please provide the group names you would like to include for this analytic.
ARO on Active Directory (AD) related Windows Event Logs
- The following events can be configured to produce AROs:
- WEL 4741: A computer account was created
- WEL 4743: A computer account was deleted
- WEL 4720: A user account was created
- WEL 4728: A member was added to a security-enabled global group
- WEL 4738: A user account was changed
- WEL 4722: A user account was enabled
- WEL 4740: A user account was locked out
- WEL 4725: A user account was disabled
- Each one can be enabled individually as required.
- When making your support request, please specify which event IDs you would like to receive AROs for.
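Before requesting the "Account Upgrades to Administrator" or "AD related Windows Event Logs" analytics above, it helps to know how many of these events your domain actually produces and which groups they touch. The following PowerShell is an added example, not Field Effect's code or tooling: it counts the event IDs listed in this article on a domain controller's Security log over the last 7 days, and for WEL 4728 shows the target group and whether its SID is a well-known administrator group. The 7-day window, the admin-SID test (BUILTIN\Administrators, Domain Admins RID 512, Enterprise Admins RID 519), and the `Test-AdminGroupSid` function name are this example's own assumptions; Field Effect's actual SID list for the admin-upgrade analytic is not documented on this page.

```powershell
# Added example (not Field Effect's code). Run in an elevated PowerShell
# session on a domain controller, or add -ComputerName to Get-WinEvent.
# Assumption: a 7-day window is representative of normal activity.

$eventIds = @{
    4741 = 'A computer account was created'
    4743 = 'A computer account was deleted'
    4720 = 'A user account was created'
    4728 = 'A member was added to a security-enabled global group'
    4738 = 'A user account was changed'
    4722 = 'A user account was enabled'
    4740 = 'A user account was locked out'
    4725 = 'A user account was disabled'
}
$days  = 7
$since = (Get-Date).AddDays(-$days)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$eventIds.Keys
    StartTime = $since
} -ErrorAction SilentlyContinue

# Volume per event ID: a rough proxy for how many AROs each one would generate
# if enabled individually.
$events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Id          = [int]$_.Name
        Description = $eventIds[[int]$_.Name]
        Count       = $_.Count
        PerDay      = [math]::Round($_.Count / $days, 1)
    }
} | Format-Table -AutoSize

# Assumed admin-group test by SID (hypothetical helper, not Field Effect's list):
# BUILTIN\Administrators is S-1-5-32-544; Domain Admins and Enterprise Admins
# are the domain SID followed by RID 512 and 519 respectively.
function Test-AdminGroupSid {
    param([string]$Sid)
    return ($Sid -eq 'S-1-5-32-544') -or ($Sid -match '-(512|519)$')
}

# WEL 4728 EventData order is MemberName, MemberSid, TargetUserName (the group),
# TargetDomainName, TargetSid, SubjectUserSid, SubjectUserName, ... so
# Properties[2] is the group name, [4] its SID, [0] the member, [6] who did it.
$events | Where-Object Id -eq 4728 | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Group    = $_.Properties[2].Value
        GroupSid = [string]$_.Properties[4].Value
        IsAdmin  = Test-AdminGroupSid ([string]$_.Properties[4].Value)
        Member   = $_.Properties[0].Value
        By       = $_.Properties[6].Value
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

The first table tells you which event IDs are worth enabling individually; the second lists the global groups that actually change in your environment, which is the list to send with a "Membership Changes to Global Security Groups" request, with the IsAdmin column identifying the ones the admin-upgrade analytic would cover by SID.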
ARO on Authentication from Unauthorized Countries
- Creates an ARO any time a user successfully authenticates from an unauthorized country.
- This analytic can also be configured to auto-lock cloud accounts when observed authenticating from countries outside of this list.
- When making your support request, please provide your list of authorized countries.
ARO on the Addition of Any Azure Application
- By default, we report on applications that match a list of known malicious Azure application names. This optional reporting will ignore that list and report all new "Consent to Azure Application" events.
Lock Accounts on VPN Authentication
- Locks the account on observed VPN authentication. This can be enabled for clients who do not allow any commodity VPN use on corporate devices, including employee mobile devices used to access corporate cloud resources.