Computer Accounts Without Process Event

• Purpose: Identify anomalous activity by detecting computer account authentications without process creation activity for over 3 hours. 

• Check the Report: Review the computer accounts that match the criteria, and the amount of time that no processes were created.

• Why Important: Endpoints that authenticate but do not produce process creation events represent a critical blind spot for the SOC. Attackers can deliberately suppress telemetry to operate on these systems without detection.

Quick Guide:

• Review “Computer Accounts Without Process Event” Report

• Determine if the identified accounts are legitimate edge cases or further investigation is required.

Detailed Guide:

Overview

This use case focuses on identifying computer accounts that have authenticated to the environment but have not generated any corresponding process creation events for an extended period (over 3 hours).

Under normal operating conditions, authentication on an endpoint—whether interactive, service-based, or machine-level—is almost always followed by process execution activity (e.g., system services, scheduled tasks, user processes, or background agents).

This detection highlights endpoints where the SOC’s execution visibility may be degraded or completely absent.

The Risk Factor

The report is based on correlating authentication events with the absence of process creation events over a defined time window. The primary risks include:

• Loss of execution visibility

• Silent lateral movement

• Undetected persistence mechanisms

1. Attacker Strategy (External Threat)

Sophisticated adversaries prioritize telemetry evasion as part of post-exploitation and persistence phases (MITRE ATT&CK: Defense Evasion – T1562).

The Exploit

Once an attacker gains access to a system, they may:

• Disable or tamper with endpoint logging providers

• Kill or suspend EDR/AV sensors

The result is a system that continues to authenticate and communicate, but produces little to no execution telemetry.

2. Logging Gaps & Misconfiguration (Internal Risk) 

A significant portion of findings may stem from operational or configuration issues:

• Endpoint logging policies misapplied or partially deployed

• EDR agents installed but not actively reporting
  
  

Objectives

Reduce SOC Blind Spots:
Eliminate “quiet endpoints” that authenticate but provide no actionable telemetry for detection or investigation.

Actions

Generate Report With ESM

Follow the path to generate a "Computer Accounts Without Process Event” report for your Entities:
/All Reports/Mobula/Products/Microsoft/Microsoft Windows@Microsoft/Computer Accounts Without Process Event Over 3 Hours

How to generate a Report - Mobula - Generate Reports

Please review your entity’s “Computer Accounts Without Process Event” report and inform your SOC Team or Platform Manager which accounts require further investigation.

Recommendations

Investigate Systems
Endpoints that appear in this report should be treated as high-priority visibility gaps.

Verify Logging Configurations:
Make sure Process creation auditing is enabled.

Monitoring Best Practices with SIEM (ArcSight)

Continuous Review: Periodically review systems flagged by this report.

Conclusion

Computer accounts that authenticate without generating process creation events represent a high-risk visibility gap. Whether caused by attacker evasion or internal misconfiguration, the outcome is the same: the SOC loses the ability to detect execution-level activity on those systems.

By leveraging this detection use case, organizations can proactively identify silent endpoints, restore telemetry coverage, and prevent adversaries from operating undetected within the environment.

Windows Defender Exclusions

• Purpose: Define which exclusions from Windows Defender are approved.

• Check the Report: Check which artifacts are excluded (not scanned by Windows Defender) and make your organization vulnerable.

• Whitelist or block: Validate the necessity of the exclusion or remove it from the Windows Defender policy.

• Why Important: Attackers actively search for exclusion lists to hide malware, tools, and communication. If an artifact is excluded, Cyray’s SIEM cannot rely on the AV logs for that location, creating a blind spot.

Quick Guide:

• Review “Defender Exclusions” Report

• Validate if the exclusion is necessary or a security risk.

Detailed Guide:

Overview

The purpose of this guide is to present an explanation of the rule "Windows Defender Exclusions Added (rule:107)". This rule identifies and aggregates all exclusions performed on Windows Defender (per host).

Types of Windows Defender exclusions are:

• Paths - Specific files or entire directories (including subfolders)

• Processes - Files opened or created by a specific process/executable.

• Extensions - All files of a certain type (e.g., .exe, .vbs, .msi, .js) in any location.

• IP Addresses - network addresses communication

If excluded, Windows Defender is instructed to ignore these items during scans.

The Risk Factor

Our report is based on the detection of these exclusion options. The primary dangers are: 

1. Sophisticated attackers are aware that organizations configure AV exclusions.

2. “Blind spots” for unauthorized user activity.

1. The Attacker’s Strategy (External Threat)

Sophisticated attackers prioritize Exclusion Enumeration as a core component of Defense Evasion (MITRE ATT&CK T1562.001). Once an attacker gains initial access, their goal is to remain undetected for as long as possible.

• The Exploit: Attackers query the registry to find where the "shields are down." Once identified, they place their second-stage payloads, lateral movement tools, or Command & Control (C2) scripts in these excluded locations.

• The Benefit: By matching their activity to your exclusions, they can operate with administrative-level stealth, ensuring their tools are never scanned by the Real-Time Protection engine.

2. The Human Element & Shadow IT (Internal Risk)

A major risk stems from users/IT-staff who use exclusions to bypass organizational security policies.

• Unmonitored Downloads: Users often download unvetted "helper" tools, cracked software, or scripts into folders they know are excluded (like a project-specific C:\Dev or C:\Temp folder) specifically to prevent the Antivirus from "interfering."

• Bypassing Policy: By moving a blocked file into an excluded path, a user can execute potentially malicious code that the organization has already deemed high-risk, effectively neutralizing the entire security stack for that specific file.

• The Result: This creates "Safe Passages" where malware can be introduced into the network via legitimate user actions.

Operational Context

It’s important to examine the report findings. You will often see that the quantity of exclusions on a specific station is identical across the entire organization.

This strongly indicates:

• Centralized GPO-based exclusions

• Vendor-recommended exclusions applied broadly

• Lack of periodic exclusion review

 It must be determined whether the artifacts pose a risk and needs to be removed from the exclusion list, or if it is a legitimate business requirement.

Objectives:

Establishing a high-level overview of the organization’s current baseline exclusions provides critical insight into its current security posture. Through systematic review and remediation, we achieve the following:

• Elimination of Adversary Evasion Opportunities: Identify and close "non-inspected scopes" within the file system and network to prevent adversaries from utilizing these gaps to stage malicious payloads or perform lateral movement without detection.

• Enforcement of Scanning Coverage: Identify and prohibit unauthorized "blind spots" created by users or IT staff to ensure the antivirus scanning scope remains comprehensive and that no artifacts bypass real-time monitoring.

• Enforce Governance and Compliance: Ensure all exceptions to the security policy are formally documented and audited to meet mandatory data protection regulations and internal security frameworks.
  
  

• Reduce False-Positives: Filter out verified, low-risk administrative exclusions from the alert queue to focus SOC resources on novel or high-risk unauthorized exclusions.

Actions:

Generate Report With ESM

Follow the path to generate a "Defender Exclusions” report for your Entities:

/All Reports/Mobula/Products/Microsoft/Windows Defender Antivirus@Microsoft/Defender Exclusions/Defender Exclusions

How to generate a Report - Mobula - Generate Reports

Please review your entity’s report and inform your SOC Team or Platform Manager which exclusions are approved and can be excluded from SIEM alerting, and which should be removed from the Windows Defender exclusion list.

Recommendations:

• Address Global Policy Vulnerabilities: If you identify identical exclusions across the organization (e.g., C:\Temp is excluded on all hosts), this indicates a high-risk Group Policy (GPO) configuration. Contact the client with a clear risk assessment:
  "Our analysis has identified that C:\Temp is excluded from antivirus scanning globally. This creates a non-inspected scope that adversaries can leverage to stage malware or lateral movement tools without detection. We recommend restricting this exclusion to specific sub-folders or removing it entirely."
  
  

• Minimize the Attack Surface: Adopt a "Least Privilege" approach to exclusions. Only exclude artifacts if they are strictly required for a critical application to function.

  • Prohibited: Never allow broad directory exclusions such as C:\Users\, C:\Windows\, or C:\Windows\System32.

  • Preferred: If a database requires an exclusion, exclude the specific Process (e.g., sqlservr.exe) or the specific data folder, rather than the entire drive.

• Eliminate "Safe Zones": Be vigilant of common user-created paths like C:\Downloads or C:\Public. These exclusions effectively create trusted zones within the endpoint where malicious files, scripts, or Command & Control (C2) communications can operate with absolute stealth.
  
  

• Review Vendor Requirements: Software vendors often provide "lazy" exclusion lists to simplify troubleshooting. Challenge these requirements and verify if the exclusion is for a legitimate performance conflict or simply to avoid a standard security scan.

Risks:

1. File System Blind Spots (Path & Extension Exclusions):

• The "Safe Haven" Effect (Path Exclusions): Excluding specific directories (e.g., C:\Temp or C:\Users\Public)
  Risk: creates a verified safe zone for attackers. Malware dropped in these locations will not trigger an alert, even if the file signature is known to the antivirus engine. This allows for the undetected staging of malware or lateral movement tools.

• Payload Obfuscation (Extension Exclusions): Broad extension exclusions (e.g., .log, .txt, or .db)
  Risk: allows attackers to bypass scanning by simply renaming malicious executables or scripts to match the whitelisted extension. The Windows Defender ignores the file content entirely, allowing malicious code to reside on the disk undetected, and it can be executed by adversaries through different techniques.

2. Behavioral Evasion (Process Exclusions):

• Process Masquerading & Injection: Excluding a process (e.g., backup_agent.exe) instructs Windows Defender to ignore file operations performed by that executable.

• Risk: Attackers may rename their malware to match the excluded process name. This grants the attacker a "trusted actor" status, allowing them to install payloads or wipe logs without behavioral monitoring intervention.

3. Network Security Gaps (IP Address Exclusions):

• Unmonitored C2 Communication: IP exclusions apply to the Network Protection layer. By excluding an IP address, the organization permits traffic to flow to that destination without inspection.

• Risk: If an excluded IP is compromised or belongs to an attacker, it can be used for Command & Control (C2) communication, data exfiltration, or the delivery of exploits.

Monitoring Best Practices with SIEM (ArcSight):

• PoC & Onboarding Strategy (Day 1): Run this report on the very first day of a PoC or Onboarding. It provides immediate "Shock Value" by showing the client exactly where their Anti-Virus is blind. Use this opportunity to set up the Report Generator for them, ensuring they receive a weekly automated summary of these blind spots.
  
  

• Handle Identical Exclusions (GPO): If you see the same exclusions across all workstations (e.g., via Group Policy), notify the entity and then exclude these specific paths in the SIEM.

• Action: Send an assertive email explaining that you have excluded these paths from monitoring to reduce noise, but warn them of the risks.

• Goal: The client must decide: either fix the GPO to remove the risk (so we can remove the whitelist), or accept that these paths remain unmonitored.
  
  

• Transition to "Active": Once you have finished the initial cleanup, whitelisting the "Identical GPO" exclusions and resolving any specific findings, mark the rule as Active for this specific entity. Any new exclusion added after this point must be treated as a live security incident.

  • Refer to the following guide for instructions on changing the “customer” rule stage: Rule Staging - Main Guide

Global Recommendations:

• Restrict Access: Ensure that only Domain Admins have the rights to add exclusions via Group Policy.

• Educate Users: Explain to the IT team that "Exclusion" is not a "Fix" for performance issues, it is a removal of security.

• Review Vendor Documentation: When software vendors recommend exclusions, verify if they are strictly necessary or just a lazy recommendation to avoid troubleshooting.

Conclusion:

In conclusion, effective management of Windows Defender Exclusions is critical. While intended to solve compatibility issues, these settings are frequently weaponized by threat actors to evade detection. By utilizing this detection rule, organizations can visualize their security blind spots and regain visibility over unmonitored areas of the network.

Ultimately, by following these recommendations, specifically regarding the identification of these gaps during the "Onboarding" phase, organizations can systematically close off hiding spots for attackers and strengthen their overall cybersecurity resilience.

Troubleshooting:

The report is empty

• Contact your SOC team to check if the rule is active and if the endpoints are correctly forwarding Windows Defender logs to the SIEM.

• If all are monitored and no exclusions exist (rare).

• Purpose: Guarantee complete coverage of organization servers by updating them to supported versions.

• Check the List: Examine all end-of-life systems within your organization.

• Approve or Update: Identify and label "EOL" or old systems and update them.

• Why Important: These systems lack official support or security patches, leaving them vulnerable to potential security threats. 

Quick Guide:

• Examine all end-of-life systems within your organization.

• Identify and label "EOL" or old systems and update them if possible. 

Detailed Guide:

Overview

The "Windows OS Versions - End of Support" initiative aims to ensure the security and stability of organizational servers by identifying and addressing end-of-life systems. As Windows operating systems reach the end of their support lifecycle, they no longer receive security updates or official technical support from Microsoft. This leaves them vulnerable to emerging threats and compromises the overall security posture of the organization.

By conducting a thorough review of all systems within the organization, including servers running outdated Windows versions, IT administrators can identify and mark these end-of-life systems. This process involves verifying the status of each server and determining whether it is still supported by Microsoft or has reached its end of support date.

Once identified, these end-of-life systems can be prioritized for updates or replacements to ensure that the organization's infrastructure remains secure and compliant with industry standards. Failure to address end-of-life systems may expose the organization to security risks, compliance issues, and operational disruptions.

Objectives

• Identification: Identify all servers within the organization that are running end-of-life Windows operating systems.

• Assessment: Assess the current status and usage of each identified server to determine its criticality and impact on organizational operations.

• Compliance: Ensure compliance with industry regulations and standards that require the use of supported and secure operating systems.

• Continuous Improvement: Continuously monitor and update the end-of-life systems management process to adapt to changing technology landscapes and emerging security threats.

Actions

Windows OS Versions - End of Support

ESM

Follow the path to generate a report for your Entities that are configured in your environment.

/All Reports/Mobula/Compliance/AD Computers/Windows OS Versions - End of Support

Please review your entity's report and send it to him so that he can update all the EOL’S servers.

How to generate a Report - Mobula - Generate Reports

Mobula App

Generate a report of Privileged Groups using the Mobula Application and inform your SOC Team / Platform Manager if all of your sensitive groups are listed in the report.

If the information listed in the Report is correct, please press Update Task to “Complete” stage.

To access the report, follow the steps:

1. Go to the Options menu

2. Check List

3. Windows OS Versions - End of Support

4. Related Report

5. Generate a report (the report will be sent to your email)

To Update the task:

1. Go to the Options menu

2. Check List

3. Windows OS Versions - End of Support 

4. Task Update

5. Choose the status and click save.

Recommendations

• Documentation: Maintain accurate records of end-of-life systems, including their version, support status, and associated risks.

• Prioritization: Prioritize the update or replacement of end-of-life systems based on factors such as criticality, risk exposure, and compliance requirements.

• Mitigation: Take proactive measures to mitigate security risks associated with end-of-life systems, such as implementing compensating controls or security patches where feasible.

• Migration: Plan and execute migration strategies to transition away from end-of-life systems to supported Windows versions or alternative platforms.

Conclusion

In conclusion, the "Windows OS Versions - End of Support" initiative is critical for maintaining the security and stability of organizational servers. By identifying and addressing end-of-life systems, organizations can mitigate potential security threats and ensure compliance with industry standards. Through thorough examination, labelling, and updating of end-of-life systems, IT administrators can safeguard sensitive data and mitigate operational disruptions.

Overall, the "Windows OS Versions - End of Support" initiative plays a crucial role in safeguarding organizational servers and mitigating potential security risks. It is essential for organizations to proactively address end-of-life systems to protect sensitive data and maintain operational continuity.

• Purpose: Review and approve all active users of the organization

• Check the List: To see all users from your AD 

• Approve or Disable: Approve active users or disable inactive users

• Why Important: Inactive users in your AD pose the organization in risks

Quick Guide:

• Review all Users list

• Disable inactive users or approve the list

Detailed Guide:

Overview

Analyzing the user roster extracted from the customer's Active Directory allows for the identification of inactive users, thereby mitigating potential security risks associated with dormant accounts. This proactive approach to user management ensures a streamlined and secure organizational environment.

Objectives

• Ensure the accuracy and completeness of user records within the Active Directory.

• Identify and address inactive user accounts to reduce security vulnerabilities.

Actions

All Users Order By Login Time

ESM

Follow the path to generate a report for your Entities that are configured in your environment.

/All Reports/Mobula/Compliance/AD Users/Compliance - All Users Order By Login Time

Please review your entity's report and send it to him so that he can check whether all the users in the report are valid.

How to generate a Report - Mobula - Generate Reports

App

Generate a report of “All Users Order By Login Time” using the Mobula Application and inform your SOC Team / Platform Manager if all of your users that listed in the report are valid and active.

If the information listed in the Report is correct, please press Update Task to “Complete” stage.

To access the report, follow the steps:

1. Go to the Options menu

2. Check List

3. All Users Order By Login Time

4. Related Report

5. Generate a report (the report will be sent to your email)

To Update the task:

1. Go to the Options menu

2. Check List

3. All Users Order By Login Time

4. Task Update

5. Choose the status and click save

6. 
   

Recommendations

Implement proactive user management practices to maintain a secure organizational environment.

Global Recommendations

• Review Login Times: Pay particular attention to user login times and patterns to spot irregularities that may indicate unauthorized access or dormant accounts.

• Implement Policies: Establish clear policies and procedures for user account management, including guidelines for disabling or removing inactive accounts after a defined period of inactivity.

• Training and Awareness: Provide training to IT administrators and staff on the importance of active user management and the potential risks associated with inactive accounts.

• Regular Reviews: Schedule regular reviews of user accounts with relevant stakeholders to ensure accountability and adherence to established policies.

• Documentation: Maintain thorough documentation of user account management processes and actions taken to address inactive accounts for audit and compliance purposes.

• Collaboration: Foster collaboration between IT, security, and HR teams to ensure comprehensive user account management, including timely removal of accounts for employees who have left the organization.

Conclusion

Effective management of user accounts in the Active Directory is crucial for maintaining a secure organizational environment. By regularly auditing user accounts, identifying inactive users, and implementing proactive user management practices, organizations can mitigate potential security risks associated with dormant accounts. It is essential to establish clear policies, provide training to staff, and collaborate between IT, security, and HR teams to ensure accountability and adherence to established procedures. Through these efforts, organizations can reduce the likelihood of unauthorized access and maintain a streamlined and secure Active Directory environment.

• Purpose: Identify potential security vulnerabilities associated with clear-text passwords.

• Check the List: Verify the existence of passwords stored in clear text within the organization's AD.

• Approve or Update: Decide whether to approve the current state of passwords in clear text or update them to a more secure form (e.g., hashed, encrypted). 

• Why Important: Identifying and addressing clear-text passwords helps prevent unauthorized access to sensitive systems and data.

Quick Guide:

• Review the report 

• Update the users to use a more secure form (e.g., hashed, encrypted) 

Detailed Guide:

Overview

• Provide an overview of the current state of passwords stored in clear text within the organization's AD.

• Highlight the potential security implications and risks associated with clear text passwords.

• Emphasize the importance of proactive measures to address this security concern.

Objectives

Actions

 Passwords in ClearText

ESM

Follow the path to generate a report for your Entities that are configured in your environment.

/All Reports/Mobula/Compliance/Passwords/Password Provided in Clear Text

Please review your entity's report and send it to him so that he can check whether all the Data in the report isn’t risky.

How to generate a Report - Mobula - Generate Reports

App

Generate a report of Passwords in ClearText using the Mobula Application and inform your SOC Team / Platform Manager if all the information is legit.

If the information listed in the Report is approved, please press Update Task to “Complete” stage.

To access the report, follow the steps:

1. Go to the Options menu

2. Check List

3. Passwords in ClearText

4. Related Report

5. Generate a report (the report will be sent to your email)

To Update the task:

1. Go to the Options menu

2. Check List

3. Passwords in ClearText

4. Task Update

5. Choose the status and click save.

Recommendations

• Implement strong password management policies and practices, including regular password rotations and enforcing complex password requirements.

• Utilize secure password storage mechanisms such as hashing or encryption to protect sensitive credentials.

• Educate employees on password security best practices, including the importance of creating strong, unique passwords and avoiding password reuse.

Risks

• Unauthorized access: Clear text passwords can be easily compromised, leading to unauthorized access to sensitive systems and data.

• Data breaches: Exploiting clear text passwords can result in data breaches, exposing confidential information and causing financial and reputational damage to the organization.

• Compliance violations: Storing passwords in clear text may violate regulatory requirements and industry standards related to data security and privacy.

Conclusion

Passwords stored in clear text pose a significant security risk to organizations, making them vulnerable to unauthorized access and data breaches.

By proactively identifying and addressing clear text passwords, organizations can strengthen their security posture, reduce the likelihood of security incidents, and safeguard sensitive information from unauthorized access.

• Purpose: Identify and address potential security vulnerabilities.

• Check the List: Verify users with compromised passwords, looking for signs of breach database matches or weak password patterns.

• Approve or Update: Review and take action, either approving if reset or updating.

• Why Important: Safeguarding against unauthorized access, ensuring the security of your organization's systems and data.

Quick Guide:

• Review the report

• Approve, reset or update by enforcing a password reset. 

Detailed Guide:

Overview

The Possible Compromised Passwords report provides insights into accounts within your organization's Active Directory that may have passwords at risk of compromise. By flagging these accounts, the report aims to prompt action to strengthen password security and mitigate potential security risks.

Objectives

• Identify compromised passwords within the organization's Active Directory.

• Promptly address compromised passwords to mitigate potential security risks.

• Enhance password security measures to prevent unauthorized access and data breaches.

• Ensure compliance with industry regulations and standards regarding password management and security.

Actions

Possible Compromised Passwords

ESM

Follow the path to generate a report for your Entities that are configured in your environment.

/All Reports/Mobula/Compliance/AD Users/Compliance - Possible Compromised Passwords

Please review your entity's report and send it to him so that he can check whether all the Data in the report isn’t risky.

How to generate a Report - Mobula - Generate Reports

App

Generate a report of Possible Compromised Passwords using the Mobula Application and inform your SOC Team / Platform Manager if all the information is legit.

If the information listed in the Report is approved, please press Update Task to “Complete” stage.

To access the report, follow the steps:

1. Go to the Options menu

2. Check List

3. Possible Compromised Passwords

4. Related Report

5. Generate a report (the report will be sent to your email)

To Update the task:

1. Go to the Options menu

2. Check List

3. Possible Compromised Passwords

4. Task Update

5. Choose the status and click save.

Recommendations

• Enforce strong password policies requiring passwords to be complex, regularly updated, and not reused across multiple accounts.

• Implement multi-factor authentication (MFA) to add an extra layer of security beyond passwords.

• Provide ongoing education and training to users on password hygiene practices to reduce the risk of compromised passwords.

Risks

• Compromised passwords can lead to unauthorized access to sensitive information, data breaches, financial loss, and damage to your organization's reputation.

• Failure to address compromised passwords promptly can result in compliance violations and regulatory penalties.

Conclusion

Addressing possible compromised passwords is essential for maintaining a robust security posture and safeguarding your organization's systems and data. By proactively identifying and mitigating compromised passwords, you can reduce the risk of unauthorized access, data breaches, and compliance violations, enhancing overall security resilience and protecting your organization's reputation.

• Purpose: Identify users who haven't changed their passwords in an extended period.

• Check the List: Ensure that all users in the list are still active and require access.

• Approve or Update: Ensure password policies are enforced.

• Why Important: Mitigate the risk of compromised accounts due to stale or weak passwords.

Quick Guide:

• Review the list of Users Didn't Changed Password For Long Time.

• Configure your AD/GPO settings.

Detailed Guide:

Overview

This report highlights users in your organization who have not updated their passwords within a specified timeframe. Regularly changing passwords is a fundamental security measure to protect against unauthorized access and potential breaches.

Actions

Report

ESM

Follow the path to generate a report for your Entities that are configured in your environment.

/All Reports/Mobula/Compliance/AD Users/Compliance - Users Didnt Changed Password For Long Time

1. Right-click on the report from the “Navigator” tab.

2. Run -> Report

3. Select a customer and click ok.

4. If you wish to download the report, you will need to change the format to “PDF” and “Email Format” to “Attach Report”.

Please review your entity's report and send it to him so that he can be acknowledged with the information provided.

How to generate a Report - Mobula - Generate Reports

App

Generate a report of Users Didn't Change Passwords for a Long Time using the Mobula Application.

If the information listed in the Report is correct, please press Update Task to “Complete” stage.

To access the report, follow the steps:

1. Go to the Options menu

2. Check List

3. Users Didn't Change Passwords for a Long Time

4. Related Report

5. Generate a report (the report will be sent to your email)

Later you can generate this report once in 24 Hours by navigating to:

1. Options menu

2. Reports

3. Compliance - Users Didn't Changed Password For Long Time

4. Generate Report (the report will be sent to your email)

To Update the task:

1. Go to the Options menu

2. Check List

3. Users Didn't Change Passwords for a Long Time

4. Task Update

5. Choose the status and click save.

Recommendations

• Regular Audits: Schedule regular audits to identify users who need to update their passwords.

• User Education: Educate users about the importance of changing passwords and how to create strong, secure passwords.

• Enforcement: Implement and enforce policies that require periodic password changes.

• Automation: Use automated tools to remind users to change their passwords before they expire.

Risks

• Account Compromise: Stale passwords increase the risk of account compromise through brute force or credential stuffing attacks.

• Data Breach: Compromised accounts can lead to unauthorized access to sensitive data and systems.

• Regulatory Non-compliance: Failing to enforce password change policies can result in non-compliance with security regulations and standards.

• Reputational Damage: Security breaches due to weak passwords can damage the organization's reputation and trustworthiness.

Monitoring Best Practices with SIEM (ArcSight)

• Regular Reviews: Conduct regular reviews of the password policies and the adherence to these policies.

• User Support: Provide support and resources to help users change their passwords and understand the importance of this practice.

Conclusion

Ensuring that users regularly change their passwords is a critical aspect of maintaining a secure IT environment. By following the recommendations and best practices outlined in this guide, you can significantly reduce the risk of security incidents related to outdated passwords. Regular monitoring and user education are key components in upholding strong security standards and protecting your organization from potential threats.

• Purpose: Identify users who have not logged in during the past year.

• Check the List: Cross-check with current employee status (terminations, leaves).

• Approve or Update: Remove/disable accounts that are confirmed to be inactive.

• Why Important: Prevent unauthorized access by eliminating unused accounts.

Quick Guide:

• Review the list of Inactive Users

• Configure your AD settings.

Detailed Guide:

Overview

The report provides a comprehensive list of users who have not logged into the AD within the past year. This overview helps organizations identify accounts that may no longer be necessary, potentially reducing security risks associated with dormant accounts.

Actions

Report

ESM

Follow the path to generate a report for your Entities that are configured in your environment.

/All Reports/Mobula/Compliance/AD Users/Compliance - Users that have not Logged in

1. Right-click on the report from the “Navigator” tab.

2. Run -> Report

3. Select a customer and click ok.

4. If you wish to download the report, you will need to change the format to “PDF” and “Email Format” to “Attach Report”.

Please review your entity's report and send it to him so that he can be acknowledged with the information provided.

How to generate a Report - Mobula - Generate Reports

App

Generate a report of ”Users that have not Logged in Last Year” using the Mobula Application.

If the information listed in the Report is correct, please press Update Task to “Complete” stage.

To access the report, follow the steps:

1. Go to the Options menu

2. Check List

3. ”Users that have not Logged in Last Year”

4. Related Report

5. Generate a report (the report will be sent to your email)

Later you can generate this report once in 24 Hours by navigating to:

1. Options menu

2. Reports

3. Compliance - Users that have not Logged in Last Year

4. Generate Report (the report will be sent to your email)

To Update the task:

1. Go to the Options menu

2. Check List

3. Users that have not Logged in Last Year

4. Task Update

5. Choose the status and click save.

Recommendations

• Regularly review the report to keep the AD clean and secure.

• Coordinate with HR and department heads to verify user status.

• Implement a policy for the timely deactivation of inactive accounts.

• Educate users on the importance of account activity and security practices.

Risks

• Dormant accounts pose a security risk as they can be exploited by malicious actors.

• Unmanaged inactive accounts may lead to compliance issues.

• Potential data breaches due to unused accounts being overlooked during security audits.

• Increased administrative burden from managing a cluttered AD.

Monitoring Best Practices with SIEM (ArcSight)

• Schedule regular reviews (e.g., quarterly) of inactive user reports.

• Integrate automated tools to flag inactive accounts.

• Implement multi-factor authentication (MFA) for an added layer of security.

• Maintain clear documentation of actions taken on inactive accounts.

Conclusion

Regularly generating and reviewing reports of users who have not logged in during the past year is a crucial step in maintaining a secure and efficient AD environment. By identifying and managing inactive accounts, organizations can significantly reduce security risks, ensure compliance, and improve overall account management practices.

• Purpose: Identify users with the "Password Never Expires" (PWNE) option enabled.

• Check the List: Verify if users listed with PWNE are still need this setting.

• Approve or Update: If users have legitimate reasons for PWNE, approve the current list, Or Update AD settings to remove PWNE where unnecessary.

• Why Important: Mitigate security risks associated with non-expiring passwords.

Quick Guide:

• Review the list of users with PWNE option.

• Configure your AD settings.

Detailed Guide:

Overview

"Password Never Expires" (PWNE) is a setting in Active Directory that prevents a user's password from expiring. While this can be useful for service accounts or certain users, it poses significant security risks if overused or mismanaged. The PWNE report helps identify these accounts, providing a clear view of potential vulnerabilities.

Actions

Report

ESM

Follow the path to generate a report for your Entities that are configured in your environment.

/All Reports/Mobula/Compliance/AD Users/Compliance - Users with Password Never Expires

1. Right click on the report from “Navigator” tab.

2. Run -> Report

3. Select a customer and click ok.

4. If you wish to download the report, you will need to change the format to “PDF” and “Email Format” to “Attach Report”.

Please review your entity's report and send it to him so that he can be acknowledged with the information provided.

How to generate a Report - Mobula - Generate Reports

App

Generate a report of ”Users with Password Never Expires” using the Mobula Application.

If the information listed in the Report is correct, please press Update Task to “Complete” stage.

To access the report, follow the steps:

1. Go to the Options menu

2. Check List

3. ”Users with Password Never Expires”

4. Related Report

5. Generate a report (the report will be sent to your email)

Later you can generate this report once in 24 Hours by navigating to:

1. Options menu

2. Reports

3. Users with Password Never Expires

4. Generate Report (the report will be sent to your email)

To Update the task:

1. Go to the Options menu

2. Check List

3. Users with Password Never Expires

4. Task Update

5. Choose the status and click save.

Recommendations

• Regularly review the PWNE report to ensure it reflects the current organizational structure.

• Limit the use of PWNE to essential service accounts and critical users only.

• Implement a policy requiring strong, complex passwords for all accounts, including those with PWNE.

• Establish a process for the periodic review and approval of PWNE settings.

Risks

• Security Breaches: Non-expiring passwords are more susceptible to being compromised, as they are not routinely updated.

• Compliance Issues: Failure to adhere to password policies can result in non-compliance with industry standards and regulations.

• Internal Threats: Compromised internal accounts with PWNE can be used to escalate privileges or access sensitive data.

Monitoring Best Practices with SIEM (ArcSight)

• PWNE rules: There are alerts that will notify when new accounts are granted PWNE status.

• Regular Audits: Conduct regular audits of the PWNE report to ensure continuous compliance and security.

• Role-Based Analysis: Analyze the roles and responsibilities of users with PWNE to confirm if non-expiring passwords are warranted.

• Access Control Checks: Regularly verify access permissions for PWNE accounts to ensure they are appropriate and limited to necessary resources.

• User Training and Awareness: Educate users about the risks associated with PWNE and encourage adherence to best password practices.

Conclusion

The PWNE report is a vital tool for maintaining the security and integrity of your Active Directory environment. By regularly reviewing and managing accounts with the PWNE setting, you can reduce the risk of unauthorized access and ensure compliance with security policies. Adopting the outlined best practices and recommendations will help safeguard your organization against potential threats and vulnerabilities associated with non-expiring passwords.