CSP Monitoring Edition Active Directory Change Monitoring

Created: 19 Apr 2013 • Updated: 19 Apr 2013 | 6 comments
Justin Starr's picture

I am needing to know if CSP Monitoring Edition will provide Active Directory Change monitoring like the full version of CSP does. I have a customer who does not need the full version if this is available through the Monitoring Edition. I have dug through all of the resources I can find but have not found this feature specifically listed in the monitoring edition of CSP. Can anyone assist? Thanks.

Will V's picture

Justin,

Monitoring Edition is the HIDS only version of CSP.  Can you be a little more specific as to what you are trying to monitor in AD?  You should be fine, but a fuller description of what you're trying to do will help get the exact answer you're looking for.

And there's nothing to prevent you from crafting the exact policy you need starting from the Windows Template Policy.

Cheers!

Please mark posts as the solution if they solve your problem!

Justin Starr's picture

Thanks for the reply Will. I am looking for duplicate functionality of the Detection policies in the full version. Specifically, monitoring for user and group changes within AD. Thanks again. Justin

Will V's picture

Gotcha.  So those are mostly monitoring log events.  I don't think that's available in the monitoring edition as that's (from my understanding) used only for configuration monitoring.

Someone fact check me here...

Chuck?

Chris?

Chuck Edson's picture

As long as the event in question appears in one of the NT Event logs, you can get this event into CSP using detection.  Sometimes it is necessary to turn up the volume on the Windows logging to get what you are looking for (like the user names who touched a file, which you can get by enabling full object auditing).

The Windows Baseline Detection Policy comes with the Monitoring Edition of CSP, and that will get you the ability to get all the AD events that you should need.  AD logs most changes by default, and CSP can pick these up.  

Take a look at the Baseline Detection policy, the options are too numerous to list here.  

If a post helps you, please mark it as the solution to your issue.
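
The answer above depends on the user and group changes actually being written to the Windows event logs on the domain controller. The following is an added example, not part of the thread or of CSP: a PowerShell check that the relevant audit subcategories are enabled and that the events are present in the Security log. The event IDs are the standard Windows Server 2008 and later Security log IDs and the 24-hour window is an arbitrary choice; neither comes from the thread. Run it in an elevated session on a domain controller.

```powershell
# Added example: confirm that AD user/group changes reach the Security log,
# so a log-based detection policy has something to collect.
# Assumption: Windows Server 2008 or later event IDs (not taken from the thread).
$changeEvents = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4738 = 'User account changed'
    4728 = 'Member added to global security group'
    4729 = 'Member removed from global security group'
    4732 = 'Member added to local security group'
    4733 = 'Member removed from local security group'
    4756 = 'Member added to universal security group'
    4757 = 'Member removed from universal security group'
}

# 1. Show the audit settings that produce these events.
#    "No Auditing" here means the events are never written.
foreach ($sub in 'User Account Management', 'Security Group Management') {
    auditpol /get "/subcategory:$sub"
}

# 2. Pull matching events from the last 24 hours (window is an arbitrary choice).
$filter = @{
    LogName   = 'Security'
    Id        = [int[]]$changeEvents.Keys
    StartTime = (Get-Date).AddDays(-1)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No user or group change events found; check the audit policy above.'
}
else {
    # 3. Summarise by event ID so gaps in coverage are easy to spot.
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object Count,
            @{ Name = 'EventId'; Expression = { $_.Name } },
            @{ Name = 'Change';  Expression = { $changeEvents[[int]$_.Name] } } |
        Format-Table -AutoSize
}
```

Making a test change to a scratch account or group before running the query gives a known event to look for.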

MFox70's picture

Be wary, the license for Monitoring edition very carefully stipulates exactly which IDS components can be used.

I am not sure if CSP monitoring edition is going to be in the price book for much longer, best to talk to the customer about Server/workstation editions to guarantee success.

muydess's picture

The monitoring edition provides full IDS functionality, what you do not get is IPS functionality.  You will not be able to turn on prevention policies.  But we have monitoring only on our domain controllers and it captures the events as per the policy I have applied.