PowerShell Audit Script Managed by Continuum Portal

Requirements:
An audit script that, upon a recognized event, sends a notification carrying the relevant alert to a given email address.

The script is run through an interface using the Continuum portal (https://www.continuum.net/) for a series of customers who have Windows computers. Access to this portal will be provided.

The script will leave a text file (XML is fine) that holds local configuration data. No encrypted data on the local machine is permitted.

Audit of the Desktop & Laptop Computer Systems including:

  1. Usage of computers outside normal business hours (custom per practice timeframes)
  2. Unauthorized access attempts (as recorded in the system logs)
  3. Listing of when external hard drives are attached and if they are secure
  4. Encryption confirmation of hard drive
  5. Device relocation (stolen, etc.) through network interface monitoring
  6. Configuration change to each computer system

The script sends two types of alerts:

  • Notice – based on business logic in our service, a notice is sent if an audit result is slightly outside the boundary.
  • Warning – a concern that requires the attention of the compliance officer. These are compiled and emailed to the compliance officer weekly or daily, based on severity.

Specific rules:

User Login timeframes:

  • If a computer log shows USER login after 5pm and before 8pm weekdays, a NOTICE is generated.
  • If a computer log shows USER login after 8pm and before 7am weekdays, a WARNING is generated.

Unauthorized access attempts

  • Logs are scanned for 3 or more unauthorized access attempts within a 15-minute period. If 3 or more are detected, a NOTICE is generated.
  • If 5 or more are detected within the same 15-minute period, a WARNING is generated.

External Hard Drive

  • Attaching any external hard drive or USB storage device generates a NOTICE.
  • Attaching any external hard drive or USB storage device that is NOT encrypted generates a WARNING.

Network Interface

  • If the computer's IP address changes only in its last octet (possibly moved within the building), a NOTICE is generated.
  • If the IP address changes more substantially, or the subnet mask (SNM) or the gateway changes, a WARNING is generated.
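
The rule set above, implemented as an added PowerShell example (this is not the portal's code, nor code supplied with the requirements). It assumes a plain-text XML config with the element names shown (AuditConfig, BusinessHours, AccessAttempts, AlertEmail), a /24 network so that "last octet" is meaningful, and that weekend logons are outside the stated rules and therefore produce no alert; the function names and all sample data are constructed for illustration.

```powershell
# Added example: alert classification for the login, access-attempt and
# network-interface rules. All input below is constructed sample data.

# Constructed config: plain-text XML with no secrets, as the spec requires.
[xml]$Config = @"
<AuditConfig>
  <AlertEmail>compliance@example.invalid</AlertEmail>
  <BusinessHours Start="07:00" End="17:00" NoticeUntil="20:00" />
  <AccessAttempts WindowMinutes="15" NoticeCount="3" WarningCount="5" />
</AuditConfig>
"@

# Login timeframes: 17:00-20:00 weekdays -> Notice, 20:00-07:00 weekdays -> Warning.
function Get-LoginAlertLevel {
    param([datetime]$LogonTime)
    # Assumption: the spec only covers weekdays, so weekends are left unclassified.
    if ($LogonTime.DayOfWeek -in 'Saturday', 'Sunday') { return 'None' }
    $t           = $LogonTime.TimeOfDay
    $start       = [timespan]::Parse($Config.AuditConfig.BusinessHours.Start)        # 07:00
    $end         = [timespan]::Parse($Config.AuditConfig.BusinessHours.End)          # 17:00
    $noticeUntil = [timespan]::Parse($Config.AuditConfig.BusinessHours.NoticeUntil)  # 20:00
    if ($t -ge $end -and $t -lt $noticeUntil) { return 'Notice' }
    if ($t -ge $noticeUntil -or $t -lt $start) { return 'Warning' }
    return 'None'
}

# Access attempts: largest number of attempts falling in any 15-minute window.
# In production the timestamps would come from Security event ID 4625
# (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}).
function Get-AccessAttemptAlertLevel {
    param([datetime[]]$AttemptTimes)
    $window = [timespan]::FromMinutes([int]$Config.AuditConfig.AccessAttempts.WindowMinutes)
    $notice = [int]$Config.AuditConfig.AccessAttempts.NoticeCount
    $warn   = [int]$Config.AuditConfig.AccessAttempts.WarningCount
    $sorted = @($AttemptTimes | Sort-Object)
    $max = 0
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $windowEnd = $sorted[$i] + $window
        $count = @($sorted | Where-Object { $_ -ge $sorted[$i] -and $_ -lt $windowEnd }).Count
        if ($count -gt $max) { $max = $count }
    }
    if ($max -ge $warn)   { return 'Warning' }
    if ($max -ge $notice) { return 'Notice' }
    return 'None'
}

# Network interface: compare the configuration recorded on the previous run
# with the current one. Assumes a /24 network (last octet = host part).
function Get-NetworkChangeAlertLevel {
    param([hashtable]$Previous, [hashtable]$Current)
    if ($Previous.SubnetMask -ne $Current.SubnetMask -or
        $Previous.Gateway -ne $Current.Gateway) { return 'Warning' }
    $old = $Previous.IPAddress.Split('.')
    $new = $Current.IPAddress.Split('.')
    if (($old[0..2] -join '.') -ne ($new[0..2] -join '.')) { return 'Warning' }
    if ($old[3] -ne $new[3]) { return 'Notice' }
    return 'None'
}

# Constructed sample data (2024-03-05 is a Tuesday); not real log entries.
$logons   = @([datetime]'2024-03-05 18:30', [datetime]'2024-03-05 22:15', [datetime]'2024-03-05 09:00')
$attempts = @('2024-03-05 03:00', '2024-03-05 03:04', '2024-03-05 03:09',
              '2024-03-05 03:12', '2024-03-05 03:13') | ForEach-Object { [datetime]$_ }
$prevNet  = @{ IPAddress = '192.168.10.24'; SubnetMask = '255.255.255.0'; Gateway = '192.168.10.1' }
$currNet  = @{ IPAddress = '192.168.10.57'; SubnetMask = '255.255.255.0'; Gateway = '192.168.10.1' }

$alerts = @()
foreach ($l in $logons) {
    $alerts += [pscustomobject]@{ Rule = 'Login timeframe'; Detail = $l; Level = (Get-LoginAlertLevel $l) }
}
$alerts += [pscustomobject]@{ Rule = 'Access attempts'; Detail = "$($attempts.Count) attempts"; Level = (Get-AccessAttemptAlertLevel $attempts) }
$alerts += [pscustomobject]@{ Rule = 'Network interface'; Detail = $currNet.IPAddress; Level = (Get-NetworkChangeAlertLevel $prevNet $currNet) }

# Only non-'None' rows would be sent to $Config.AuditConfig.AlertEmail (e.g. via Send-MailMessage).
$alerts | Where-Object Level -ne 'None' | Format-Table -AutoSize
```

With the sample data, the 18:30 logon classifies as Notice, the 22:15 logon as Warning, the 09:00 logon produces nothing, five attempts inside 13 minutes reach the Warning threshold, and the host-only address change is a Notice. The access-attempt check uses a sliding window rather than fixed quarter-hour buckets, so a burst that straddles a bucket boundary is still counted.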
