I know IDR has a great way to automatically list out all detected shared accounts as shared below:
Would it be possible to get some advice on this. Either of these points actually works fine with me as long there’s a way.
Is there a way to get this kind of representation in Dashboard Cards?
Just want to atleast generate a scheduled report detailing such info say everyday or once a week or something.
If possible, is there a way to create a custom alert if there’s this kind behavior detected?
I actually tried creating one but am struggling to create my query since i can’t just have something like source_account != target_account.
Having the above screenshot as a reference to validate my query result I notice there’s a big difference. One of those is that the logline sometimes doesn’t have the source_account or source_user fields.
Or is this something that cannot be done directly because it is part of the UBA algorithm?
Also I noticed that the readily available data cannot be sorted based on the latest event so one need to check per rows and see which is the latest.
Hope to get some advice on this.
you can’t have multiple accounts in Dashboard Cards right now, because the data is completely separate.
We are working on a feature though to make all investigations of all your accounts visible in the investigation management. I would recommend opening a feature request with your use-case.
To your second question: If you want to compare two fields, you need to use two equal signs:
(Returns log events where the key values are not the same. You can input strings or numeric values)
For sorting try
Thank you very much for your reply and advice on the above especially on the query.
Going back to the Shared Account data as a Card Representation, I actually seem to remember that this was available before the Dashboard Tab was upgraded. I was just surprised when I checked recently and it was missing and I thought I remembered incorrectly.
Now it seems I was right on this as skimming through your documentation, it is stated there, so I guess it really was removed? Perhaps, it would be considered faster if I requested it to be loaded again in the system…
Reference: Add and Manage Cards | InsightIDR Documentation
We need to check with the team to find out when the card was removed from the library.
For now, if you want to present shared account data in a dashboard you should be able to do so with this query:
where(source_account!==destination_account) groupby(destination_account) calculate(unique:source_account) sort(DESC)