Tom Kemp's Centrify Blog

Centrify Insight - our Splunk App - Enhanced to Improve Visibility into Risks Associated with User Access and Activity

Wednesday, August 1, 2012

Centrify Insight was recently updated on splunkbase to version 1.3. As I have previously blogged, Centrify Insight is a free monitoring and reporting tool built on Splunk that helps you identify and analyze authentication, authorization and other events taking place on the UNIX, Linux and Mac systems managed by Centrify Suite or Centrify Suite Express.

Our customers frequently tell us that while they rely on Centrify to provide complete, granular control over their UNIX and Linux systems, they use Splunk side by side with Centrify for visibility into the access and health of those same systems. As a result, Centrify is a strong supporter and partner of Splunk. In the past year we have done several joint events, including Centrify appearances at SplunkLive events and a joint webinar on the benefits of combining the Windows and Active Directory apps from Splunk with Centrify Insight, and we have contributed as guest bloggers for Splunk. We look forward to continuing and expanding this vital partnership in the coming quarters.

One more thing: Centrify is a sponsor and will be appearing at the upcoming Splunk .conf at the Cosmopolitan Hotel in Las Vegas, September 10th through the 13th. We will have a booth showing off the latest version of Centrify Insight as well as the Centrify Suite and would love to talk with you and show you a demo. See you there!

But back to this post. In this blog post I would like to highlight a few of the main features of Centrify Insight and introduce the new dashboards and features that version 1.3 adds.

Remind me: What is Centrify Insight?

Centrify Insight provides real-time visibility into the management of, and access to, UNIX and Linux systems protected by the Centrify Suite. Centrify Insight also provides reports and forensics with respect to changes made in Active Directory, management of Centrify Zones and the health of DirectControl agents. Centrify Insight is a Splunk application that listens to Active Directory domain controllers and security event logs, as well as *NIX logs and the Centrify Suite logs to provide the type of insight you need to answer security and forensic questions about Centrify secured systems. Centrify Insight uses Splunk as an enabling platform to provide operational intelligence on the local *NIX system and Active Directory accounts, identity, access, roles and health of Centrify protected systems. And best of all, Centrify is making this available for FREE!!!

What are the main features and benefits of Centrify Insight 1.3?

The Centrify team has been hard at work improving the capabilities, adding features and adding support for the most recent releases of the Centrify Suite and the Splunk platform.

As a reminder, Insight 1.0 initially provided answers regarding changes to Active Directory objects, answering questions such as "When, and by whom, was a user, group or computer object changed in Active Directory?" and "What attribute(s) were changed and what were the previous value(s)?". Similarly, Insight tracked Centrify Zone changes to answer questions such as "Who Zone-enabled a user, effectively provisioning access to all systems in that Zone?" or "What attributes were changed in the Zone object and what were the previous values?". For Insight 1.3, support for the latest Zones (including hierarchy and inheritance) has been updated.

Centrify Zone Activity

The Centrify Zone Activity search pane lets you search for any Centrify object type, including changes, adds and deletes, in a single Zone or across many Zones.

Across the several releases since Insight 1.0, including this latest 1.3 version, we have added many other important features and benefits:

  • Monitor all system access attempts on systems protected by the Centrify Suite.
    • Raise the visibility of system access by local users or Active Directory users including both failed and successful access attempts. Report on a single system or across all systems.
    • Alert on suspicious access activities including password change attempts.
  • Gain visibility into user access to UNIX and Linux systems protected by the Centrify Suite.
    • Mitigate insider threats by understanding a user’s access behavior including login attempts, login methods, user types and trends over time.
    • Reduce business risk by centrally capturing and continuously monitoring all activity by all users to your business critical systems.
  • Centrally monitor the health and status of Centrify agents.
    • Improve operational efficiency and maximize system availability through alerting on any agents that are not properly connecting.
    • Simplify troubleshooting and speed issue resolution by centrally searching and reporting on agent configuration and log files.

What are some of the key capabilities of Centrify Insight 1.3?

One of the primary use cases for Centrify Insight is to monitor all system access attempts on systems protected by the Centrify Suite. This includes both successful and failed logon attempts by users who are managed either locally or in Active Directory. Centrify Insight can also break down access methods (e.g. console, ssh, su), show the top users accessing systems, report password change attempts, and even identify users who have access to systems but have not logged on for a period of time.

Systems Access

The Systems Access dashboard shows statistics on user, group and computer accounts, password changes and user login attempts.

In addition to monitoring access to particular systems, you can pivot to examine, report and alert on user access activity.

Login Statistics Overview

The Login Statistics Overview dashboard shows summary information for systems protected by the Centrify Suite.

Finally, you can centrally monitor the health and availability of the Centrify Agent from a single dashboard using Centrify Insight.

Centrify Health Overview

The Centrify Health Overview dashboard gives you a central view of all DirectControl agents, their status and relevant errors.

Wrapping up

Centrify Insight is available free of charge on Splunkbase. You can pick up Centrify Express here. Finally, support is available on the Centrify Insight Community, where you can exchange best practice advice with Centrify staff and other Centrify Insight users. Check it out!
