Liongard Library


Categories Windows Workstation
Created by Lamont Largie
Created on Jun 7, 2024

Windows Workstation: Unauthorized AnyDesk Installation (Last 7 Days)

Metric Name: Windows Workstation: Unauthorized AnyDesk Installation (Last 7 Days)


Category: Windows Workstation


Description: This metric identifies and reports recent installations of AnyDesk on Windows workstations that may not have been authorized. It details critical information including the account used for installation, installation date, and the version of AnyDesk installed. This information is vital for detecting unauthorized remote access setups and potential security breaches.


Purpose: Monitoring recent installations of remote access software like AnyDesk is crucial for detecting unauthorized access and preventing potential misuse of system settings, such as disabling antivirus products via BIOS modifications in Safe Mode. This metric aids IT security teams in promptly responding to and investigating such installations, thereby enhancing the security posture of the organization.


How It Works: The metric filters installation data to identify AnyDesk installations within the last 7 days. It displays relevant details such as the installer's account name, the installation date, and the version of AnyDesk. This allows for immediate security assessments and appropriate responses to unauthorized installations.


Beneficiaries: This metric is particularly beneficial for IT security and administrative teams tasked with maintaining the integrity of Windows Workstation environments. It supports compliance with security policies that mandate monitoring and addressing unauthorized software installations to thwart potential security threats.


Enhancing the "Windows Workstation: Unauthorized AnyDesk Installation (Last 7 Days)" Metric


Adjusting the Time Frame:


Current Setting: Last 7 days.

Modification: Option to adjust the monitoring period to more frequent checks (e.g., last 3 days) or extended periods (e.g., last 30 days).

Value: More frequent checks can provide quicker responses to unauthorized installations in high-security environments, whereas longer periods might be useful for trend analysis and monitoring in less critical settings.

Varying the Sensitivity for Alerts:


Current Setting: All AnyDesk installations within the timeframe.

Modification: Implement a whitelist feature to exclude authorized installations from triggering alerts.

Value: Reduces false positives by acknowledging routine, authorized installations, thereby focusing attention on truly suspicious activities.

Including Additional Contextual Data:


Current Setting: Account name, installation date, AnyDesk version.

Modification: Include additional data such as the network location, IP address from which the installation was made, and whether the installed version has known vulnerabilities.

Value: Enhances understanding of the context surrounding each installation, improving the ability to assess the risk and respond more effectively to potential threats.

Huge thanks to Anthony C. for this idea!

Query

Software[?contains(Name, 'AnyDesk') && DaysSinceInstall < `7`].[['--'], ['Name:', Name], ['Installed On:', InstallDate], ['Version:', DisplayVersion]][]
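
The time-frame and allowlist adjustments described above, applied to exported inventory rows: this is an added Python example, not part of the original entry and not Liongard code. The field names come from the query; the sample rows, the `flag_anydesk` helper and the idea of allowlisting by approved `DisplayVersion` are assumptions made for illustration.

```python
# Added example, not Liongard code. Field names are taken from the query on this
# page; the inventory rows and the approved-version allowlist are constructed.
SAMPLE_SOFTWARE = [
    {"Name": "AnyDesk", "DisplayVersion": "7.1.13",
     "InstallDate": "2024-06-05", "DaysSinceInstall": 2},
    {"Name": "AnyDesk", "DisplayVersion": "8.0.9",
     "InstallDate": "2024-06-04", "DaysSinceInstall": "3"},   # age as a string
    {"Name": "Cisco AnyConnect Secure Mobility Client", "DisplayVersion": "4.10",
     "InstallDate": "2024-06-06", "DaysSinceInstall": 1},
    {"Name": "AnyDesk MSI", "DisplayVersion": "7.0.4",
     "InstallDate": "2024-04-01", "DaysSinceInstall": 67},
    {"Name": "anydesk", "DisplayVersion": "6.3.2",
     "InstallDate": None, "DaysSinceInstall": None},          # age unknown
]
APPROVED_VERSIONS = frozenset({"8.0.9"})  # hypothetical sanctioned build


def install_age(row):
    """Return DaysSinceInstall as an int, or None if missing or non-numeric."""
    try:
        return int(row.get("DaysSinceInstall"))
    except (TypeError, ValueError):
        return None


def flag_anydesk(software, window_days=7, approved_versions=frozenset()):
    """Return AnyDesk installs inside the window that are not allowlisted."""
    findings = []
    for row in software:
        # Match the full product name, case-insensitively; a shorter substring
        # such as 'Any' would also flag AnyConnect.
        if "anydesk" not in (row.get("Name") or "").lower():
            continue
        if row.get("DisplayVersion") in approved_versions:
            continue  # sanctioned build: suppress the alert
        age = install_age(row)
        # Unknown age is kept for review rather than silently dropped.
        if age is None or age < window_days:
            findings.append({
                "Name": row.get("Name"),
                "InstalledOn": row.get("InstallDate"),
                "Version": row.get("DisplayVersion"),
                "DaysSinceInstall": age,
            })
    return findings


if __name__ == "__main__":
    for finding in flag_anydesk(SAMPLE_SOFTWARE, 7, APPROVED_VERSIONS):
        print(finding)
```

Rows whose install age is missing are reported rather than filtered out, so a record with no usable date still reaches a reviewer.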
