Metric Name: Windows Workstation: Unauthorized AnyDesk Installation (Last 7 Days)
Category: Windows Workstation
Description: This metric identifies and reports recent installations of AnyDesk on Windows workstations that may not have been authorized. It details critical information including the account used for installation, installation date, and the version of AnyDesk installed. This information is vital for detecting unauthorized remote access setups and potential security breaches.
Purpose: Monitoring recent installations of remote access software such as AnyDesk is crucial for detecting unauthorized access and preventing misuse of system settings, such as disabling antivirus products through BIOS modifications in Safe Mode. This metric helps IT security teams respond promptly to and investigate such installations, thereby strengthening the organization's security posture.
How It Works: The metric filters installation data to identify AnyDesk installations within the last 7 days. It displays relevant details such as the installer's account name, the installation date, and the version of AnyDesk. This allows for immediate security assessments and appropriate responses to unauthorized installations.
Beneficiaries: This metric is particularly beneficial for IT security and administrative teams tasked with maintaining the integrity of Windows Workstation environments. It supports compliance with security policies that mandate monitoring and addressing unauthorized software installations to thwart potential security threats.
Enhancing the "Windows Workstation: Unauthorized AnyDesk Installation (Last 7 Days)" Metric
Adjusting the Time Frame:
Current Setting: Last 7 days.
Modification: Option to adjust the monitoring period to more frequent checks (e.g., last 3 days) or extended periods (e.g., last 30 days).
Value: More frequent checks can provide quicker responses to unauthorized installations in high-security environments, whereas longer periods might be useful for trend analysis and monitoring in less critical settings.
Varying the Sensitivity for Alerts:
Current Setting: All AnyDesk installations within the timeframe.
Modification: Implement a whitelist feature to exclude authorized installations from triggering alerts.
Value: Reduces false positives by acknowledging routine, authorized installations, thereby focusing attention on truly suspicious activities.
Including Additional Contextual Data:
Current Setting: Account name, installation date, AnyDesk version.
Modification: Include additional data such as the network location, IP address from which the installation was made, and whether the installed version has known vulnerabilities.
Value: Enhances understanding of the context surrounding each installation, improving the ability to assess the risk and respond more effectively to potential threats.
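The following is an added example, not the metric's own query logic, showing the filter the metric describes together with the three enhancements above: an adjustable time window, an allowlist of authorized installer accounts, and a version check. The installation records, field names, allowlisted account and the minimum patched version are all constructed placeholders, not real inventory data or a real AnyDesk advisory.

```python
from datetime import datetime, timedelta

# Constructed sample records (not a real inventory export). Field names are an
# assumption; the real metric reads the monitoring tool's own installation data.
INSTALLS = [
    {"host": "WS-0142", "product": "AnyDesk", "version": "8.0.10",
     "account": "CORP\\jdoe", "installed": "2024-05-20T09:14:00"},
    {"host": "WS-0077", "product": "AnyDesk", "version": "7.1.14",
     "account": "CORP\\svc-helpdesk", "installed": "2024-05-18T16:02:00"},
    {"host": "WS-0203", "product": "AnyDesk", "version": "8.0.10",
     "account": "CORP\\mlee", "installed": "2024-05-01T11:30:00"},
    {"host": "WS-0142", "product": "7-Zip", "version": "23.01",
     "account": "CORP\\jdoe", "installed": "2024-05-21T08:00:00"},
]

# Hypothetical allowlist: installs by the help-desk service account are authorized.
AUTHORIZED_ACCOUNTS = {"CORP\\svc-helpdesk"}

# Placeholder standing in for a vulnerability feed: versions below this are flagged
# as outdated. Not a real AnyDesk advisory; substitute real data in production.
MIN_PATCHED_VERSION = (8, 0, 0)

# Fixed "now" so the sample evaluates the same way every run.
SAMPLE_NOW = datetime(2024, 5, 22, 12, 0, 0)


def parse_version(text):
    """Turn '8.0.10' into (8, 0, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def unauthorized_anydesk(records, now, days=7, authorized=AUTHORIZED_ACCOUNTS,
                         min_patched=MIN_PATCHED_VERSION):
    """Return alert rows for AnyDesk installs inside the window that are not allowlisted."""
    cutoff = now - timedelta(days=days)
    alerts = []
    for rec in records:
        if "anydesk" not in rec["product"].lower():
            continue  # only the product this metric is about
        installed = datetime.fromisoformat(rec["installed"])
        if installed < cutoff:
            continue  # outside the monitoring window
        if rec["account"] in authorized:
            continue  # routine, authorized install: suppressed to reduce false positives
        alerts.append({"host": rec["host"], "account": rec["account"],
                       "version": rec["version"], "installed": installed,
                       "version_outdated": parse_version(rec["version"]) < min_patched})
    return alerts


if __name__ == "__main__":
    for a in unauthorized_anydesk(INSTALLS, SAMPLE_NOW):
        print(f"{a['host']} {a['account']} v{a['version']} "
              f"{a['installed']:%Y-%m-%d} outdated={a['version_outdated']}")
```

Widening the window to 30 days or clearing the allowlist changes which rows surface, which is the trade-off the Value lines above describe.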
Huge thanks to Anthony C. for this idea!