
Alarm Email Contents

Hi all

I'm trying to get an alarm from a correlation rule I made to give me information in an email. In the email template I don't see any options to tell me if a user was added or deleted. But in the Source Events tab it tells me. How can I get that information into the alarm email? See below

Source_Event.JPG

5 Replies
rth67
Level 12
Message 2 of 6

Re: Alarm Email Contents

We created several Correlation rules to look for different things, User added to a privileged group, removed from a privileged group, etc.

These then are associated to an alarm, the "Rule Message" tells us whether it was an Add or a Remove operation.

The body of the custom Alarm Template consists of the following:

[$REPEAT_START]
[$Rule Message]

Time : [$First Time]

Admin: [$%UserIDSrc]

User : [$%UserIDDst]

AD Group : [$%ObjectID]

Domain: [$%DomainID]

Signature ID: [$Signature ID]

[$REPEAT_END]

Message was edited by: rth67 on 2/3/14 9:39:48 AM CST

Re: Alarm Email Contents

Does your alarm give you the actual User information in the email?

I have that User : [$%UserIDDst] in the template and that field is always blank.

In your correlation rule do you have something that looks at just users?

rth67
Level 12
Message 4 of 6

Re: Alarm Email Contents

Yes the alarm email we receive has both the user who made the change, and the user being changed.

The ACE Correlation Rules which trigger the alarm look like this:

User Added to Privileged Group

Group By: Destination User

Filter Logic

     Signature ID (In) [43-263047280,43-263047320,43-263047560]

     ObjectID (In) [Privileged AD Groups] (This is a Watchlist - "object" that includes the Administrators, DnsAdmins, Domain Admins, Enterprise Admins, Schema Admins)

     Event Subtype (In) [success]

     UserIDSrc (Not In) [DOMAIN_CONTROLLERS_SOURCE_USER] (This is a watchlist of our DCs' names with the $ on the end as the source user - to avoid replicated events)

The second correlation rule for "User Removed from Privileged Group" is basically the same, the only exception is the Signature IDs being monitored:

     Signature ID (In) [43-2630477290,43-263047330,43-263047570]

We are currently running version 9.3.1

dcobes
Level 9
Message 5 of 6

Re: Alarm Email Contents

This is great info! I love when people will share alarm email templates and correlation rules.

One question for rth67, in your email template, what is the purpose of [$REPEAT_START] and [$REPEAT_END]? Does this essentially say add all details between start and stop for each event that triggers (if more than one event)?

-d

rth67
Level 12
Message 6 of 6

Re: Alarm Email Contents

The "Repeat Start" and "Repeat End" are to allow for multiple results in one email.

Let's say your Alarm is set to only email once an hour but multiple events happen in that hour, the repeat function allows the details from all events to be placed into the body of the email.
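As an added example (my own Python model, not code from the thread or from the ESM product), this shows how rth67's two pieces fit together: the filter logic of the correlation rules in message 4 (Signature ID In, ObjectID In the privileged-group watchlist, Event Subtype success, UserIDSrc Not In the domain-controller watchlist) and the [$REPEAT_START]/[$REPEAT_END] block from message 6 that repeats the template body once per triggered event in a single email. The Signature IDs, group names and template are the ones posted above; the sample events, the user names and the DC watchlist entries are constructed, and the "Group By: Destination User" step is left out.

```python
import re

# Watchlists as the thread describes them. The privileged groups are the ones
# rth67 lists; the DC account names are a constructed stand-in for the real list.
PRIVILEGED_AD_GROUPS = {"Administrators", "DnsAdmins", "Domain Admins",
                        "Enterprise Admins", "Schema Admins"}
DOMAIN_CONTROLLERS_SOURCE_USER = {"DC01$", "DC02$"}  # constructed

# The two correlation rules from message 4, expressed as filter data.
CORRELATION_RULES = [
    {"Rule Message": "User Added to Privileged Group",
     "Signature ID": {"43-263047280", "43-263047320", "43-263047560"}},
    {"Rule Message": "User Removed from Privileged Group",
     "Signature ID": {"43-2630477290", "43-263047330", "43-263047570"}},
]

# rth67's alarm template body, verbatim.
ALARM_TEMPLATE = """[$REPEAT_START]
[$Rule Message]
Time : [$First Time]
Admin: [$%UserIDSrc]
User : [$%UserIDDst]
AD Group : [$%ObjectID]
Domain: [$%DomainID]
Signature ID: [$Signature ID]
[$REPEAT_END]"""

# Constructed events carrying the fields the template references.
SAMPLE_EVENTS = [
    {"Signature ID": "43-263047280", "ObjectID": "Domain Admins", "Event Subtype": "success",
     "UserIDSrc": "jsmith", "UserIDDst": "bjones", "DomainID": "CORP", "First Time": "02/03/2014 09:12:00"},
    # The same change as logged by a second DC after replication: source user is the DC account.
    {"Signature ID": "43-263047280", "ObjectID": "Domain Admins", "Event Subtype": "success",
     "UserIDSrc": "DC02$", "UserIDDst": "bjones", "DomainID": "CORP", "First Time": "02/03/2014 09:12:03"},
    {"Signature ID": "43-263047330", "ObjectID": "Enterprise Admins", "Event Subtype": "success",
     "UserIDSrc": "jsmith", "UserIDDst": "kwong", "DomainID": "CORP", "First Time": "02/03/2014 09:40:10"},
    # A group outside the watchlist: never alarmed.
    {"Signature ID": "43-263047280", "ObjectID": "Marketing", "Event Subtype": "success",
     "UserIDSrc": "jsmith", "UserIDDst": "pdoe", "DomainID": "CORP", "First Time": "02/03/2014 09:50:00"},
]


def rule_matches(rule, event):
    """Filter logic from message 4: all four conditions must hold."""
    return (event.get("Signature ID") in rule["Signature ID"]
            and event.get("ObjectID") in PRIVILEGED_AD_GROUPS
            and event.get("Event Subtype") == "success"
            and event.get("UserIDSrc") not in DOMAIN_CONTROLLERS_SOURCE_USER)


def correlate(events, rules=CORRELATION_RULES):
    """Return a copy of each matching event tagged with the rule's message,
    which is what [$Rule Message] resolves to in the template."""
    triggered = []
    for ev in events:
        for rule in rules:
            if rule_matches(rule, ev):
                triggered.append({**ev, "Rule Message": rule["Rule Message"]})
    return triggered


_FIELD = re.compile(r"\[\$%?([^\]]+)\]")          # [$Name] and [$%Name]
_REPEAT = re.compile(r"\[\$REPEAT_START\](.*?)\[\$REPEAT_END\]", re.DOTALL)


def _fill(fragment, event):
    # Unknown fields render blank, which is what the thread reports for an
    # empty UserIDDst. Event values are inserted as-is and never re-parsed.
    return _FIELD.sub(lambda m: str(event.get(m.group(1), "")), fragment)


def render_alarm(template, triggered):
    """Expand each REPEAT block once per triggered event; text outside the
    block is filled from the first event. Each segment is filled exactly
    once so field values containing [$...] cannot inject further fields."""
    if not triggered:
        return ""
    pieces, last = [], 0
    for m in _REPEAT.finditer(template):
        pieces.append(_fill(template[last:m.start()], triggered[0]))
        pieces.append("".join(_fill(m.group(1), ev) for ev in triggered))
        last = m.end()
    pieces.append(_fill(template[last:], triggered[0]))
    return "".join(pieces)


if __name__ == "__main__":
    print(render_alarm(ALARM_TEMPLATE, correlate(SAMPLE_EVENTS)))
```

Run stand-alone, it prints one email body with two repeated sections (the add and the remove), with the replicated DC event and the non-privileged group change filtered out by the rule logic rather than by the template.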