cancel
Showing results for 
Search instead for 
Did you mean: 

Data Enrichment and Custom Types

Hello all,

I'm fairly new at this, but I've been trying to create a correlation rule that alerts when a user is added to the local administrators group on Windows machines.

This works, my rule looks for 'A member was added to a security-enabled local group' (43-263047320), among a few others. 

Unfortunately, Microsoft sends only the SIDs, and relies on the viewing client to determine who added who to what group.  ESM will resolve the SID of the user doing the adding, and the group being added to, but not the user that got added!  This just comes in as a custom type called 'Security_ID' and gives me a SID.  See the attached screenshot.

I've been experimenting with Data Enrichment through either ldap or SQL.  Using LDAP trying to query 'ObjectSID' produces an error.   I've been able to successfully query the Object SID (and resolve SAMAccountName) in my IAM SQL database, but in Destination I am unable to select Security_ID (or any custom type) as a lookup field, no matter which data source i select!   It is available in the Custom Types menu, but it's not editable.

How are others doing this?

Thanks,

Kevin

7 Replies
Reliable Contributor sssyyy
Reliable Contributor
Report Inappropriate Content
Message 2 of 8

Re: Data Enrichment and Custom Types

Really? the event should contain both source user (actioned by) and destination user (added user). Correlation rule should just be Signature ID, and object = the security group name which you are interested in.

Re: Data Enrichment and Custom Types

Try this:

(1) Make the Custom Type a String

(2) Assign it to Custom Field 9 or 10 to keep it out of the way of other user related fields.

xded
Level 12
Report Inappropriate Content
Message 4 of 8

Re: Data Enrichment and Custom Types

there is Blog entry fro Dataenrichment in this community. -->

You can use this to enrich you SIEM from SID to Username.

But sssyyy is right there is a configuration in your Group policy in the Windows Domain to extend this log

Re: Data Enrichment and Custom Types

Hi all, thanks for the replies.

To clarify, the packet captured by Signature 43-263047320 (A member was added to a security-enabled local group) only contains the following data:

192.168.1.100||Security||91729680||Microsoft-Windows-Security-Auditing||4732||61||1483539975||4||SERVER1.DOMAIN.COM||||Security Group Management||10||-||S-1-5-20||IIS_IUSRS||Builtin||S-1-5-32-568||S-1-5-21-4195886749-1299131234-950276898-294751||KevinM||DOMAIN||0xafe95984||-||A member was added to a security-enabled local group.

Subject:

  Security ID: S-1-5-21-4195886749-1299131234-950276898-294751

  Account Name: KevinM

  Account Domain: DOMAIN

  Logon ID: 0xafe95984

Member:

  Security ID: S-1-5-20

  Account Name: -

Group:

  Security ID: S-1-5-32-568

  Group Name: IIS_IUSRS

  Group Domain: Builtin

Additional Information:

  Privileges: -

As you can see, the Account Name is blank, and that's the member that KevinM added to the IIS_Users group.  If there's a setting to include this data that would be great but I am unaware of it.  (I obviously changed the sensitive data).

As far as following that article for data enrichment, I'm having data type issues working with the SID to do that.  It doesn't seem to be possible.

Highlighted
xded
Level 12
Report Inappropriate Content
Message 6 of 8

Re: Data Enrichment and Custom Types

Re: Data Enrichment and Custom Types

Good find xded!  According to that article:

Account Name [Type = UnicodeString]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “-“ value, even if new member is a domain account. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.

That's what's happening with me.  When one of my sneaky server admins decides to take the easy way out and add a service account to Administrators, I want to know who got added!  It looks like the information doesn't exist, no one else has this issue?

Re: Data Enrichment and Custom Types

Hello,

Did anyone ever come up with a way to handle this issue?  I'm trying to do the same thing (indeed, I want the alert for a user being added to any group, not just Domain Admins.)

Best regards,

- Steve

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community