I'm working on a rule where I have to monitor disabled or deleted domain accounts for activity such as authentication. To build this correlation rule, I am planning the following steps:
1: Create a Correlation rule to match the signature ID for Account Deleted and Disabled.
2: Use the Dynamic Watchlist option (namely Disabled Users) to add the Dest User from the above signatures into the Dynamic Watchlist.
3: Create another rule to look for authentication activity where the Source user is in "Disabled Users".
Now the problem that I am facing is with the Dynamic Watchlist as I am unable to define the dynamic watchlist for "Disabled Users".
Is there any other way to achieve the same?
Haroot - did you try to do it in the following way?:
1. Create an Alarm for events from particular Signature ID (Disable or Delete User).
2. On the Actions tab - "Update Watchlist" > Manage.
3. And use "Append" action, as it was shown below:
In the same way you can remove the usernames when the account is created\enabled - of course, if you know the Signature IDs for those events.
I had already tried the above steps. More details on where I am getting stuck:
1: When a user ID is disabled in Windows AD, it gets populated under Destination User, and the Source User is the admin ID which disabled this user.
2: Based upon the above signature, I created a watchlist which populates the Destination User. As a result of this, the watchlist (DISABLED USER WATCHLIST) is getting populated.
3: Now my condition for triggering an email alert is: if there is a successful/failed authentication event and the user is in DISABLED WATCHLIST, trigger an alert.
The challenge here is that the DISABLED USER WATCHLIST is getting populated from the Destination User field, and the failed authentication event has the user ID populated in the SOURCE USER field, and hence I cannot apply the DISABLED USER WATCHLIST on this alert.
Can you share your solution. I have the same problem - for the same kind of use case - and I'm banging my head at present. This should be easy!
Maybe another way to do this is with data enrichment. If you are looking for events post disabling, you could do a lookup on AD for the source user, then add the disabled attribute as a data enrichment event for each event as it is added. From memory this is the 'useraccount control' attribute in AD. You could then easily create reports, rules etc. based on this field.
You could also build dynamic watchlists based on this event, which would be useful for activity that may have occurred before the disabling, as opposed to the above where it would all be post disabling.
I have not tested this myself, but this would seem like an approach that would work.
I would love to see how this was accomplished. I'm currently trying to set up something like this and am a relative noob when it comes to the SIEM.
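
The matching logic this thread is after, written outside the SIEM as an added example (not from any poster, and not the product's rule syntax): the watchlist is filled from the Destination User of disable/delete events and compared against the Source User of authentication events after both are normalized to one key. The event field names, the helper names and the use of Windows Security event IDs in place of the SIEM's signature IDs are assumptions.

```python
# Added example. Events are constructed; the IDs are Windows Security log
# event IDs, assumed here in place of the SIEM's own signature IDs.
DISABLE_OR_DELETE = {4725, 4726}  # account disabled / deleted
CREATE_OR_ENABLE = {4720, 4722}   # account created / enabled
AUTHENTICATION = {4624, 4625}     # logon success / failure

def normalize_user(name):
    # Reduce DOMAIN\user, user@domain and mixed case to one comparable key.
    name = (name or "").strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]

def correlate(events):
    watchlist = {}  # normalized account -> time it was disabled/deleted
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        sig = ev["event_id"]
        if sig in DISABLE_OR_DELETE:
            # Affected account is the Destination User; the Source User
            # is the admin who made the change and is not watchlisted.
            watchlist[normalize_user(ev["dst_user"])] = ev["time"]
        elif sig in CREATE_OR_ENABLE:
            watchlist.pop(normalize_user(ev["dst_user"]), None)
        elif sig in AUTHENTICATION:
            # Authentication events carry the account in Source User.
            user = normalize_user(ev["src_user"])
            if user in watchlist:
                alerts.append({"user": user, "time": ev["time"],
                               "event_id": sig, "disabled_at": watchlist[user]})
    return alerts

def event(time, event_id, src_user, dst_user=None):
    return {"time": time, "event_id": event_id,
            "src_user": src_user, "dst_user": dst_user}

SAMPLE_EVENTS = [  # constructed sample data
    event(1, 4624, "CORP\\jdoe"),                    # logon before disable
    event(2, 4725, "CORP\\admin1", "jdoe"),          # admin1 disables jdoe
    event(3, 4625, "JDoe@corp.example"),             # failed logon -> alert
    event(4, 4624, "CORP\\admin1"),                  # admin logon, no alert
    event(5, 4722, "CORP\\admin1", "jdoe"),          # jdoe re-enabled
    event(6, 4624, "CORP\\jdoe"),                    # no alert after enable
    event(7, 4726, "CORP\\admin1", "CORP\\asmith"),  # asmith deleted
    event(8, 4625, "asmith"),                        # failed logon -> alert
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```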