haroot
Level 9
Message 1 of 8

Rule for monitoring Disabled/Deleted Users for Suspicious Activity

Hi,

I'm working on a rule where I have to monitor disabled or deleted domain accounts for activity such as authentication. To build this correlation rule, I am planning the following steps:

1: Create a correlation rule to match the signature ID for Account Deleted and Disabled.

2: Use the Dynamic Watchlist option (namely Disabled Users) to add the Dest User from the above signatures into the Dynamic Watchlist.

3: Create another rule to look for authentication activity where the Source user is in "Disabled Users".

Now the problem that I am facing is with the Dynamic Watchlist as I am unable to define the dynamic watchlist for "Disabled Users".

Is there any other way to achieve the same?

Haroot

7 Replies
artek
Level 11
Message 2 of 8

Re: Rule for monitoring Disabled/Deleted Users for Suspicious Activity

Haroot - did you try to do it in the following way?:

1. Create an Alarm for events from particular Signature ID (Disable or Delete User).

2. On the Actions tab - "Update Watchlist" > Manage.

3. And use "Append" action, as it was shown below:

[image: ESM22.PNG]

In the same way you can remove the usernames when an account is created/enabled - of course, only if you know the Signature IDs for those events.

Regards,

Artur Sadownik

haroot
Level 9
Message 3 of 8

Re: Rule for monitoring Disabled/Deleted Users for Suspicious Activity

Hi Artur,

I had already tried the above steps. More details on where I am getting stuck:

1: When a user ID is disabled in Windows AD, the same gets populated under Destination user, and the Source user is the admin ID which disabled this user.

2: Based upon the above signature, I created a watchlist which populates the Destination user. As a result of this the watchlist (DISABLED USER WATCHLIST) is getting populated.

3: Now my condition for triggering an email alert is: if there is a successful/failed authentication event and the user is in DISABLED WATCHLIST, trigger an alert.

The challenge here is that the DISABLED USER WATCHLIST is getting populated from the Destination User field, while the failed authentication event has the user ID populated in the SOURCE USER field, and hence I cannot apply the DISABLED USER WATCHLIST on this alert.

Haroot
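The two-rule design discussed above, written out as an added stand-alone simulation so the field mapping is explicit: disable/delete events feed the watchlist from their Destination user, and authentication events are then checked on their Source user. This is illustration code, not McAfee ESM configuration or anything posted in the thread; it assumes the standard Windows Security event IDs (4725/4726 disable/delete, 4722 enable, 4624/4625 logon) stand in for the ESM signature IDs, and the event records and field names are constructed.

```python
# Added example: simulates the watchlist correlation from the thread.
# Not ESM code; event IDs are Windows Security IDs (assumed mapping),
# sample events are constructed.
from dataclasses import dataclass, field

DISABLE_OR_DELETE = {4725, 4726}   # account disabled / account deleted
ENABLE = {4722}                    # account enabled -> drop from watchlist
AUTH = {4624, 4625}                # successful / failed logon


@dataclass
class Correlator:
    watchlist: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def process(self, ev: dict) -> None:
        eid = ev["event_id"]
        if eid in DISABLE_OR_DELETE:
            # The affected account is the *destination* user; the source
            # user is the admin who made the change, so it is not added.
            self.watchlist.add(ev["dest_user"].lower())
        elif eid in ENABLE:
            self.watchlist.discard(ev["dest_user"].lower())
        elif eid in AUTH and ev["src_user"].lower() in self.watchlist:
            # Logon events carry the account in the *source* user field,
            # so that is the field compared against the watchlist.
            # Names are lower-cased so "JDOE" and "jdoe" match.
            self.alerts.append((ev["src_user"], eid, ev["src_ip"]))


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"event_id": 4725, "src_user": "admin1", "dest_user": "jdoe", "src_ip": "10.0.0.5"},
    {"event_id": 4625, "src_user": "JDOE", "dest_user": "", "src_ip": "10.0.0.77"},
    {"event_id": 4624, "src_user": "asmith", "dest_user": "", "src_ip": "10.0.0.8"},
    {"event_id": 4722, "src_user": "admin1", "dest_user": "jdoe", "src_ip": "10.0.0.5"},
    {"event_id": 4624, "src_user": "jdoe", "dest_user": "", "src_ip": "10.0.0.77"},
]


def run(events) -> Correlator:
    c = Correlator()
    for ev in events:
        c.process(ev)
    return c


if __name__ == "__main__":
    for user, eid, ip in run(SAMPLE_EVENTS).alerts:
        print(f"ALERT: disabled account {user} seen in event {eid} from {ip}")
```

Only the failed logon by JDOE between the disable and the re-enable raises an alert; the logon after 4722 does not, because the enable event removed the account from the watchlist.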

haroot
Level 9
Message 4 of 8

Re: Rule for monitoring Disabled/Deleted Users for Suspicious Activity

Hi Arthur,

I was able to configure the rule.

haroot

Re: Rule for monitoring Disabled/Deleted Users for Suspicious Activity

Hi Haroot,

Can you share your solution? I have the same problem - for the same kind of use case - and I'm banging my head at present. This should be easy!

cheers,

Andrew

Shaf
Level 7
Message 6 of 8

Re: Rule for monitoring Disabled/Deleted Users for Suspicious Activity

Please share how to configure the monitoring for disabled users.

Re: Rule for monitoring Disabled/Deleted Users for Suspicious Activity

Hi,

Maybe another way to do this is with data enrichment, if you are looking for events post disabling, you could do a lookup on AD for the source user, then add the disabled attribute as a data enrichment event for each event as it is added. From memory this is the 'useraccount control' attribute in AD. You could then easily create reports, rules etc based on this field.

You could also build dynamic watchlists based on this event, which would be useful for activity that may have occurred before the disabling, as opposed to the above where it would all be post disabling.

I have not tested this myself, but this would seem like an approach that would work.

regards

Mason

Re: Rule for monitoring Disabled/Deleted Users for Suspicious Activity

I would love to see how this was accomplished. I'm currently trying to set up something like this and am a relative noob when it comes to the SIEM.
