haroot
Level 9

Rule for monitoring Disabled/Deleted Users for Suspicious Activity

Hi,

I'm working on a rule where I have to monitor disabled or deleted domain accounts for activity such as authentication. To build this correlation rule, I am planning the following steps:

1: Create a correlation rule to match the signature ID for Account Deleted and Account Disabled.

2: Use the Dynamic Watchlist option (namely "Disabled Users") to add the Destination User from the above signatures into the dynamic watchlist.

3: Create another rule to look for authentication activity where the Source User is in "Disabled Users".

Now the problem that I am facing is with the dynamic watchlist, as I am unable to define the dynamic watchlist for "Disabled Users".

Is there any other way to achieve the same?

Haroot

0 Kudos
6 Replies
artek
Level 11

Re: Rule for monitoring Disabled/Deleted Users for Suspicious Activity

Haroot - did you try to do it in the following way?

1. Create an Alarm for events from particular Signature ID (Disable or Delete User).

2. On the Actions tab - "Update Watchlist" > Manage.

3. And use the "Append" action, as shown below:

[screenshot: ESM22.PNG]

In the same way you can remove the usernames when an account is created/enabled - of course, only if you know the Signature IDs for those events.

Regards,

Artur Sadownik

0 Kudos
haroot
Level 9

Re: Rule for monitoring Disabled/Deleted Users for Suspicious Activity

Hi Artur,

I had already tried the above steps. More details on where I am getting stuck:

1: When a user ID is disabled in Windows AD, it gets populated under Destination User, and the Source User is the admin ID which disabled this user.

2: Based upon the above signature, I created a watchlist which is populated from the Destination User. As a result, the watchlist (DISABLED USER WATCHLIST) is getting populated.

3: Now my condition for triggering an email alert is: if there is a successful/failed authentication event and the user is in the DISABLED USER WATCHLIST, trigger an alert.

The challenge here is that the DISABLED USER WATCHLIST is getting populated from the Destination User field, while a failed authentication event has the user ID populated in the SOURCE USER field, and hence I cannot apply the DISABLED USER WATCHLIST to this alert.

Haroot

0 Kudos
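The two-rule design Artur lays out, and the field mismatch Haroot runs into, can be shown end to end with a small stand-alone correlator. This is an added example, not code from the original thread or from the SIEM vendor: the Source User / Destination User normalisation is an assumption modelled on Haroot's description of how the parser populates those fields, the sample events are constructed, and only the Windows event IDs (4720, 4722, 4725, 4726, 4624, 4625) are taken from Microsoft's documentation. The point it demonstrates is that one watchlist is fed from Destination User by the account-management events but compared against Source User by the authentication rule.

```python
"""Added example, not code from the original thread or from the SIEM vendor:
a minimal stand-in for the watchlist correlation Artur describes, run over
constructed Windows Security events, showing the field mismatch Haroot hit
(watchlist fed from Destination User, logons matched on Source User).
The Source/Destination User normalisation is an assumption modelled on the
thread, not the product's real parser; the event IDs are Microsoft's."""
from dataclasses import dataclass, field

# Windows Security event IDs (Microsoft-documented).
ACCOUNT_CREATED = 4720
ACCOUNT_ENABLED = 4722
ACCOUNT_DISABLED = 4725
ACCOUNT_DELETED = 4726
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625

APPEND_EVENTS = {ACCOUNT_DISABLED, ACCOUNT_DELETED}  # Artur's "Append" action
REMOVE_EVENTS = {ACCOUNT_ENABLED, ACCOUNT_CREATED}   # remove on enable/create
AUTH_EVENTS = {LOGON_SUCCESS, LOGON_FAILURE}


def normalize(raw: dict) -> dict:
    """Assumed SIEM normalisation, modelled on Haroot's description.

    Account-management events: the acting admin (SubjectUserName) lands in
    Source User, the account acted upon (TargetUserName) in Destination User.
    Logon events: the account that tried to log on (TargetUserName in the raw
    4624/4625 event) lands in Source User.
    """
    eid = raw["EventID"]
    if eid in APPEND_EVENTS | REMOVE_EVENTS:
        return {"event_id": eid, "host": raw["Computer"],
                "src_user": raw["SubjectUserName"].lower(),
                "dst_user": raw["TargetUserName"].lower()}
    if eid in AUTH_EVENTS:
        return {"event_id": eid, "host": raw["Computer"],
                "src_user": raw["TargetUserName"].lower(),
                "dst_user": None}
    raise ValueError(f"unhandled event id {eid}")


@dataclass
class DisabledUserCorrelator:
    watchlist: set = field(default_factory=set)  # the "DISABLED USER WATCHLIST"
    alerts: list = field(default_factory=list)

    def process(self, raw: dict) -> None:
        ev = normalize(raw)
        if ev["event_id"] in APPEND_EVENTS:
            self.watchlist.add(ev["dst_user"])       # fed from Destination User
        elif ev["event_id"] in REMOVE_EVENTS:
            self.watchlist.discard(ev["dst_user"])   # account is valid again
        elif ev["event_id"] in AUTH_EVENTS and ev["src_user"] in self.watchlist:
            # Same watchlist, but the second rule compares it against Source User.
            self.alerts.append((ev["src_user"], ev["event_id"], ev["host"]))


def run(events: list) -> list:
    """Feed events through the correlator and return the alerts it raised."""
    corr = DisabledUserCorrelator()
    for raw in events:
        corr.process(raw)
    return corr.alerts


# Constructed sample events (not real logs), in arrival order.
SAMPLE_EVENTS = [
    {"EventID": 4725, "Computer": "DC01", "SubjectUserName": "admin1", "TargetUserName": "jsmith"},
    {"EventID": 4625, "Computer": "WS17", "TargetUserName": "jsmith"},        # alert
    {"EventID": 4624, "Computer": "WS17", "TargetUserName": "bob"},           # never watched
    {"EventID": 4722, "Computer": "DC01", "SubjectUserName": "admin1", "TargetUserName": "jsmith"},
    {"EventID": 4624, "Computer": "WS17", "TargetUserName": "jsmith"},        # re-enabled, no alert
    {"EventID": 4726, "Computer": "DC01", "SubjectUserName": "admin1", "TargetUserName": "contractor"},
    {"EventID": 4624, "Computer": "SRV02", "TargetUserName": "CONTRACTOR"},   # alert, case-insensitive
]

if __name__ == "__main__":
    for user, eid, host in run(SAMPLE_EVENTS):
        print(f"ALERT: watched account {user} seen in event {eid} on {host}")
```

Two caveats a practitioner would add: key the watchlist on domain plus username rather than the bare name, or two domains with a `jsmith` will cross-contaminate each other's entries; and treat a successful logon (4624) by a watched account as the more interesting hit, because the domain controller should reject a disabled domain account outright, so a success usually means cached credentials, a local account with the same name, or an enable event that never reached the SIEM.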
haroot
Level 9

Re: Rule for monitoring Disabled/Deleted Users for Suspicious Activity

Hi Arthur,

I was able to configure the rule.

haroot

0 Kudos
acommons
Level 10

Re: Rule for monitoring Disabled/Deleted Users for Suspicious Activity

Hi Haroot,

Can you share your solution? I have the same problem - for the same kind of use case - and I'm banging my head at present. This should be easy!

cheers,

Andrew

0 Kudos
mhooper1
Level 8

Re: Rule for monitoring Disabled/Deleted Users for Suspicious Activity

Hi,

Maybe another way to do this is with data enrichment. If you are looking for events post-disabling, you could do a lookup on AD for the source user, then add the disabled attribute as a data enrichment value for each event as it is added. From memory this is the 'userAccountControl' attribute in AD. You could then easily create reports, rules, etc. based on this field.

You could also build dynamic watchlists based on this event, which would be useful for activity that may have occurred before the disabling, as opposed to the above, where it would all be post-disabling.

I have not tested this myself, but this would seem like an approach that would work.

regards

Mason

0 Kudos
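Mason's enrichment approach hinges on reading the `userAccountControl` bitmask for the account in the event's Source User field. The following is an added example, not code from the original thread or from any vendor: the flag bit values are the ones Microsoft documents for `userAccountControl`, but the in-memory `DIRECTORY` table is a constructed stand-in for the AD lookup, and the `src_user` event field name is an assumption carried over from the thread. It decodes the mask, tags each event with whether the account is disabled, and also flags accounts AD no longer knows, which is how a deleted account shows up to a lookup.

```python
"""Added example, not code from the original thread or any vendor: the
data-enrichment approach Mason sketches, with a constructed in-memory
stand-in for the AD lookup.  Flag bit values come from Microsoft's
userAccountControl documentation; the event field names are assumptions
modelled on the thread."""

# userAccountControl flag bits (Microsoft-documented), a subset.
UAC_ACCOUNTDISABLE = 0x0002
UAC_LOCKOUT = 0x0010
UAC_PASSWD_NOTREQD = 0x0020
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000

UAC_FLAGS = {
    "ACCOUNTDISABLE": UAC_ACCOUNTDISABLE,
    "LOCKOUT": UAC_LOCKOUT,
    "PASSWD_NOTREQD": UAC_PASSWD_NOTREQD,
    "NORMAL_ACCOUNT": UAC_NORMAL_ACCOUNT,
    "DONT_EXPIRE_PASSWORD": UAC_DONT_EXPIRE_PASSWORD,
}

# Constructed stand-in for the directory: sAMAccountName -> userAccountControl.
# In production this is an LDAP query (or Get-ADUser -Properties userAccountControl).
DIRECTORY = {
    "jsmith": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE,          # 0x202, disabled
    "bob": UAC_NORMAL_ACCOUNT,                                   # 0x200, normal
    "svc_backup": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD, # 0x10200
}


def decode_uac(value: int) -> list:
    """Return the names of the known flag bits set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def lookup_uac(sam_account_name: str, directory: dict = DIRECTORY):
    """Stand-in for the AD lookup; None means the account does not exist."""
    return directory.get(sam_account_name.lower())


def enrich(event: dict, directory: dict = DIRECTORY) -> dict:
    """Attach AD state to a normalised event whose account sits in src_user."""
    uac = lookup_uac(event["src_user"], directory)
    enriched = dict(event)
    enriched["ad_found"] = uac is not None
    enriched["ad_uac"] = uac
    enriched["ad_flags"] = decode_uac(uac) if uac is not None else []
    enriched["ad_disabled"] = uac is not None and bool(uac & UAC_ACCOUNTDISABLE)
    return enriched


def should_alert(enriched: dict) -> bool:
    """Rule over the enriched field: disabled account, or one AD no longer has
    (a deleted account looks like an unknown name to the lookup)."""
    return enriched["ad_disabled"] or not enriched["ad_found"]


# Constructed sample authentication events (already normalised, not real logs).
SAMPLE_AUTH_EVENTS = [
    {"event_id": 4625, "host": "WS17", "src_user": "JSmith"},      # disabled -> alert
    {"event_id": 4624, "host": "WS17", "src_user": "bob"},         # fine
    {"event_id": 4624, "host": "SRV02", "src_user": "svc_backup"}, # fine
    {"event_id": 4625, "host": "WS03", "src_user": "contractor"},  # unknown -> alert
]

if __name__ == "__main__":
    for ev in SAMPLE_AUTH_EVENTS:
        e = enrich(ev)
        print(ev["src_user"], e["ad_flags"], "ALERT" if should_alert(e) else "ok")
```

Because the lookup returns the account's state at enrichment time, this only tells you about authentication that happened after the disable, which is the limitation Mason points out. The `not ad_found` branch also fires for local and non-domain accounts, so scope the rule to domain logons (or to names that previously existed in the directory) before relying on it for deleted-account detection.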
mrenfrow
Level 7

Re: Rule for monitoring Disabled/Deleted Users for Suspicious Activity

I would love to see how this was accomplished. I'm currently trying to set up something like this and am a relative noob when it comes to the SIEM.