
Set correlation alert - on sequence


Trying to create an alert which will trigger when the following happens in sequence, for Active Directory events:

  1. User account ABC was given administrative privileges
  2. User account ABC changed configuration/policy
  3. Administrative privileges of ABC removed

This kind of alert is useful to detect internal threats. Has anyone tried similar logic in Nitro? I am trying to do this with a set condition with sequence, but till now no positive results.

Any inputs will be appreciated.

Regards,

Abhishek B


Accepted Solutions
rgarrett
Level 9

Re: Set correlation alert - on sequence


If you have access to the content packs, there is a domain policy view and correlation rules.

You can modify the correlation rule to include a sequence, looking for first "user added to security-enabled group", followed by "user removed from security-enabled group".

[attached image: sequence.png]

If you do not have access, or have an earlier version of SIEM, you can use these signatures in a similar way.

These signatures show members added to security groups (Windows 2008):

4756 member added to security enabled universal group 43-263047560

4732 member added to security enabled local group 43-263047320

4728 member added to security enabled global group 43-263047280

Then you can get the signatures for removal from a group:

43-263047290

43-211006330

43-211006610

43-263047570

and create the same sequence.

Note that the correlation rule references the object - Domain Policy - Security Groups, which is a watchlist. You may need to add to that list. 

As for the second part - user account changed policy:

To my understanding, the Windows Event ID that shows this only shows the computer, not the user.

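The add-then-remove sequence the accepted answer describes, written out as an added Python example that is not part of this thread and not McAfee ESM/Nitro code: it correlates constructed Windows security events by (member, group), honours a watchlist standing in for the Domain Policy - Security Groups list, and shows why the policy-change event cannot be tied to the user. The removal event IDs 4729/4733/4757 are the standard Windows counterparts of the add IDs on the page and are not listed in the thread.

```python
"""Add-then-remove sequence correlation from the thread. Added example, not
McAfee ESM/Nitro code. Event IDs 4728/4732/4756 (member added) are from the
answer; 4729/4733/4757 (member removed) are the standard Windows counterparts,
not listed in the thread. All events below are constructed samples."""
from datetime import datetime, timedelta

ADD_IDS = {4728, 4732, 4756}     # added to security-enabled global/local/universal group
REMOVE_IDS = {4729, 4733, 4757}  # removed from security-enabled global/local/universal group
# Stands in for the "Domain Policy - Security Groups" watchlist the answer mentions.
WATCHLIST = {"Domain Admins", "Administrators"}

def correlate(events, window=timedelta(hours=2), watchlist=WATCHLIST):
    """Return (member, group, added_at, removed_at) for every add followed by a
    removal of the same member from the same watchlisted group within `window`."""
    pending = {}  # (member, group) -> time of the latest unmatched add
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("group") not in watchlist:  # also skips events without a group field
            continue
        key = (ev["member"].lower(), ev["group"])
        if ev["event_id"] in ADD_IDS:
            pending[key] = ev["time"]
        elif ev["event_id"] in REMOVE_IDS and key in pending:
            added_at = pending.pop(key)
            if ev["time"] - added_at <= window:
                alerts.append((key[0], key[1], added_at, ev["time"]))
    return alerts

def _t(s):
    return datetime.fromisoformat(s)

# Constructed sample events (not from the thread).
SAMPLE_EVENTS = [
    {"time": _t("2024-05-01T09:00:00"), "event_id": 4728, "actor": "CORP\\helpdesk1", "member": "CORP\\abc", "group": "Domain Admins"},
    # 4719 (audit policy changed) names the machine account as subject, not the user,
    # as the answer notes, so it cannot be tied to abc and is left out of the sequence.
    {"time": _t("2024-05-01T09:07:00"), "event_id": 4719, "actor": "CORP\\DC01$"},
    {"time": _t("2024-05-01T09:20:00"), "event_id": 4729, "actor": "CORP\\helpdesk1", "member": "CORP\\abc", "group": "Domain Admins"},
    {"time": _t("2024-05-01T10:00:00"), "event_id": 4756, "actor": "CORP\\admin2", "member": "CORP\\xyz", "group": "Domain Admins"},
    {"time": _t("2024-05-01T13:00:00"), "event_id": 4757, "actor": "CORP\\admin2", "member": "CORP\\xyz", "group": "Domain Admins"},  # 3 h later: outside window
    {"time": _t("2024-05-01T11:00:00"), "event_id": 4732, "actor": "CORP\\admin2", "member": "CORP\\abc", "group": "Backup Operators"},  # not watchlisted
    {"time": _t("2024-05-01T11:05:00"), "event_id": 4733, "actor": "CORP\\admin2", "member": "CORP\\abc", "group": "Backup Operators"},
]

if __name__ == "__main__":
    for member, group, added, removed in correlate(SAMPLE_EVENTS):
        print(f"ALERT {member} in {group}: added {added:%H:%M}, removed {removed:%H:%M}")
```

Widening the window or extending the watchlist changes which pairs fire, which is the same tuning the answer points at when it says you may need to add groups to the watchlist.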

