6 Replies Latest reply on Feb 15, 2017 2:22 PM by mrenfrow

    Rule for monitoring Disabled/Deleted Users for Suspicious Activity

      Hi,

      I'm working on a rule where I have to monitor disabled or deleted domain accounts for activity such as authentication. To build this correlation rule, I am planning to follow these steps:

      1: Create a correlation rule to match the signature ID for Account Deleted and Account Disabled.

      2: Use the Dynamic Watchlist option (namely "Disabled Users") to add the Dest User from the above signatures into the Dynamic Watchlist.

      3: Create another rule to look for authentication activity where the Source User is in "Disabled Users".

      Now the problem that I am facing is with the Dynamic Watchlist, as I am unable to define the dynamic watchlist for "Disabled Users".

      Is there any other way to achieve the same?

      Haroot
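The three-step logic described in the post (populate a watchlist from account-disabled/deleted events, then match authentication events whose source user is on it), written out as a small stateful correlator over constructed sample events. This is an added example, not code from the original post or from any SIEM product. It assumes the "signature IDs" are the Windows Security event IDs 4725 (account disabled), 4726 (account deleted), 4722 (account enabled), 4624 (logon success) and 4625 (logon failure); the normalized field names (`event_id`, `dest_user`, `source_user`, `host`, `time`) follow the post's Dest User / Source User wording and are assumptions. It goes one step beyond the post by also removing an account from the watchlist when it is re-enabled, so a legitimately restored account does not keep alerting.

```python
"""Stateful correlation: flag authentication activity by accounts that were
previously disabled or deleted.

Constructed sample events stand in for SIEM-normalized Windows Security log
records. Field names (event_id, dest_user, source_user, host, time) and the
mapping of "signature ID" to Windows event IDs are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows Security event IDs assumed to be the "signature IDs" the rules match on.
ACCOUNT_DISABLED = 4725
ACCOUNT_DELETED = 4726
ACCOUNT_ENABLED = 4722      # re-enable: remove the account from the watchlist
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
WATCHED_TRIGGERS = {ACCOUNT_DISABLED: "disabled", ACCOUNT_DELETED: "deleted"}
AUTH_EVENTS = {LOGON_SUCCESS, LOGON_FAILURE}


@dataclass
class Alert:
    time: str
    user: str
    reason: str             # why the account was on the watchlist
    event_id: int
    host: str


def norm(user: str) -> str:
    """Windows account names are case-insensitive; strip an optional DOMAIN\\ prefix."""
    return user.rsplit("\\", 1)[-1].strip().lower()


class DisabledUserWatch:
    """Rules 1+2 populate a dynamic watchlist; rule 3 matches auth events against it."""

    def __init__(self) -> None:
        self.watchlist: Dict[str, str] = {}     # normalized user -> "disabled" | "deleted"
        self.alerts: List[Alert] = []

    def process(self, ev: dict) -> Optional[Alert]:
        eid = ev["event_id"]
        if eid in WATCHED_TRIGGERS:
            # Rules 1/2: account disabled or deleted -> add the *destination* (target) user.
            self.watchlist[norm(ev["dest_user"])] = WATCHED_TRIGGERS[eid]
            return None
        if eid == ACCOUNT_ENABLED:
            # A re-enabled account is no longer suspicious; drop it so it cannot alert.
            self.watchlist.pop(norm(ev["dest_user"]), None)
            return None
        if eid in AUTH_EVENTS:
            # Rule 3: authentication where the *source* user is on the watchlist.
            user = norm(ev["source_user"])
            if user in self.watchlist:
                alert = Alert(ev["time"], user, self.watchlist[user], eid, ev["host"])
                self.alerts.append(alert)
                return alert
        return None

    def run(self, events: List[dict]) -> List[Alert]:
        # Process in time order so watchlist membership is correct at each auth event.
        for ev in sorted(events, key=lambda e: e["time"]):
            self.process(ev)
        return self.alerts


# Constructed sample events (not real log data), already normalized as a SIEM would.
SAMPLE_EVENTS = [
    {"time": "2017-02-10T08:00:00", "event_id": 4725, "dest_user": "CORP\\jdoe", "source_user": "CORP\\admin1", "host": "DC01"},
    {"time": "2017-02-10T08:05:00", "event_id": 4726, "dest_user": "CORP\\contractor7", "source_user": "CORP\\admin1", "host": "DC01"},
    {"time": "2017-02-10T09:00:00", "event_id": 4624, "dest_user": "", "source_user": "CORP\\asmith", "host": "WS22"},       # benign logon
    {"time": "2017-02-10T09:30:00", "event_id": 4625, "dest_user": "", "source_user": "CORP\\JDoe", "host": "WS17"},         # disabled account attempts logon
    {"time": "2017-02-10T10:00:00", "event_id": 4722, "dest_user": "CORP\\jdoe", "source_user": "CORP\\admin1", "host": "DC01"},  # jdoe re-enabled
    {"time": "2017-02-10T10:30:00", "event_id": 4624, "dest_user": "", "source_user": "CORP\\jdoe", "host": "WS17"},         # now legitimate, no alert
    {"time": "2017-02-10T11:00:00", "event_id": 4624, "dest_user": "", "source_user": "CORP\\contractor7", "host": "SRV03"},  # deleted account logs on
]


def demo() -> List[Alert]:
    return DisabledUserWatch().run(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in demo():
        print(f"{a.time} {a.host}: event {a.event_id} by {a.user} (account was {a.reason})")
```

Two points worth carrying into a real rule: normalize the user field (case and domain prefix) on both the insert and the lookup side, otherwise "CORP\JDoe" and "jdoe" never match; and decide explicitly how an account leaves the watchlist, because a disabled account that is later re-enabled by the help desk should stop alerting. Note also that a genuinely disabled account can normally only produce logon failures, so matching 4625 as well as 4624 is what makes the rule useful for the "disabled" case.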