6 Replies Latest reply on Feb 15, 2017 2:22 PM by mrenfrow

    Rule for monitoring Disabled/Deleted  Users for Suspicious Activity



      I m working on a rule where I have to monitor disabled or deleted domain accounts for activity such as Authentication . To build this corellation rule,I am planning to following steps:


      1: Create a Corellation rule to match the signatureid for Account Deleted and Disabled.

      2: Use the Dynamic Watchlist option (namely Disabled Users) to add the Dest User from the above signatures into the Dynamic Watchlist.

      3: Create another rule to look for authentication activity where the Source user is in  "Disabled Users".


      Now the problem that I am facing is with the Dynamic Watchlist as I am unable to define the dynamic watchlist for "Disabled Users".


      Is there any other way to achive the same ?