4 Replies Latest reply on Dec 5, 2013 7:52 AM by docdriza

    Reporting/Alerting on an Event ID

    docdriza

      I am trying to create an alarm that will trigger when a user is added to the Domain or Enterprise Administrators group. After some research I found what the event ID's are, but I am not sure how to get the SIEM to alert on them. Can anyone help?

        • 1. Re: Reporting/Alerting on an Event ID
          rth67

          There are several steps to doing this, ours is setup to monitor for the 2 you listed plus several others (Schema and DNS Admins as well as "Administrators")

          You will need to build several Watchlists, 1 or 2 Correlation Rules, an Alarm, and possibly an Alarm Template

           

          Watchlists needed:

          Privileged AD Groups - Type "Object"

          Administrators

          DnsAdmins

          Domain Admins

          Enterprise Admins

          Schema Admins

          administrators

          dnsadmins

          domain admins

          enterprise admins

          schema admins

           

          Domain_Controller_Source_User - Type "Source User"

          List of your Domain Controllers with $ after the server name (generally in all CAPS)

           

          Next build your Correlation Rule(s): (We use 2)

          Rule Name - User added to privileged group

          Signature ID's (In) 43-263047280,43-263047320,43-263047560

          Object (In) "Privileged AD Groups" (Watchlist)

          Event Subtype (In) success

          Source User (Not In) Domain_Controller_Source_User (Watchlist)

           

          Rule Name - User removed from privileged group

          Signature ID's (In) 43-263047290,43-263047330,43-263047570

          Object (In) "Privileged AD Groups" (Watchlist)

          Event Subtype (In) success

          Source User (Not In) Domain_Controller_Source_User (Watchlist)

           

          Next create your Alarm (and Alarm Template)

          Name your Alarm

          Condition = Field Match

          Field = Signature ID (List your Correlation Rule Signature ID's - each Correlation Rule gets it's own Signature ID)

          Max Trigger Frequency - 1 minute

          Send Message - who you want to email

          Message (Configure) - custom Alarm Template to show the details you want

           

          Alarm Template

          (Custom Name)

          Subject: Alert - [$Rule Message]

          (Message Body)

          [$REPEAT_START]

          [$Rule Message]

          Time : [$First Time]

          Admin: [$%UserIDSrc]

          User : [$%UserIDDst]

          AD Group : [$%ObjectID]

          Domain: [$%DomainID]

          Signature ID: [$Signature ID]

          [$REPEAT_END]

           

          This will show me Was a user added or removed (based on which Correlation Rule fired), Who changed the group, and who was added or removed, from which domain, and at what time.

           

          Message was edited by: rth67 on 12/4/13 11:18:56 AM CST
          1 of 1 people found this helpful
          • 2. Re: Reporting/Alerting on an Event ID
            docdriza

            How would you create a reports for this. My Manager would like to get an idea of how many users were created and removed from AD. What you have suggested for alarms will help with what he wants. I would like to olny alert on users being added to the Domain/Enterprise Admins, Which seams easy from what you have shown me here. I really appreciate the time you put in this example. Also, I would like to know where you find out what all the Signature ID's to alert on are.

             

            Thanks

            Doc

             

            Message was edited by: docdriza on 12/4/13 2:44:59 PM CST
            • 3. Re: Reporting/Alerting on an Event ID
              rth67

              When you say which Signature ID's to Alert On, that is a wide topic... If you are talking about the information I provided above, each Correlation Rule gets a unique '47-xxxxx' Signature ID (from an ACE).

               

              If you are referring generally to any and all Data Sources, that is a whole other discussion. Luckily, some of my co-workers created a spreadsheet for all of the Windows Access, Application, and Authentication Events prior to me coming to work here. This spreadsheet was used to analyze the Windows events and modify the aggregation settings and also to determine which events we wanted to disable aggregation on for better visibility. By default, many Signatures are aggregated by Source IP and Destination IP which gives no value in some cases.

               

              For example:
              Signature ID: 43-263047280
              Rule Name: A member was added to a security-enabled global group
              Aggregation Setting Exception: Signature ID, Destination User, Object

               

              Determining which Signature ID's to alert on is up to each company, what they feel is important. It will take some review for each data source type, there are some "Best Practices" that might be found on the McAfee site, or from VAR's if you engage their Professional Services.

              • 4. Re: Reporting/Alerting on an Event ID
                docdriza

                Thanks for that. How would I create a report based on the example you gave me in your first post?