We created several correlation rules to look for different things: user added to a privileged group, removed from a privileged group, etc.
These are then associated to an alarm; the "Rule Message" tells us whether it was an Add or a Remove operation.
The body of the custom Alarm Template consists of the following:
Time : [$First Time]
User : [$%UserIDDst]
AD Group : [$%ObjectID]
Signature ID: [$Signature ID]
Does your alarm give you the actual User information in the email?
I have that User : [$%UserIDDst] in the template and that field is always blank.
In your correlation rule do you have something that looks at just users?
Yes the alarm email we receive has both the user who made the change, and the user being changed.
The ACE Correlation Rules which trigger the alarm look like this:
User Added to Privileged Group
Group By: Destination User
Signature ID (In) [43-263047280,43-263047320,43-263047560]
ObjectID (In) [Privileged AD Groups] (This is a Watchlist - "object" that includes the Administrators, DnsAdmins, Domain Admins, Enterprise Admins, Schema Admins)
Event Subtype (In) [success]
UserIDSrc (Not In) [DOMAIN_CONTROLLERS_SOURCE_USER] (This is a watchlist of our DCs' names with the $ on the end as the source user, to avoid replicated events)
The second correlation rule for "User Removed from Privileged Group" is basically the same; the only exception is the Signature IDs being monitored:
Signature ID (In) [43-2630477290,43-263047330,43-263047570]
We are currently running version 9.3.1
This is great info! I love when people will share alarm email templates and correlation rules.
One question for rth67, in your email template, what is the purpose of [$REPEAT_START] and [$REPEAT_END] ? Does this essentially say add all details between start and stop for each event that triggers (if more than one event)?
The "Repeat Start" and "Repeat End" are to allow for multiple results in one email.
Let's say your alarm is set to only email once an hour but multiple events happen in that hour; the repeat function allows the details from all events to be placed into the body of the email.
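The two correlation rules posted above and the repeat behaviour described in this last reply, re-expressed as a runnable example. This is added illustration code, not the ESM rule engine and not rth67's configuration: it applies the same conditions (signature ID in the Add or Remove set, ObjectID in the privileged-groups watchlist, subtype success, UserIDSrc not a DC account, grouped by destination user) to a handful of constructed events, then renders the alarm body once per event the way the text between [$REPEAT_START] and [$REPEAT_END] is repeated when one email carries several events. The event field names, the DC computer-account names and the "Changed By" line are my assumptions; the signature IDs are copied exactly as posted.

```python
"""Added example: ESM-style privileged-group correlation plus repeated alarm body.
Not McAfee ESM code. Field names, DC names and sample events are assumptions."""
from collections import defaultdict

# Watchlists as described in the thread. The DC names are made up; the trailing
# "$" is how the DC computer accounts appear as the source user.
PRIVILEGED_AD_GROUPS = {"Administrators", "DnsAdmins", "Domain Admins",
                        "Enterprise Admins", "Schema Admins"}
DOMAIN_CONTROLLERS_SOURCE_USER = {"DC01$", "DC02$"}

# Signature IDs exactly as posted. The first "removed" ID is copied verbatim and
# has one digit more than its siblings; verify it against your own ESM.
ADD_SIGNATURES = {"43-263047280", "43-263047320", "43-263047560"}
REMOVE_SIGNATURES = {"43-2630477290", "43-263047330", "43-263047570"}


def classify(event):
    """Return "Add", "Remove" or None for one normalised event.

    Mirrors the rule conditions: Event Subtype (In) [success], ObjectID (In)
    watchlist, UserIDSrc (Not In) DC watchlist, Signature ID (In) one of the sets.
    """
    if event["event_subtype"] != "success":
        return None
    if event["object_id"] not in PRIVILEGED_AD_GROUPS:
        return None
    if event["user_id_src"] in DOMAIN_CONTROLLERS_SOURCE_USER:
        return None  # replicated copy logged by a DC, not the original change
    if event["signature_id"] in ADD_SIGNATURES:
        return "Add"
    if event["signature_id"] in REMOVE_SIGNATURES:
        return "Remove"
    return None


def correlate(events):
    """Group matching events by (operation, destination user), which is what the
    rules' "Group By: Destination User" does. Returns {(op, dst_user): [events]}."""
    hits = defaultdict(list)
    for ev in events:
        op = classify(ev)
        if op:
            hits[(op, ev["user_id_dst"])].append(ev)
    return dict(hits)


def render_alarm(rule_message, events):
    """Render the alarm body. The block inside the repeat markers is emitted once
    per event, as [$REPEAT_START]/[$REPEAT_END] do when one throttled email
    carries every event from the window."""
    lines = [f"Rule Message: {rule_message}", ""]
    for ev in events:  # [$REPEAT_START]
        lines.append(f"Time : {ev['first_time']}")
        lines.append(f"User : {ev['user_id_dst']}")
        lines.append(f"Changed By : {ev['user_id_src']}")  # assumed extra field, not in the posted template
        lines.append(f"AD Group : {ev['object_id']}")
        lines.append(f"Signature ID: {ev['signature_id']}")
        lines.append("")
    # [$REPEAT_END]
    return "\n".join(lines)


def _ev(first_time, sig, group, subtype, src, dst):
    return {"first_time": first_time, "signature_id": sig, "object_id": group,
            "event_subtype": subtype, "user_id_src": src, "user_id_dst": dst}


# Constructed events for the example, not real log data.
SAMPLE_EVENTS = [
    _ev("2014-03-01 09:00:00", "43-263047280", "Domain Admins", "success", "jdoe", "bob"),
    _ev("2014-03-01 09:00:01", "43-263047280", "Domain Admins", "success", "DC01$", "bob"),  # replicated copy
    _ev("2014-03-01 09:05:00", "43-263047560", "Enterprise Admins", "success", "helpdesk1", "bob"),
    _ev("2014-03-01 09:10:00", "43-263047330", "Domain Admins", "success", "jdoe", "alice"),
    _ev("2014-03-01 09:11:00", "43-263047280", "Sales", "success", "jdoe", "carol"),  # not a privileged group
    _ev("2014-03-01 09:12:00", "43-263047280", "Schema Admins", "failure", "mallory", "dave"),  # failed attempt
]


def run_rules(events=SAMPLE_EVENTS):
    """Return one rendered alarm body per (operation, destination user) group."""
    alarms = {}
    for (op, user), evs in correlate(events).items():
        msg = "User Added to Privileged Group" if op == "Add" else "User Removed from Privileged Group"
        alarms[(op, user)] = render_alarm(msg, evs)
    return alarms


if __name__ == "__main__":
    for body in run_rules().values():
        print(body)
        print("-" * 40)
```

Running it produces two alarm bodies: one "Added" alarm for bob containing two repeated detail blocks (Domain Admins and Enterprise Admins, with the DC01$ replica dropped), and one "Removed" alarm for alice; the Sales change and the failed Schema Admins attempt produce nothing, matching the rule conditions in the thread.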