3 Replies Latest reply on Jan 23, 2017 9:23 AM by zakhter

    Asset sources

    curesec

      I am trying to determine a way to acquire an accurate and complete list of members for specific Universal groups in our AD forest.  We have our root level search base specified on our ESM in the Asset Manager > Asset Sources section (for example DC=root,DC=level,DC=com).  According to the documentation the ESM can only have one occurrence of these, while a receiver can have additional AD connectors specified.  This appears to limit what the SIEM can see when monitoring groups and their members.

      [Screenshot: AssetSources.jpg]

      When writing queries to populate a watchlist it will only see the accounts that are part of the root-level domain which excludes a number of other accounts that may reside in subdomains of the root level (for example DC=sub,DC=root,DC=level,DC=com).  I can duplicate the results I see in the SIEM by using ADUC and running the same custom query but specifying only the root-level domain in the "In:" field.  On the other hand, if I switch the "In:" field to "Entire Directory" I get the complete list I am expecting to see.

      [Screenshot: CustomQuery.jpg]

      My question is how are others obtaining a complete list of the user accounts in such groups as the Enterprise Admins?  I'd like to monitor this group for any accounts being added or subtracted as well as alerting on activity of the accounts contained within.  Also, how are people monitoring Domain Admins since it is a "Global" group which the SIEM cannot see?


      TIA

        • 1. Re: Asset sources
          ksudki

          Hello,


          To quickly monitor the actions made by the members of the Domain Admins, you can create a dynamic watchlist with a filter similar to this:


          (&(objectCategory=user)(memberOf=CN=Domain Admins,CN=OU,DC=domain,DC=local))


          I think you might be able to use the Windows Advanced Audit Policy Configuration/Account Management on your domain controllers to monitor what modifications have been made on your groups.


          Also create a Correlation Rule to trigger whenever someone makes a modification to the monitored groups.


          Let me know what you think about this.


          Regards

          • 2. Re: Asset sources
            curesec

            It appears I have solved my own issue.  It was due to an oversight in forgetting to include port 3268 for GC querying.  By specifying <IP of global catalog server>:3268 on the Sources tab for an LDAP query in a watchlist I can now crawl all domains. 


            Hope this helps anyone else that may have been stuck.
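The two pieces the thread arrives at, the memberOf filter from reply 1 and the Global Catalog port 3268 from reply 2, combined in one added example that is not code from the thread or from the SIEM product; it assumes the ldap3 library, placeholder host and credentials, and goes one step beyond the thread by escaping the group DN per RFC 4515, resolving nested membership with Microsoft's LDAP_MATCHING_RULE_IN_CHAIN, and diffing two snapshots so added or removed members stand out.

```python
from typing import Iterable

GC_PORT = 3268   # Global Catalog: one forest-wide read-only view (partial attribute set)
LDAP_PORT = 389  # plain LDAP: scoped to the queried DC's own domain partition
# Microsoft's LDAP_MATCHING_RULE_IN_CHAIN OID: resolves nested group membership server-side
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a DN containing ( ) * \\ or NUL must not alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_members_filter(group_dn: str, nested: bool = False) -> str:
    """Filter for user objects that are direct (or, with nested=True, transitive) members."""
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return f"(&(objectCategory=user)({attr}={escape_filter_value(group_dn)}))"


def fetch_members(host: str, user: str, password: str, forest_base: str,
                  group_dn: str, nested: bool = True) -> list:
    """Search the GC (port 3268) so users from every domain in the forest are returned.
    Caveat: the GC only replicates membership of Universal groups; for a Global group
    such as Domain Admins, query a GC server that lives in that group's own domain."""
    from ldap3 import ALL, SUBTREE, Connection, Server  # imported here so the pure helpers above need no ldap3
    server = Server(host, port=GC_PORT, get_info=ALL)
    with Connection(server, user=user, password=password, auto_bind=True) as conn:
        conn.search(forest_base, group_members_filter(group_dn, nested),
                    search_scope=SUBTREE, attributes=["sAMAccountName"])
        return sorted(str(e.sAMAccountName.value) for e in conn.entries)


def membership_delta(previous: Iterable[str], current: Iterable[str]) -> dict:
    """Compare two snapshots of a monitored group: who was added, who was removed."""
    before, after = set(previous), set(current)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    # Placeholder values only: replace with a real GC server, service account and forest root.
    members = fetch_members("gc.root.level.com", "ROOT\\svc-siem", "<password>",
                            "DC=root,DC=level,DC=com",
                            "CN=Enterprise Admins,CN=Users,DC=root,DC=level,DC=com")
    print(membership_delta(["previous-member"], members))
```

Feeding the same filter to the ESM watchlist with the GC host as `<IP>:3268` on the Sources tab reproduces the query the thread settles on.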

            • 3. Re: Asset sources
              zakhter

              Hi,

              I am running the same query but not accomplishing the task. The server IP is configured in the Watchlist.  Where did you place the global catalog server and port?


              Regards,