Here's how I'd try to do it.
- Create your Watchlist, specifying the Dynamic option. Leave the other options on the Main tab at their default settings. Collect your user names via LDAP, as you'd been doing.
- Once your Usernames watchlist is populated, change it from Dynamic to Static.
- Create an Alarm.
- Set the Condition to Field Match, and add Signature ID as a Filter Field. Add the value for the signature ID corresponding to Windows Security Event 4728: A member was added to a security-enabled global group.
- Using the AND logical operator, add Object* as a Filter Field, specifying either a single security-enabled group name or, using a Watchlist, several security groups you'd like to monitor for new usernames. *(Object happens to be the field into which security group names get parsed from Windows Event Logs in my ESM. This might not be the case for you.)
- Under the Actions tab, select Update Watchlist as the only action. Select Append as the Action, Destination User as Field, and your Usernames watchlist.
Hope this helps. I think it'll work, but feel free to tell me if I'm way off-base here.
That was a really good suggestion, I must say.
It won't work though in my scenario (I didn't mention this, so you had no clue about it, sorry about that), but this is the whole scenario:
LDAP query collecting the Name value (CN) for all users starting, for instance, with "123".
I will use this list to monitor when these users are getting added to a group, for instance, Windows Security Event 4728: A member was added to a security-enabled global group.
The problem with this event is that the Destination User field is populated with the CN value. This makes it impossible to know if the user starts with 123 or anything else. Since I only want to monitor the users starting with 123, I need to run the LDAP query to collect the CN value for correlation between the AD event and the Watchlist.
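The alarm from the first reply (Signature ID 4728 AND Object in a group watchlist, action: append Destination User to a usernames watchlist) and the follow-up scenario (correlating 4728 events against a static watchlist of LDAP CNs starting with "123"), modelled as an added stand-alone Python example. This is not McAfee ESM's own code or API; the event field names and all sample values are constructed.

```python
# Constructed sample of parsed Windows Security events, using the field
# names the thread refers to: Signature ID, Object (group name), Destination User.
EVENTS = [
    {"sig_id": 4728, "object": "Domain Admins",     "dst_user": "123jsmith"},
    {"sig_id": 4728, "object": "Domain Admins",     "dst_user": "jdoe"},
    {"sig_id": 4729, "object": "Domain Admins",     "dst_user": "123rroe"},  # removal, not an add
    {"sig_id": 4728, "object": "Helpdesk",          "dst_user": "123mmoe"},  # group not monitored
    {"sig_id": 4728, "object": "Backup Operators",  "dst_user": "123RROE"},  # CN logged in upper case
]

# Constructed group watchlist (the "Object" filter) and the constructed result of
# the LDAP query for CNs starting with "123" (the static Usernames watchlist).
MONITORED_GROUPS = {"Domain Admins", "Backup Operators"}
LDAP_CNS = ["123jsmith", "123rroe", "123mmoe"]


def alarm_append_users(events, monitored_groups, sig_id=4728):
    """First reply's alarm: Signature ID matches AND Object is in the group
    watchlist; the only action appends Destination User to a usernames watchlist.
    Exact-match, no de-duplication across case, like the behaviour the thread describes."""
    watchlist = []
    for ev in events:
        if ev["sig_id"] == sig_id and ev["object"] in monitored_groups:
            if ev["dst_user"] not in watchlist:
                watchlist.append(ev["dst_user"])
    return watchlist


def correlate_with_ldap_watchlist(events, ldap_cns, sig_id=4728):
    """Follow-up scenario: fire when a 4728 event's Destination User (a CN) is in
    the static LDAP-derived watchlist. Matching is case-folded on both sides, the
    case-insensitive option the later posts ask for, so "123RROE" still matches."""
    wanted = {cn.casefold() for cn in ldap_cns}
    return [ev["dst_user"] for ev in events
            if ev["sig_id"] == sig_id and ev["dst_user"].casefold() in wanted]


if __name__ == "__main__":
    print("appended to usernames watchlist:", alarm_append_users(EVENTS, MONITORED_GROUPS))
    print("4728 adds for monitored CNs:", correlate_with_ldap_watchlist(EVENTS, LDAP_CNS))
```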
Join the club of putting in a PER to have McAfee create a generic "User" field similar to the "IP Address" field (which can be used for either Source or Destination IP).
The more of us that request this enhancement, the more likely they are to add it in a future release.
A generic User field in Watchlists? I will get behind that and create a PER for that, because that is very annoying.
Another thing that needs to be done is that they need to allow an option for Case Insensitive in an ACE Correlation Rule for things like User Names.
This also needs to be applied when creating Alarms based on watchlists. Very annoying.