5 Replies Latest reply on Oct 20, 2015 10:54 AM by rgarrett

    rule/watchlist with log not received condition

    sulikoakhvlediani

      Hello,

I want to write a rule or watchlist, for example:

if a user password change (43-263047230) does not occur in a 30-day time window.

Please write if anybody knows anything.

      Thanks.

        • 1. Re: rule/watchlist with log not received condition
          arindamsur

          Hi,

           

The logic should not be difficult. You can use an AND operator with its components in sequence. The first component is the signature id 43-263047230 and the second component is the same, but with a negation. You should change the time window of the parent AND to 30 days. But as of now (as far as I am aware) the maximum time window supported in a correlation rule is 168 hours, i.e. 7 days. Hence, I am not sure how to specify the time window as 30 days.

           

[screenshot attached: rule.JPG]

          • 2. Re: rule/watchlist with log not received condition
            sulikoakhvlediani

Thanks, yes, the problem is the limited time windows.

            • 3. Re: rule/watchlist with log not received condition
              rgarrett

              You can use the PwdLastSet attribute in Windows AD, but that requires a conversion from Microsoft time to current time. You run into significant memory issues when you set a correlation time parameter to the max, as it must keep that in memory.

               

You could create a watchlist based on the signature, keeping track of the user. I would try setting the expiration on the watchlist to 30 days. If the password expiration is set to 30 days, and the user changes his password, the list should contain all users who regularly change their password within the time frame. A query showing users not in that list should give those who have not changed their password. I can't guarantee that; I haven't tried it.

               

              Better question is: are you looking for accounts that have a password that doesn't expire? That is much easier to do.

              • 4. Re: rule/watchlist with log not received condition
                raouf

Hi rgarrett, can you expand on how you'd go about gathering a list of accounts with passwords that do not expire?

 

Thanks,

                • 5. Re: rule/watchlist with log not received condition
                  rgarrett

                  The query you want to run is: (&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))

                   

&( = you need this because you are looking for users AND specific values

objectCategory=User = we limit the query to only users

 

(userAccountControl:1.2.840.113556.1.4.803:=65536) = return only accounts where the userAccountControl flag 65536 is on.


                  This will give you an AD list of all users with passwords that don't expire.


Create a dynamic watchlist, and use LDAP. Use the IP of the domain controller, and a user that can read the tree.


[screenshot attached: 2015-10-20_0847.png]

                   

Add the LDAP query, test, and save.


[screenshot attached: 2015-10-20_0850.png]
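Added example, not code from the thread or from the ESM product: the test that the LDAP filter in reply 5 performs, plus the pwdLastSet conversion rgarrett mentions in reply 3, applied offline in Python to a constructed set of AD records so it runs without a domain controller. The OID 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible match (the filter matches when attribute AND value equals value), 65536 (0x10000) is the DONT_EXPIRE_PASSWD flag, and pwdLastSet is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC). The record layout, the sample accounts, the reference date, and the choice to treat pwdLastSet=0 ("must change at next logon") as stale are assumptions made for this example. Against a live directory the filter string is passed unchanged to `Get-ADUser -LDAPFilter` or `ldapsearch`.

```python
# Added example, not code from the thread or from the ESM product.
# Applies (&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))
# and a 30-day pwdLastSet age check to constructed AD records, offline.
from datetime import datetime, timedelta, timezone
from typing import Optional

# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: the filter matches
# when (attribute & value) == value. 65536 == 0x10000 == DONT_EXPIRE_PASSWD.
DONT_EXPIRE_PASSWD = 0x10000

# pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def bit_and_matches(attribute_value: int, mask: int) -> bool:
    """Semantics of the :1.2.840.113556.1.4.803: extensible match."""
    return (attribute_value & mask) == mask


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a FILETIME to a UTC datetime. 0 means 'must change at next logon'."""
    if filetime <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the constructed sample."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def password_never_expires(user: dict) -> bool:
    """Python equivalent of the LDAP filter from the reply above."""
    return (user["objectCategory"] == "User"
            and bit_and_matches(user["userAccountControl"], DONT_EXPIRE_PASSWD))


def report(users, now: datetime, max_age_days: int = 30) -> dict:
    """Split users into 'never_expires' (the LDAP filter) and 'stale' (expiring
    password not changed within max_age_days, the original question)."""
    never_expires = [u["sAMAccountName"] for u in users if password_never_expires(u)]
    stale = []
    for u in users:
        if u["objectCategory"] != "User" or password_never_expires(u):
            continue
        changed = filetime_to_datetime(u["pwdLastSet"])
        # Assumption for this example: pwdLastSet == 0 is reported as stale too.
        if changed is None or now - changed > timedelta(days=max_age_days):
            stale.append(u["sAMAccountName"])
    return {"never_expires": never_expires, "stale": stale}


# Constructed sample (reference date is the thread date; accounts are made up).
NOW = datetime(2015, 10, 20, tzinfo=timezone.utc)
NORMAL_ACCOUNT = 0x0200             # userAccountControl of an ordinary user
WORKSTATION_TRUST_ACCOUNT = 0x1000  # userAccountControl of a computer object
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "objectCategory": "User",
     "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))},
    {"sAMAccountName": "bob", "objectCategory": "User",
     "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=45))},
    {"sAMAccountName": "carol", "objectCategory": "User",
     "userAccountControl": NORMAL_ACCOUNT, "pwdLastSet": 0},
    {"sAMAccountName": "svc_backup", "objectCategory": "User",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    # Excluded by objectCategory=User even though its password is old.
    {"sAMAccountName": "ws01$", "objectCategory": "Computer",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=60))},
]

if __name__ == "__main__":
    print(report(SAMPLE_USERS, NOW))
```

The two lists are complementary: an account with DONT_EXPIRE_PASSWD set never shows up as stale, which is why rgarrett's "better question" is the cheaper one to answer from a single LDAP query, while the 30-day question needs the pwdLastSet conversion or a watchlist that tracks the change events.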