1 Reply Latest reply on Jan 5, 2016 12:26 PM by rgarrett

    Set correlation alert - on sequence


      Scott Taschler



      Trying to create an alert which will trigger when following happens in sequence; for active directory events.


      1. User account ABC was given administrative privileges
      2. User account ABC changed configuration/policy
      3. Administrative privileges of ABC removed


      Kind of an alert which is useful to detect internal threats. Anyone tried similar logic in Nitro? I am trying to do this with set condition with sequence. But so far, no positive results.


      Any inputs will be appreciated.



      Abhishek B

        • 1. Re: Set correlation alert - on sequence

          If you have access to the content packs, there is a domain policy view and correlation rules.

          You can modify the correlation rule to include a sequence, looking for first user added to security-enabled group, followed by user removed from security-enabled group



          If you do not have access, or have an earlier version of SIEM, you can use these signatures in a similar way.


          These signatures show members added to security groups (Windows 2008):


          4756 member added to security enabled universal group 43-263047560

          4732 member added to security enabled local group 43-263047320

          4728 member added to security enabled global group 43-263047280


          Then you can get the signatures for removal from a group and create the same sequence.


          Note that the correlation rule references the object - Domain Policy - Security Groups, which is a watchlist. You may need to add to that list. 


          As for the second part - User account changed policy-


          To my understanding, the Windows Event ID that shows this only shows the computer, not the user.
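The add / change / remove sequence discussed in this thread, written out as a small stand-alone correlator so the logic can be checked against sample events before building it as a Nitro rule. This is an added example, not code from the original post or from the SIEM vendor. It uses the three "member added" event IDs listed above plus their standard Windows removal counterparts (4729, 4733, 4757); the "policy changed" step is an assumption (4719, audit policy change) that you would swap for whatever source you actually collect, and the log lines and their key=value layout are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# "Member added to security-enabled group" IDs from the reply above,
# and the matching "member removed" IDs (Windows 2008 and later).
GROUP_ADD_IDS = {4728, 4732, 4756}
GROUP_REMOVE_IDS = {4729, 4733, 4757}
# Assumed "account changed configuration/policy" events for step 2 of the
# sequence. 4719 (audit policy changed) is only a placeholder; adjust as needed.
POLICY_CHANGE_IDS = {4719}


@dataclass
class Event:
    ts: datetime
    event_id: int
    account: str   # account added/removed, or subject of the policy change
    host: str


@dataclass
class Alert:
    account: str
    stages: List[Event]
    kind: str      # "add-change-remove" or "add-remove"


@dataclass
class SequenceCorrelator:
    """Per-account state machine: ADD -> (CHANGE) -> REMOVE inside a time window."""
    window: timedelta = timedelta(hours=1)
    require_change: bool = True        # False = alert on plain add-then-remove too
    _chains: Dict[str, List[Event]] = field(default_factory=dict)

    def feed(self, ev: Event) -> Optional[Alert]:
        chain = self._chains.get(ev.account)
        # Drop a partial chain whose first event is older than the window.
        if chain and ev.ts - chain[0].ts > self.window:
            del self._chains[ev.account]
            chain = None

        if ev.event_id in GROUP_ADD_IDS:
            self._chains[ev.account] = [ev]      # a new grant starts a fresh chain
            return None

        if ev.event_id in POLICY_CHANGE_IDS:
            if chain and len(chain) == 1:        # only count the first change
                chain.append(ev)
            return None

        if ev.event_id in GROUP_REMOVE_IDS and chain:
            del self._chains[ev.account]
            saw_change = len(chain) == 2
            if self.require_change and not saw_change:
                return None
            kind = "add-change-remove" if saw_change else "add-remove"
            return Alert(ev.account, chain + [ev], kind)
        return None


def parse_line(line: str) -> Event:
    """Parse one constructed 'ISO-timestamp key=value ...' line."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts_text), int(fields["id"]),
                 fields["account"], fields["host"])


def correlate(lines: List[str], window: timedelta = timedelta(hours=1),
              require_change: bool = True) -> List[Alert]:
    corr = SequenceCorrelator(window=window, require_change=require_change)
    alerts: List[Alert] = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        alert = corr.feed(parse_line(raw))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log: ABC completes the full sequence, DEF is added and
# removed with no change in between, XYZ is removed well outside the window.
SAMPLE_LOG = [
    "2016-01-05T10:00:00 host=DC1 id=4728 account=ABC",
    "2016-01-05T10:05:00 host=DC1 id=4719 account=ABC",
    "2016-01-05T10:20:00 host=DC1 id=4729 account=ABC",
    "2016-01-05T10:30:00 host=DC1 id=4732 account=DEF",
    "2016-01-05T10:40:00 host=DC1 id=4733 account=DEF",
    "2016-01-05T11:00:00 host=DC1 id=4756 account=XYZ",
    "2016-01-05T13:30:00 host=DC1 id=4757 account=XYZ",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a.account, a.kind, [e.event_id for e in a.stages])
```

With the default settings only ABC fires (the full three-step chain); setting `require_change=False` mirrors the two-step rule suggested in the reply (add followed by remove) and also flags DEF, while XYZ stays quiet because its removal falls outside the one-hour window. Note the caveat from the reply: if the policy-change event only records the computer account, step 2 cannot be keyed on the user and the two-step form is the one you can actually build.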