1 Reply Latest reply on Jan 5, 2016 12:26 PM by rgarrett

    Set correlation alert - on sequence

    abhattacharjee


      Trying to create an alert which will trigger when the following happens in sequence, for Active Directory events.

       

      1. User account ABC was given administrative privileges
      2. User account ABC changed configuration/policy
      3. Administrative privileges of ABC removed

       

      The kind of alert which is useful to detect internal threats. Has anyone tried similar logic in Nitro? I am trying to do this with a set condition with sequence, but so far no positive results.

       

      Any inputs will be appreciated.

       

      Regards,

      Abhishek B

        • 1. Re: Set correlation alert - on sequence
          rgarrett

          If you have access to the content packs, there is a Domain Policy view and correlation rules.

          You can modify the correlation rule to include a sequence, looking first for a user added to a security-enabled group, followed by the user removed from a security-enabled group.

           

          [attached image: sequence.png]

          If you do not have access, or have an earlier version of SIEM, you can use these signatures in a similar way.

           

          These signatures show members added to security groups (Windows 2008):

           

          4756 - member added to security-enabled universal group - 43-263047560

          4732 - member added to security-enabled local group - 43-263047320

          4728 - member added to security-enabled global group - 43-263047280

           

          Then you can get the signatures for removal from a group:

           

          43-263047290

          43-211006330

          43-211006610

          43-263047570

          and create the same sequence.

           

          Note that the correlation rule references the object Domain Policy - Security Groups, which is a watchlist. You may need to add to that list.

           

          As for the second part, user account changed policy:

           

          To my understanding, the Windows Event ID that shows this only shows the computer, not the user.
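          As an added example, not part of the original question or reply, the following Python script implements the add-then-remove sequence the reply describes (the same sequence an ESM correlation rule would express) over constructed sample log lines, so you can see what the rule has to track: a first "member added to security-enabled group" event for a given account and group, followed within a time window by the matching "member removed" event, and only for groups on a watchlist. The Windows Security-log event IDs 4728/4732/4756 come from the reply; the removal IDs 4729/4733/4757 (the standard counterparts for global/local/universal groups) are supplied here and are not in the reply, which lists only ESM signature IDs for removals. The pipe-delimited log format, the account names and the watchlist contents are all assumptions made for the example. The middle step of the original question (the policy change) is left out, since the reply notes that event does not carry the user.

```python
# Added example: sequence correlator for "added to security-enabled group,
# then removed" (not code from the thread or from McAfee ESM).
from datetime import datetime

# Windows Security-log event IDs. The add IDs are the ones quoted in the
# reply; the remove IDs are the standard counterparts (assumption: not listed
# in the reply, which gives only ESM signature IDs for removals).
ADD_EVENTS = {4728, 4732, 4756}     # member added to global/local/universal security group
REMOVE_EVENTS = {4729, 4733, 4757}  # member removed from global/local/universal security group

# Stand-in for the "Domain Policy - Security Groups" watchlist (assumed contents).
WATCHED_GROUPS = {"Domain Admins", "Administrators", "Schema Admins"}

# Constructed sample log, not real data. Format (assumed):
# timestamp|event_id|member_account|group|actor_account
SAMPLE_LOG = """\
2016-01-05 09:00:00|4728|ABC|Domain Admins|helpdesk1
2016-01-05 09:10:00|4732|XYZ|Administrators|helpdesk1
2016-01-05 09:45:00|4729|ABC|Domain Admins|helpdesk1
2016-01-05 10:00:00|4728|GHI|Print Operators|helpdesk2
2016-01-05 10:05:00|4729|GHI|Print Operators|helpdesk2
2016-01-06 11:00:00|4733|XYZ|Administrators|helpdesk2
2016-01-06 12:00:00|4756|DEF|Schema Admins|helpdesk1
2016-01-06 13:00:00|4757|JKL|Schema Admins|helpdesk2
"""


def parse_line(raw):
    """Split one pipe-delimited line into a dict with a parsed timestamp."""
    ts, event_id, member, group, actor = raw.split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "event_id": int(event_id),
        "member": member,
        "group": group,
        "actor": actor,
    }


def correlate(lines, window_minutes=120, watched_groups=WATCHED_GROUPS):
    """Return one alert per (member, group) where an add event is followed by
    a remove event within window_minutes. Only watched groups are considered,
    and a removal with no preceding add is ignored (not the pattern)."""
    pending = {}  # (member, group) -> the add event still waiting for a removal
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        if ev["group"] not in watched_groups:
            continue
        key = (ev["member"], ev["group"])
        if ev["event_id"] in ADD_EVENTS:
            pending[key] = ev          # start (or restart) the sequence for this pair
        elif ev["event_id"] in REMOVE_EVENTS:
            add = pending.pop(key, None)
            if add is None:
                continue               # removal without an add: sequence not satisfied
            gap = (ev["ts"] - add["ts"]).total_seconds() / 60
            if gap <= window_minutes:
                alerts.append({
                    "member": ev["member"],
                    "group": ev["group"],
                    "added_at": add["ts"],
                    "removed_at": ev["ts"],
                    "minutes_privileged": gap,
                    "added_by": add["actor"],
                    "removed_by": ev["actor"],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

          With the default two-hour window only ABC fires: XYZ's removal comes a day later, GHI's group is not on the watchlist, DEF is never removed, and JKL is removed without a preceding add. Widening the window to two days catches XYZ as well, which is the trade-off the sequence time-out in the ESM rule controls: a short window catches the tidy "grant, act, revoke" pattern, a long one also flags legitimate temporary memberships.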