I am looking for some help on how we can utilize our McAfee SIEM to report on local account usage on the network.
We were thinking that we can look at successful account logins (Windows Security Event 4624) and compare the Domain and Host fields and, if they match, give us the source user. Unfortunately, using correlation rules is not an option, as we cannot use an "equals" string query with the domain or host field in the ACE. We don't want to rely on static watchlists that say if these 10 local accounts are used, alert the team. We want the rule to be dynamic, so that if someone were to create a net new local admin, use that account to do tasks A, B and C, then delete that local account, it would be caught. Using a static watchlist will not catch events such as a newly created local admin.
Is anyone successfully using the SIEM to monitor local account logins on the network and, if so, any help would be appreciated.
Go for a static watchlist which will contain all the "Domain" field values you are not interested in seeing (e.g. internal domains), so that you're left with only local usage, and then inside your correlation component use Domain not in "Your_Static_Watchlist".
When creating the correlation rule use "Group by: Host and Source User".
Please tell us how it goes.
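The two filters discussed in this thread (the asker's "Domain equals Host" idea and the answer's "Domain not in a domain watchlist" rule), run over a handful of constructed 4624 records and grouped by Host and Source User, as an added example that is not part of the thread and not McAfee ESM code. The watchlist contents, host names and accounts are assumptions for illustration.

```python
from collections import Counter

# Constructed sample 4624 records (fields as a SIEM would parse them); not real logs.
SAMPLE_EVENTS = [
    {"host": "WS01",  "domain": "CORP",         "user": "alice",         "logon_type": 2},
    {"host": "WS01",  "domain": "WS01",         "user": "tempadmin",     "logon_type": 2},
    {"host": "WS01",  "domain": "WS01",         "user": "tempadmin",     "logon_type": 10},
    {"host": "SRV02", "domain": "CORP",         "user": "SRV02$",        "logon_type": 3},
    {"host": "SRV02", "domain": "NT AUTHORITY", "user": "SYSTEM",        "logon_type": 5},
    {"host": "srv02", "domain": "SRV02",        "user": "Administrator", "logon_type": 3},
    {"host": "WS03",  "domain": "LAB",          "user": "bob",           "logon_type": 2},
]

# Hypothetical static watchlist of domains you do NOT want to see (the answer's approach).
DOMAIN_WATCHLIST = {"CORP", "LAB"}

# Domains Windows stamps on 4624 for built-in and virtual accounts. They are not AD
# domains, so a plain "Domain not in watchlist" rule surfaces them unless they are
# excluded as well.
BUILTIN_DOMAINS = {"NT AUTHORITY", "NT SERVICE", "WINDOW MANAGER", "FONT DRIVER HOST"}


def is_local_by_watchlist(event, watchlist=DOMAIN_WATCHLIST, exclude_builtin=True):
    """Answer's rule: Domain not in the watchlist means a local account logon."""
    domain = event["domain"].upper()
    if domain in {d.upper() for d in watchlist}:
        return False
    if exclude_builtin and domain in BUILTIN_DOMAINS:
        return False
    return True


def is_local_by_host_match(event):
    """Asker's idea: Domain equals Host (case-insensitive) means a local account."""
    return event["domain"].upper() == event["host"].upper()


def group_local_logons(events, predicate, skip_machine_accounts=True):
    """'Group by Host and Source User': count matching 4624s per (host, user) pair.

    Host is upper-cased and user lower-cased so that "srv02" and "SRV02", or
    "Administrator" and "administrator", fall into the same bucket. Machine
    accounts (names ending in "$") are dropped by default since they are never
    the interactive local accounts the thread is asking about.
    """
    counts = Counter()
    for ev in events:
        if skip_machine_accounts and ev["user"].endswith("$"):
            continue
        if predicate(ev):
            counts[(ev["host"].upper(), ev["user"].lower())] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, pred in (("watchlist", is_local_by_watchlist),
                       ("host-match", is_local_by_host_match)):
        print(name, group_local_logons(SAMPLE_EVENTS, pred))
    # Without the built-in exclusion the watchlist rule also reports NT AUTHORITY\SYSTEM.
    print("noisy", group_local_logons(
        SAMPLE_EVENTS, lambda e: is_local_by_watchlist(e, exclude_builtin=False)))
```

On this sample both filters agree: the newly created tempadmin on WS01 and the built-in Administrator on SRV02 are reported, with no watchlist of account names needed. The difference shows up on the NT AUTHORITY\SYSTEM logon, which the host-match test ignores naturally but the domain watchlist only ignores if the built-in pseudo-domains are added to it; in ESM that means putting those values in the same static watchlist as the internal domains.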