6 Replies Latest reply on Jan 19, 2017 1:25 PM by tallmega

    Data Enrichment and Custom Types

    tallmega

      Hello all,

       

      I'm fairly new at this, but I've been trying to create a correlation rule that alerts when a user is added to the local administrators group on Windows machines.

       

      This works, my rule looks for 'A member was added to a security-enabled local group' (43-263047320), among a few others. 

       

      Unfortunately, Microsoft sends only the SIDs, and relies on the viewing client to determine who added who to what group.  ESM will resolve the SID of the user doing the adding, and the group being added to, but not the user that got added!  This just comes in as a custom type called 'Security_ID' and gives me a SID.  See the attached screenshot.

       

      I've been experimenting with Data Enrichment through either ldap or SQL.  Using LDAP trying to query 'ObjectSID' produces an error.   I've been able to successfully query the Object SID (and resolve SAMAccountName) in my IAM SQL database, but in Destination I am unable to select Security_ID (or any custom type) as a lookup field, no matter which data source i select!   It is available in the Custom Types menu, but it's not editable.

       

      How are others doing this?

       

      Thanks,

       

      Kevin

        • 1. Re: Data Enrichment and Custom Types
          sssyyy

          Really? the event should contain both source user (actioned by) and destination user (added user). Correlation rule should just be Signature ID, and object = the security group name which you are interested in.

          • 2. Re: Data Enrichment and Custom Types
            acommons

            Try this:

             

            (1) Make the Custom Type a String

            (2) Assign it to Custom Field 9 or 10 to keep it out of the way of other user related fields.

            • 3. Re: Data Enrichment and Custom Types
              xded

              there is Blog entry fro Dataenrichment in this community. --> SIEM Foundations: Implement Enrichment to Pull in Full User Name From AD

              You can use this to enrich you SIEM from SID to Username.

              But sssyyy is right there is a configuration in your Group policy in the Windows Domain to extend this log

              • 4. Re: Data Enrichment and Custom Types
                tallmega

                Hi all, thanks for the replies.

                 

                To clarify, the packet captured by Signature 43-263047320 (A member was added to a security-enabled local group) only contains the following data:

                 

                192.168.1.100||Security||91729680||Microsoft-Windows-Security-Auditing||4732||61 ||1483539975||4||SERVER1.DOMAIN.COM||||Security Group Management||10||-||S-1-5-20||IIS_IUSRS||Builtin||S-1-5-32-568||S-1-5-21-4195886 749-1299131234-950276898-294751||KevinM||DOMAIN||0xafe95984||-||A member was added to a security-enabled local group.

                 

                Subject:

                  Security ID: S-1-5-21-4195886749-1299131234-950276898-294751

                  Account Name: KevinM

                  Account Domain: DOMAIN

                  Logon ID: 0xafe95984

                Member:

                  Security ID: S-1-5-20

                  Account Name: -

                Group:

                  Security ID: S-1-5-32-568

                  Group Name: IIS_IUSRS

                  Group Domain: Builtin

                Additional Information:

                  Privileges: -

                 

                As you can see, the Account Name is blank, and that's the member that KevinM added to the IIS_Users group.  If there's a setting to include this data that would be great but I am unaware of it.  (I obviously changed the sensitive data).

                As far as following that article for data enrichment, I'm having data type issues working with the SID to do that.  It doesn't seem to be possible.

                • 5. Re: Data Enrichment and Custom Types
                  xded
                  1 of 1 people found this helpful
                  • 6. Re: Data Enrichment and Custom Types
                    tallmega

                    Good find xded!  According to that article:

                     

                    Account Name [Type = UnicodeString]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “-“ value, even if new member is a domain account. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.

                     

                    That's what's happening with me.  When one of my sneaky server admins decides to take the easy way out and add a service account to Administrators, I want to know who got added!  It looks like the information doesn't exist, no one else has this issue?

                    1 of 1 people found this helpful