Really? the event should contain both source user (actioned by) and destination user (added user). Correlation rule should just be Signature ID, and object = the security group name which you are interested in.
(1) Make the Custom Type a String
(2) Assign it to Custom Field 9 or 10 to keep it out of the way of other user related fields.
There is a blog entry for data enrichment in this community. --> SIEM Foundations: Implement Enrichment to Pull in Full User Name From AD
You can use this to enrich your SIEM from SID to username.
But sssyyy is right, there is a configuration in your Group Policy in the Windows domain to extend this log.
Hi all, thanks for the replies.
To clarify, the packet captured by Signature 43-263047320 (A member was added to a security-enabled local group) only contains the following data:
192.168.1.100||Security||91729680||Microsoft-Windows-Security-Auditing||4732||61||1483539975||4||SERVER1.DOMAIN.COM||||Security Group Management||10||-||S-1-5-20||IIS_IUSRS||Builtin||S-1-5-32-568||S-1-5-21-4195886749-1299131234-950276898-294751||KevinM||DOMAIN||0xafe95984||-||A member was added to a security-enabled local group.
Security ID: S-1-5-21-4195886749-1299131234-950276898-294751
Account Name: KevinM
Account Domain: DOMAIN
Logon ID: 0xafe95984
Security ID: S-1-5-20
Account Name: -
Security ID: S-1-5-32-568
Group Name: IIS_IUSRS
Group Domain: Builtin
As you can see, the Account Name is blank, and that's the member that KevinM added to the IIS_Users group. If there's a setting to include this data that would be great but I am unaware of it. (I obviously changed the sensitive data).
As far as following that article for data enrichment, I'm having data type issues working with the SID to do that. It doesn't seem to be possible.
Good find xded! According to that article:
Account Name [Type = UnicodeString]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “-“ value, even if new member is a domain account. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
That's what's happening with me. When one of my sneaky server admins decides to take the easy way out and add a service account to Administrators, I want to know who got added! It looks like the information doesn't exist, no one else has this issue?
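Worked example, added here and not taken from the thread or any SIEM vendor: a small Python parser for the "||"-delimited 4732 record quoted above, a SID-to-name lookup standing in for the AD enrichment, and the suggested "event ID plus group name" correlation check. The field positions, the SID table and the sample record are assumptions constructed from the quoted event.

```python
from typing import Optional
EVENT_ID_GROUP_ADD = "4732"
WATCHED_GROUPS = {"Administrators", "IIS_IUSRS"}

# Constructed SID->name table; in production this comes from the AD enrichment.
SID_TO_NAME = {
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-568": "BUILTIN\\IIS_IUSRS",
    "S-1-5-21-4195886749-1299131234-950276898-294751": "DOMAIN\\KevinM",
}
# Constructed from the record quoted in the thread (multi-line body omitted).
SAMPLE_EVENT = (
    "192.168.1.100||Security||91729680||Microsoft-Windows-Security-Auditing||4732||61||"
    "1483539975||4||SERVER1.DOMAIN.COM||||Security Group Management||10||-||S-1-5-20||"
    "IIS_IUSRS||Builtin||S-1-5-32-568||"
    "S-1-5-21-4195886749-1299131234-950276898-294751||KevinM||DOMAIN||0xafe95984||-||"
    "A member was added to a security-enabled local group."
)

def parse_4732(record: str) -> dict:
    """Split the record into the fields the rule needs. Field positions are an
    assumption inferred from the quoted record; check them against your parser."""
    f = record.split("||")
    if len(f) < 23 or f[4] != EVENT_ID_GROUP_ADD:
        raise ValueError("not a 4732 record")
    return {
        "host": f[8],
        "member_name": f[12],  # "-" for local groups, as the Microsoft doc quoted says
        "member_sid": f[13],
        "group_name": f[14],
        "group_domain": f[15],
        "subject_name": f[18],
        "subject_domain": f[19],
    }

def enrich_member(ev: dict, sid_map: dict = SID_TO_NAME) -> dict:
    """Fill the blank member name from the member SID when the lookup knows it."""
    out = dict(ev)
    if out["member_name"] in ("-", ""):
        out["member_name"] = sid_map.get(out["member_sid"], "UNRESOLVED:" + out["member_sid"])
    return out

def alert_on_watched_group(record: str, watched=WATCHED_GROUPS) -> Optional[str]:
    """Correlation rule: event 4732 plus object (group name) in the watch list."""
    ev = enrich_member(parse_4732(record))
    if ev["group_name"] not in watched:
        return None
    return (f"{ev['subject_domain']}\\{ev['subject_name']} added {ev['member_name']} "
            f"to {ev['group_domain']}\\{ev['group_name']} on {ev['host']}")
```

A SID that the table cannot resolve is kept in the alert as UNRESOLVED:<sid>, so the addition still surfaces even when enrichment fails.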