This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2011-01-14 04:51 PM

Apply Text or Watchlist filter to Correlation Rule

My overall goal is to create an alert that will fire if someone makes a change to a group with elevated privileges.  Basically if a user is added to or removed from "Domain Admins" or "Administrators", I want to be alerted.

 

I have created a correlation rule that alerts on the events dealing with security enabled group changes. 

I have also created a view for this alert.

 

Once the view is started I get all kinds of alerts any time a group changes. YAY!

 

Now that I know my event IDs are correct, I would like to be able to limit the groups that I am notified about.  I just want to know about the "Domain Admins", "Administrators", "Schema Admins", etc.

 

Here's where the problem comes in.

 

I have tried 3 different methods - all with no success.

 

Filter on [Content] (3 variations on this one):

 - WHERE [CONTENT] LIKE Domain Admins

 - WHERE [CONTENT] LIKE %Domain Admins%

 - WHERE [CONTENT] LIKE *Domain Admins*

 

Filter on Watchlist

 - WHERE [CONTENT] IN WATCHLIST GROUP_WATCHLIST

 - GROUP_WATCHLIST contains Domain Admins, Administrators, etc.

 

Added additional "event selection" to the statement.

 - On the page where you set the event IDs to look for I added an "AND" for [CONTENT] with "Domain Admins"

(this one is far fetched ,I know)

 

None of these methods work.  Any time I add any of the filters and then mess with my group, I no longer get alerts.  If I remove all filters, I get an alert bonanza.


Please help.

Preview file
304 KB
0 Likes
Reply
6 Replies
RSAAdmin
Beginner
Beginner
‎2011-01-17 08:26 AM

Try using REGEX as the operator instead of IN or LIKE.  Make sure the Watchlist itself is set to use regular expressions if youo do that.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-01-20 05:41 PM

REGEX is not an option in the drop down list when I try to create a filter.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-01-26 10:02 AM

Hi

 

We have something similar It monitors for any non privlidged account joined to a higher privlidged account.

 

It uses event managment and the attached filter

Preview file
28 KB
0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2011-01-26 11:38 AM

This is working fine for me.  Be sure that your Administrative Groups are exactly what they are called in AD.  Filter is set to look for Group in Watchlist Administrative Groups.

 

Groups include:

 

Server Admins

Admins Accounts Group

Administrators

 

I have tested it both adding to the group and removing from a group and it fires an alert.  Do you have the correct message IDs selected?

0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2011-02-21 10:42 PM

Mine works as well, but I do not filter content..I will post my XML in the morning.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2011-02-22 12:55 PM

We have created a correlated alert for this that works fine with a watchlist.   I'll attach the xml file for it.  The watch list is not set for use with regular expressions and we include Enterprise Admins, Domain Admins, Schema Admins, but don't forget "Administrators" which equates to the BUILTIN\Administrators group.  We find admins trying to hide in there as well.

 

Cheers!

Preview file
2 KB
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.