Apply Text or Watchlist filter to Correlation Rule
My overall goal is to create an alert that will fire if someone makes a change to a group with elevated privileges. Basically if a user is added to or removed from "Domain Admins" or "Administrators", I want to be alerted.
I have created a correlation rule that alerts on the events dealing with security enabled group changes.
I have also created a view for this alert.
Once the view is started I get all kinds of alerts any time a group changes. YAY!
Now that I know my event IDs are correct, I would like to be able to limit the groups that I am notified about. I just want to know about the "Domain Admins", "Administrators", "Schema Admins", etc.
Here's where the problem comes in.
I have tried 3 different methods - all with no success.
Filter on [Content] (3 variations on this one):
- WHERE [CONTENT] LIKE Domain Admins
- WHERE [CONTENT] LIKE %Domain Admins%
- WHERE [CONTENT] LIKE *Domain Admins*
Filter on Watchlist
- WHERE [CONTENT] IN WATCHLIST GROUP_WATCHLIST
- GROUP_WATCHLIST contains Domain Admins, Administrators, etc.
Added additional "event selection" to the statement.
- On the page where you set the event IDs to look for I added an "AND" for [CONTENT] with "Domain Admins"
(this one is far-fetched, I know)
None of these methods work. Any time I add any of the filters and then mess with my group, I no longer get alerts. If I remove all filters, I get an alert bonanza.
This is working fine for me. Be sure that your Administrative Groups are exactly what they are called in AD. Filter is set to look for Group in Watchlist Administrative Groups.
Admins Accounts Group
I have tested it both adding to the group and removing from a group and it fires an alert. Do you have the correct message IDs selected?
We have created a correlated alert for this that works fine with a watchlist. I'll attach the xml file for it. The watchlist is not set for use with regular expressions and we include Enterprise Admins, Domain Admins, Schema Admins, but don't forget "Administrators" which equates to the BUILTIN\Administrators group. We find admins trying to hide in there as well.
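The following is an added example, not code from any poster in this thread or from the SIEM being discussed. It shows the two filter strategies side by side on constructed sample events: a watchlist compared against the parsed group-name field (the approach the replies describe as working), and a SQL-style LIKE test against the whole event content (the first approach the question tried). The event IDs are the standard Windows Security log IDs for members added to or removed from security-enabled groups; the thread itself never lists its IDs, so that mapping is an assumption, as is the flattened key=value log format used for the samples.

```python
"""Watchlist filtering of security-group membership changes (added example).

Assumptions: Windows Security event IDs 4728/4729 (global), 4732/4733 (local)
and 4756/4757 (universal) cover member added/removed on security-enabled
groups; the thread does not list its own IDs. Sample events are constructed
in a flattened key=value form and are not real log data.
"""
import re

MEMBERSHIP_CHANGE_IDS = {4728, 4729, 4732, 4733, 4756, 4757}

# Watchlist entries carry the group's name exactly as AD renders it.
# BUILTIN\Administrators is included because it also confers admin rights.
PRIVILEGED_GROUPS = {
    "Domain Admins",
    "Enterprise Admins",
    "Schema Admins",
    "Administrators",
}

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    "EventID=4728 Subject=CORP\\jdoe Member=CN=asmith,OU=Staff,DC=corp,DC=local Group=Domain Admins GroupDomain=CORP",
    "EventID=4732 Subject=CORP\\jdoe Member=CN=asmith,OU=Staff,DC=corp,DC=local Group=Administrators GroupDomain=Builtin",
    "EventID=4728 Subject=CORP\\hr-admin Member=CN=bjones,OU=Staff,DC=corp,DC=local Group=HR Staff GroupDomain=CORP",
    "EventID=4729 Subject=CORP\\jdoe Member=CN=asmith,OU=Staff,DC=corp,DC=local Group=Schema Admins GroupDomain=CORP",
    "EventID=4624 Subject=CORP\\asmith LogonType=3",
    "EventID=4728 Subject=CORP\\jdoe Member=CN=cwu,OU=Staff,DC=corp,DC=local Group=Domain Admins Readers GroupDomain=CORP",
]

# key=value pairs; a value runs until the next " key=" token or end of line,
# so values containing spaces or '=' (the DN in Member) survive intact.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Split one flattened event line into a dict of fields."""
    return {key: value for key, value in KV_RE.findall(line)}


def sql_like(pattern, text):
    """Emulate SQL LIKE: '%' matches any run of characters, '_' exactly one.

    With no wildcard the pattern must equal the whole string, so
    LIKE 'Domain Admins' against a full event text can never match.
    """
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, text, flags=re.IGNORECASE | re.DOTALL) is not None


def group_change_alerts(lines, watchlist=PRIVILEGED_GROUPS):
    """Watchlist approach: match the parsed Group field, whole name only.

    Returns (event_id, group, member, subject) tuples. Comparison is
    case-insensitive because AD treats group names that way, but the full
    name must match, so 'Domain Admins Readers' does not trigger.
    """
    watch = {name.casefold() for name in watchlist}
    alerts = []
    for line in lines:
        fields = parse_event(line)
        try:
            event_id = int(fields.get("EventID", ""))
        except ValueError:
            continue
        if event_id not in MEMBERSHIP_CHANGE_IDS:
            continue
        group = fields.get("Group", "")
        if group.casefold() in watch:
            alerts.append((event_id, group, fields.get("Member"), fields.get("Subject")))
    return alerts


def content_like_alerts(lines, pattern):
    """Content approach: WHERE [CONTENT] LIKE pattern against the whole text."""
    return [line for line in lines if sql_like(pattern, line)]


if __name__ == "__main__":
    for alert in group_change_alerts(SAMPLE_EVENTS):
        print("watchlist hit:", alert)
    print("LIKE 'Domain Admins' hits:", len(content_like_alerts(SAMPLE_EVENTS, "Domain Admins")))
    print("LIKE '%Domain Admins%' hits:", len(content_like_alerts(SAMPLE_EVENTS, "%Domain Admins%")))
```

Running it yields three watchlist hits (Domain Admins, Administrators, Schema Admins), zero hits for the wildcard-free LIKE, and two hits for `%Domain Admins%`, one of them the unrelated "Domain Admins Readers" group. The field-level watchlist match is therefore both tighter and more predictable than substring matching over the entire event content, which is consistent with the replies' advice to spell the watchlist entries exactly as AD names the groups.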