- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Correlation Rule with exceptions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
I think you might need to create multiple statements and possibly circuits to cover the conditions. Please correct me if I misunderstood the goals here.
- Alert if any service account interactively logs into any server in group A
- Alert if only specific service accounts interactive logs into any serverin group B
If you split these into two statements joined with an OR you should be able to achieve the desired results. Each statement will have a filter reflect one of the specific points listed above.
How many exceptions were you planning on creating with the rule?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Hi Daniel,
The example I gave were a general idea of what we need to achieve. There is likely to be many more different servers that for some reason different service accounts need to interactively login to them.
We have over 1000 servers and over 1200 service accounts, as the monitoring of the use of these service accounts continues we will find quite a few more exceptions that may need to be handled. So, potentially we could have 10's of exceptions.
I need to find the best way to implement these in the rules, I was hoping it could be achieved by adding to the existing filter set ? But not having used correlated rules very much I 'm still learning.
Any ideas appreciated.
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
My other suggestion would be to try and leverage the operators (AND, OR, etc) within the filter, statements and
circuits to create a more complex rule. Here is a simple example of how envision processes the operator:
Let's start with a rule that has 1 circuit and 3 statements in the following order
Statement_1
OR Statement_2
AND Statement_3
In this scenario, if statement_1 and statement_3 were true, the alert would fire. Similiarly, if Statement_2 and Statement_3 became true, the alert would fire. So I'll rewrite the rule so you can better visualize the logic behind this.
( Statement_1 OR Statement_2 ) AND Statement_3
So when you add a 4th statement to this rule
Statement_1
OR Statement_2
AND Statement_3
AND NOT Statement_4
The rule's logic can be expressed as (( Statement_1 OR Statement_2 ) AND Statement_3 ) AND NOT Statement_4
Unfortunately without understanding in detail all the conditions for the rule it's hard to determine what's the best way for you to proceed. However I suspect you will have to break down the rule into multiple parts to make this work properly.
Sometimes I will create a truth table to list all the input conditions to the rule and the outcomes I expect and then create the rule from that.
I hope this helps.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Hi Daniel,
From your suggestions, this is what I have come up with so far :
<cad timestamp="2009-11-27 08:37:31" decaytime="60" level="4" eventcategory="1401060000" content="LOGIN SERVICE ACCOUNT" explanation="Monitor for login activity by a service account." ipapattern="" ipacount="-1">
<circuit id="Circuit:Get Events" >
<statement id="Windows Successful Login Events" thp="false">
<device comparison="IN">
<devvalue dclass="Windows Hosts" case="false" regex="false">
<ipadd value="ALL"/>
</devvalue>
</device>
<eventset>
<eventid comparison="IN">
<evalue msgid="Security_528_Security" dtype="winevent_nic" case="false" regex="false"/>
<evalue msgid="Security_528_Security:02" dtype="winevent_nic" case="false" regex="false"/>
</eventid>
</eventset>
<filterset>
<filter comparison="IN">
<filtervalue variable="username" value="SERVICE ACCOUNTS" comparison="WATCHLIST" case="IGNORE"/>
</filter>
<operator name="AND" />
<filter comparison="IN">
<filtervalue variable="logon_type" value="Windows Logon Type" comparison="WATCHLIST" case="IGNORE"/>
</filter>
</filterset>
</statement>
<operator name="AND_NOT" within="-1" />
<statement id="Exclusions - Windows Successful Login Events" thp="false">
<device comparison="IN">
<devvalue dclass="Windows Hosts" case="false" regex="false">
<ipadd value="ALL"/>
</devvalue>
</device>
<eventset>
<eventid comparison="IN">
<evalue msgid="Security_528_Security" dtype="winevent_nic" case="false" regex="false"/>
<evalue msgid="Security_528_Security:02" dtype="winevent_nic" case="false" regex="false"/>
</eventid>
</eventset>
<filterset>
<filter comparison="IN">
<filtervalue variable="workstation" value="SERVERxyz" comparison="IN" case="IGNORE"/>
</filter>
<operator name="AND" />
<filter comparison="IN">
<filtervalue variable="username" value="SERVICEACCOUNTabc" comparison="IN" case="IGNORE"/>
</filter>
</filterset>
</statement>
</circuit>
</cad>
So, in the first statement I look for a login event, then have a second statement to perform the exception on the server and service account we want excluded from the alerting.
I haven't had a chance to fully test, but so far seems it achieve what I want, however I need to incorporate additional exceptions for other servers and service accounts.
Do you see anything obviously wrong with the above ?
Thanks,
Mike
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
I believe that should be fine. Basically you'll just keep adding additional statements joined with "AND NOT" to reflect each additional exception to the rule. That should hopefully keep the rule manageable if you have a large number of exceptions.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
I am trying to perform this exact same correlation rule by using your example. I am trying to understan why you have the second watchlist "Logon Type". Would you explain this to me?
This is the rule that I need, which I believe is the same:
I want to monitor all successful logon events for all windows hosts, where specific service accounts are used. I also want to create a filter, excluding a list of hosts where these service accounts should be used.
Thanks,
Greg
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
May I suggest that you just look for any interactive logins from a service account to any server. Look for the 528 and 4624 (win2k8) and the following conditions:
Login Type 2 (interactive login) and 10 (remote access)
Now there are some service accounts that use login type 2 & 10, but those are local logins and can be filtered out the "source user" ending in $.
This is how I have done it....I will attach the XML tomorrow that works with Content 2.0
Paul
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Here is my rule for checking sevice accounts....I am simply looking for interactive, direct logins using the accounts in my watchlist. By looking for both Login Process of User32 and Logon Type of 2 and 10...I can alert of anyone using the service account outside of its normal process. I can look at them across all servers and I think that is what you want to do. Usually a service account will have higher privileges than a normal user account and many times can be domain/local administrators...so I tend to want to see any interactive/direct logins.
