Having issues with Canned rule CRL-00014
I am finding it difficult to follow the correlation rule CRL-00014, I copied the rule, but the rule does not trigger properly. The variable group does not exist in the event category mentinoed in the rule. Can someone guide me how to check on this rule and make sure its working.
Thanks in advance
This Correlation is looking for a useraccount that is added to an administrative group, we had to change the rule to match what we were looking for.
1. Added a watchlist called Administrative groups and configured the groups we wanted to monitor
2. We changed the device group to Windows devices
3. We changed the event type to two specific events in Windows, we are running Windows 2008
4. We changed the filter variable to "group" "IN Watchlist" "Administrative groups".
The filter is set to eliminate any other group addition unless an addition is made to the groups we want to monitor such as Domain Admins in Windows.
What devices are you monitoring for group changes?
Thanks for checking..i was waiting for a reply from long time..
I am looking for privilage escalation in Envision Server users
when i tried to duplicate the existing rule..i am missing the right variable / fileds...
there is no chance of using the filtering option... I know the logic is right..but hicups in triggering the alert for envision user privilage escalation and group modifications
|Event Category/ALL||IN||User.Management.Groups.Modifications.User Added|
|group||In Watchlist||Administrative Groups||false||And|
|username||Not In Watchlist||Administrative Users||false|
If i use the Above Event Category i dont find an option to use group in filter....
I was unable to use it and It has been just confirmed by support that it's not working at all.
enVision 4.0 SP2 and SP3.
The Event Category is not really all that reliable, what you will find is if you choose the message ID that is generated when a change to the group is made you MAY have the variable option available to you. The variables change depending on the message ID you use.
For instance message ID "Security_4729_Microsoft-Windows-Security-Auditing" gives me the option to use the variable "Group" in my filter.
As far as "not in watchlist", that's the first I have heard about that, you can always use the filter variable User name and in the comparison use NOT IN and list the usernames.