This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2010-04-15 02:40 AM

Having issues with Canned rule CRL-00014

Hey folks,

 

I am finding it difficult to follow the correlation rule CRL-00014, I copied the rule, but the rule does not trigger properly. The variable group does not exist in the event category mentinoed in the rule. Can someone guide me how to check on this rule and make sure its working.

 

Thanks in advance

0 Likes
Reply
6 Replies
RSAAdmin
Beginner
Beginner
‎2010-05-05 09:46 AM

This Correlation is looking for a useraccount that is added to an administrative group, we had to change the rule to match what we were looking for.

 

1. Added a watchlist called Administrative groups and configured the groups we wanted to monitor

2. We changed the device group to Windows devices

3. We changed the event type to two specific events in Windows, we are running Windows 2008

4. We changed the filter variable to "group" "IN Watchlist"  "Administrative groups".

 

The filter is set to eliminate any other group addition unless an addition is made to the groups we want to monitor such as Domain Admins in Windows.

 

What devices are you monitoring for group changes?

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-05-06 01:50 AM

Thanks for checking..i was waiting for a reply from long time..

I am looking for privilage escalation in Envision Server users

 

when i tried to duplicate the existing rule..i am missing the right variable / fileds...

there is no chance of using the filtering option... I know the logic is right..but hicups in triggering the alert for envision user privilage escalation and group modifications

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-05-06 08:04 AM

Are you saying there are no variables to choose from or that the variable you want to use is not there? And what variable are you wanting to use?

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-05-07 12:25 AM

Event Category/ALLINUser.Management.Groups.Modifications.User Added

 

groupIn WatchlistAdministrative GroupsfalseAnd
usernameNot In WatchlistAdministrative Usersfalse 

 

If i use the Above Event Category i dont find an option to use group in filter....

0 Likes
Reply
GabrielPython
Beginner
Beginner
In response to RSAAdmin
‎2010-05-07 02:39 AM

Don't use NOT IN WATCHLIST in ALerts and CRL.
I was unable to use it and It has been just confirmed by support that it's not working at all.

enVision 4.0 SP2 and SP3.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-05-07 07:59 AM

The Event Category is not really all that reliable, what you will find is if you choose the message ID that is generated when a change to the group is made you MAY have the variable option available to you. The variables change depending on the message ID you use.

 

For instance message ID "Security_4729_Microsoft-Windows-Security-Auditing" gives me the option to use the variable "Group" in my filter. 

 

As far as "not in watchlist", that's the first I have heard about that, you can always use the filter variable User name and in the comparison use NOT IN and list the usernames.

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.