Apply Text or Watchlist filter to Correlation Rule

Discussion created by RSA Admin Employee on Jan 14, 2011
Latest reply on Jan 26, 2011 by RSA Admin

My overall goal is to create an alert that will fire if someone makes a change to a group with elevated privileges.  Basically if a user is added to or removed from "Domain Admins" or "Administrators", I want to be alerted.
I have created a correlation rule that alerts on the events dealing with security-enabled group changes.

I have also created a view for this alert.
Once the view is started I get all kinds of alerts any time a group changes. YAY!
Now that I know my event IDs are correct, I would like to be able to limit the groups that I am notified about.  I just want to know about the "Domain Admins", "Administrators", "Schema Admins", etc.
Here's where the problem comes in.
I have tried 3 different methods - all with no success.
Filter on [Content] (3 variations on this one):

 - WHERE [CONTENT] LIKE Domain Admins

 - WHERE [CONTENT] LIKE %Domain Admins%

 - WHERE [CONTENT] LIKE *Domain Admins*
Filter on Watchlist

 - WHERE [CONTENT] IN WATCHLIST GROUP_WATCHLIST

 - GROUP_WATCHLIST contains Domain Admins, Administrators, etc.
Added additional "event selection" to the statement.

 - On the page where you set the event IDs to look for I added an "AND" for [CONTENT] with "Domain Admins"

(this one is far-fetched, I know)
None of these methods work.  Any time I add any of the filters and then mess with my group, I no longer get alerts.  If I remove all filters, I get an alert bonanza.
Please help.
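An added example, not from this post or from the RSA product, of the filtering logic the post is after: select the group-change event IDs first, then compare the group name against a watchlist after stripping the domain prefix and normalising case and whitespace, since a raw content field rarely equals the bare name "Domain Admins". The pipe-delimited record format, the sample records, the watchlist values and the use of the Windows 4728/4729/4732/4733/4756/4757 event IDs are all assumptions made for the example.

```python
# Windows security event IDs for membership changes to security-enabled groups.
# Assumption: the post's event IDs are these; adjust to the source's own IDs.
GROUP_CHANGE_EVENTS = {
    4728: "added", 4729: "removed",  # security-enabled global group
    4732: "added", 4733: "removed",  # security-enabled local group
    4756: "added", 4757: "removed",  # security-enabled universal group
}
# Privileged-group watchlist (the post's GROUP_WATCHLIST; values are constructed).
GROUP_WATCHLIST = {"Domain Admins", "Administrators", "Schema Admins", "Enterprise Admins"}

# Constructed sample records in a hypothetical pipe-delimited content format:
# event_id|subject|member|group. The group field carries a DOMAIN\ prefix, which is
# why an exact comparison against the bare name "Domain Admins" never matches.
SAMPLE_LOGS = [
    "4728|CORP\\jsmith|CN=Bob,OU=Users,DC=corp,DC=local|CORP\\Domain Admins",
    "4732|CORP\\jsmith|CN=Alice,OU=Users,DC=corp,DC=local|BUILTIN\\Administrators",
    "4728|CORP\\helpdesk|CN=Carol,OU=Users,DC=corp,DC=local|CORP\\Sales Team",
    "4729|CORP\\dcadmin|CN=Dave,OU=Users,DC=corp,DC=local|CORP\\schema admins",
    "4624|CORP\\jsmith|-|-",  # logon event: not a group change, must be ignored
]

def normalize_group(raw):
    """Strip a DOMAIN\\ or BUILTIN\\ prefix, collapse whitespace, lower-case."""
    name = raw.rsplit("\\", 1)[-1]
    return " ".join(name.split()).lower()

_WATCHLIST = {normalize_group(g) for g in GROUP_WATCHLIST}

def parse_record(line):
    """Return (event_id, subject, member, group) or None if the record is malformed."""
    parts = line.split("|")
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[2], parts[3]

def detect(lines, watchlist=_WATCHLIST):
    """Event-ID selection first, then the watchlist filter on the normalised group."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec[0] not in GROUP_CHANGE_EVENTS:
            continue
        event_id, subject, member, group = rec
        if normalize_group(group) in watchlist:
            alerts.append({"event_id": event_id, "action": GROUP_CHANGE_EVENTS[event_id],
                           "group": group, "member": member, "by": subject})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"{a['action']:>7}: {a['member']} -> {a['group']} (by {a['by']})")
```

Run as-is it reports the three privileged-group changes and skips the "Sales Team" change and the logon event; swapping in a substring test instead of set membership is the equivalent of the post's `LIKE %Domain Admins%` variant, but the normalisation step is what makes either form hit.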