My overall goal is to create an alert that will fire if someone makes a change to a group with elevated privileges. Basically if a user is added to or removed from "Domain Admins" or "Administrators", I want to be alerted.
I have created a correlation rule that alerts on the events dealing with security enabled group changes.
I have also created a view for this alert.
Once the view is started I get all kinds of alerts any time a group changes. YAY!
Now that I know my event IDs are correct, I would like to be able to limit the groups that I am notified about. I just want to know about the "Domain Admins", "Administrators", "Schema Admins", etc.
Here's where the problem comes in.
I have tried 3 different methods - all with no success.
Filter on [Content] (3 variations on this one):
- WHERE [CONTENT] LIKE Domain Admins
- WHERE [CONTENT] LIKE %Domain Admins%
- WHERE [CONTENT] LIKE *Domain Admins*
Filter on Watchlist
- WHERE [CONTENT] IN WATCHLIST GROUP_WATCHLIST
- GROUP_WATCHLIST contains Domain Admins, Administrators, etc.
Added additional "event selection" to the statement.
- On the page where you set the event IDs to look for I added an "AND" for [CONTENT] with "Domain Admins"
(this one is far-fetched, I know)
None of these methods work. Any time I add any of the filters and then mess with my group, I no longer get alerts. If I remove all filters, I get an alert bonanza.
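Before spending more time on the SIEM filter syntax, it helps to confirm which field of the raw Windows event actually carries the group name. The PowerShell below is an added example (not from the original post or the SIEM vendor) that reads the group-membership-change events straight from the Security log on a domain controller and matches the group name field exactly, not the whole message body. Event IDs 4728/4729 (global group add/remove), 4732/4733 (local group) and 4756/4757 (universal group) are standard Windows Security event IDs; the list of privileged group names is an assumption to adjust for your domain.

```powershell
# Added example: list membership changes to privileged groups from the Security log.
# Run on a domain controller (or a host collecting its Security log) with rights to read it.

# Assumed privileged groups; extend with whatever your environment treats as Tier 0.
$PrivilegedGroups = @('Domain Admins', 'Administrators', 'Schema Admins', 'Enterprise Admins')

# Standard Windows Security event IDs for security-enabled group membership changes:
# 4728/4729 global group add/remove, 4732/4733 local group, 4756/4757 universal group.
$EventIds = 4728, 4729, 4732, 4733, 4756, 4757

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventIds } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse the event XML so we can read named EventData fields instead of searching the message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Group   = $data['TargetUserName']   # the group whose membership changed
            Member  = $data['MemberName']       # DN of the account that was added or removed
            Actor   = $data['SubjectUserName']  # the account that made the change
            Domain  = $data['TargetDomainName']
        }
    } |
    # Exact match on the group-name field; no wildcards needed.
    Where-Object { $PrivilegedGroups -contains $_.Group } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

If this returns rows after you add and remove a test account from "Domain Admins", the events and the field name (TargetUserName) are confirmed, and the SIEM rule should be pointed at that parsed field rather than at a free-text match over the whole event content.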