I'm new to this SIEM and writing rules. How would I write a simple rule to report when changes have been made to GPO?
I'm new to this SIEM and writing rules. How would I write a simple rule to report when changes have been made to GPO?
It looks like the GPO Created rule needs a small correction.
This part:
cast(action, string) LIKE '%Value Deleted%')
should be changed to:
cast(action, string) LIKE '%Value Added%')
I am getting this error. 
The single quotes around 5136 are *different* (they have a name, I'm sure, but I have no idea what those kinds of single-quote-like marks are called). Compare those to the marks around 5137:
Replace those *other* ones with normal single quotes and you should be good.
Unfortunately that didn't work. I used the same single quote for both.
I'm getting the same error with this one as well 
I don't have access to a lab environment right now, but these were taken straight from a client report, so they should work.
This is copied and pasted to Notepad ++ and copied into Netwitness. I'm stumped
Yea….that's really weird. I'm even able to copy/paste directly from the first reply straight into NW..
Anyway, try importing these into your ESA.
So it is working for you? I also cannot import without getting an error. It doesn't appear to be my day....
Yea, I created those in my lab and exported them. It wouldn't have let me save/export unless the syntax was valid.
What version of NetWitness are running? (I'm at 11.2.0.1)
11.2.0.0
Roger Feagin
IT Security Analyst
American Modern
Telephone:
Fax:
RFeagin@amig.com<mailto:RFeagin@amig.com>
AMIG.COM
American Modern Home - American Family Home - American Southern Home
American Modern Property and Casualty - American Western Home
We had a client request for notification when GPO policies were created, edited, or deleted. When studied, these actions cause multiple event log entries. Because of the multiple event log entries, we determined that we needed to use the ESA engine for correlation. The EPL rules we created in ESA are below. They may not be exactly what you need, but they may get you started.
======
module GPOCreated;
@Name('GPO Created')
@RSAAlert
SELECT window(*) FROM Event(
medium = 32
AND
reference_id IN ('5137',’5136’)
AND
obj_type = 'grouppolicycontainer'
AND
(ec_activity = 'create' OR cast(action, string) LIKE '%Value Deleted%'))
.std:groupwin(obj_type).win:time_batch(20 seconds)
GROUP BY obj_type;
======
module GPOEdited;
@Name('GPO Edited')
@RSAAlert
SELECT window(*) FROM Event(
medium = 32
AND
reference_id = '5136'
AND
obj_type = 'grouppolicycontainer'
AND
cast(action, string) LIKE '%Value Deleted%')
.std:groupwin(reference_id, obj_type).win:time_batch(20 seconds)
GROUP BY reference_id, obj_type;
======
module GPODeleted;
@Name('GPO Deleted')
@RSAAlert
SELECT window(*) FROM Event(
medium = 32
AND
reference_id = '5141'
AND
obj_type = 'grouppolicycontainer'
AND
cast(action, string) LIKE '%Tree Delete%')
.std:groupwin(reference_id, obj_type).win:time_batch(20 seconds)
GROUP BY reference_id, obj_type;