I'm new to this SIEM and writing rules. How would I write a simple rule to report when changes have been made to GPO?
I don't have access to a lab environment right now, but these were taken straight from a client report, so they should work.
Yeah... that's really weird. I'm even able to copy/paste directly from the first reply straight into NW.
Anyway, try importing these into your ESA.
So it is working for you? I also cannot import without getting an error. It doesn't appear to be my day....
Yea, I created those in my lab and exported them. It wouldn't have let me save/export unless the syntax was valid.
What version of NetWitness are you running? (I'm at 11.2.0.1)
11.2.0.0
Roger Feagin
IT Security Analyst
American Modern
We had a client request for notification when GPO policies were created, edited, or deleted. When studied, these actions cause multiple event log entries. Because of the multiple event log entries, we determined that we needed to use the ESA engine for correlation. The EPL rules we created in ESA are below. They may not be exactly what you need, but they may get you started.
======
module GPOCreated;
@Name('GPO Created')
@RSAAlert
// Windows Security event 5137 = directory service object created,
// 5136 = directory service object modified. Creating a GPO writes the
// container (5137) and then its attributes (several 5136 entries), so the
// batch below collapses that burst into a single alert.
// medium 32 = log events (not packets) in NetWitness.
SELECT window(*) FROM Event(
medium = 32
AND
reference_id IN ('5137','5136')
AND
obj_type = 'grouppolicycontainer'
AND
(ec_activity = 'create' OR cast(action, string) LIKE '%Value Deleted%'))
.std:groupwin(obj_type).win:time_batch(20 seconds)
GROUP BY obj_type;
======
module GPOEdited;
@Name('GPO Edited')
@RSAAlert
// 5136 with a 'Value Deleted' operation = an existing attribute on the
// groupPolicyContainer object was replaced, i.e. the GPO was edited.
SELECT window(*) FROM Event(
medium = 32
AND
reference_id = '5136'
AND
obj_type = 'grouppolicycontainer'
AND
cast(action, string) LIKE '%Value Deleted%')
.std:groupwin(reference_id, obj_type).win:time_batch(20 seconds)
GROUP BY reference_id, obj_type;
======
module GPODeleted;
@Name('GPO Deleted')
@RSAAlert
// Windows Security event 5141 = directory service object deleted; the
// 'Tree Delete' operation is what removing a GPO container produces.
SELECT window(*) FROM Event(
medium = 32
AND
reference_id = '5141'
AND
obj_type = 'grouppolicycontainer'
AND
cast(action, string) LIKE '%Tree Delete%')
.std:groupwin(reference_id, obj_type).win:time_batch(20 seconds)
GROUP BY reference_id, obj_type;
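To see what the three rules above do before importing them, here is an added example (my own Python, not code from the post or from NetWitness) that models the filters and the 20-second batching over a handful of constructed events. The field names (medium, reference_id, obj_type, ec_activity, action) mirror the meta keys used in the EPL; the batch alignment to the first event's timestamp is an approximation of win:time_batch, and all sample events are constructed, not taken from a real log.

```python
"""Model of the GPO Created / Edited / Deleted ESA rules over constructed events.

Added example, not part of the original post. Assumptions: medium 32 is log
data, obj_type carries the lower-cased AD object class, action carries the
5136/5141 'Operation' text, and batches are aligned to the first event seen.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOWS_LOG_MEDIUM = 32   # medium value used in the rules for log events
BATCH_SECONDS = 20        # win:time_batch(20 seconds)


@dataclass
class Event:
    ts: float           # seconds; constructed, relative to the first event
    medium: int
    reference_id: str   # Windows event ID as a string, as in the rules
    obj_type: str
    ec_activity: str
    action: str


# One predicate per rule, copied from the WHERE clauses of the three modules.
RULES = {
    "GPO Created": lambda e: e.reference_id in ("5137", "5136")
    and (e.ec_activity == "create" or "Value Deleted" in e.action),
    "GPO Edited": lambda e: e.reference_id == "5136" and "Value Deleted" in e.action,
    "GPO Deleted": lambda e: e.reference_id == "5141" and "Tree Delete" in e.action,
}
RULE_ORDER = list(RULES)


def match_rules(e: Event) -> list[str]:
    """Names of every rule whose filter the event satisfies (rules fire independently)."""
    if e.medium != WINDOWS_LOG_MEDIUM or e.obj_type != "grouppolicycontainer":
        return []
    return [name for name, pred in RULES.items() if pred(e)]


def group_key(rule: str, e: Event) -> tuple:
    # GPOCreated groups by obj_type only; the other two by (reference_id, obj_type).
    return (e.obj_type,) if rule == "GPO Created" else (e.reference_id, e.obj_type)


def correlate(events: list[Event], batch_seconds: float = BATCH_SECONDS) -> list[tuple]:
    """Collapse matching events into one alert per (rule, group key, 20s batch).

    Returns [(rule_name, group_key, [events]), ...] ordered by batch then rule,
    which is what window(*) hands to the alert for each batch.
    """
    if not events:
        return []
    t0 = min(e.ts for e in events)          # assumption: batches start at first event
    buckets: dict[tuple, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        batch = int((e.ts - t0) // batch_seconds)
        for rule in match_rules(e):
            buckets[(rule, group_key(rule, e), batch)].append(e)
    ordered = sorted(buckets.items(), key=lambda kv: (kv[0][2], RULE_ORDER.index(kv[0][0])))
    return [(rule, key, evs) for (rule, key, _batch), evs in ordered]


# Constructed sample: a GPO creation burst, an edit burst a minute later,
# a deletion, and a non-GPO 5136 that must be ignored.
GPC = "grouppolicycontainer"
SAMPLE_EVENTS = [
    Event(0.0, 32, "5137", GPC, "create", "Object Added"),          # new GPO container
    Event(1.0, 32, "5136", GPC, "modify", "Value Deleted"),         # attribute rewrite during creation
    Event(2.0, 32, "5136", GPC, "modify", "Value Added"),           # not matched by any rule
    Event(60.0, 32, "5136", GPC, "modify", "Value Deleted"),        # edit: old value removed
    Event(61.0, 32, "5136", GPC, "modify", "Value Added"),          # edit: new value written
    Event(62.0, 32, "5136", GPC, "modify", "Value Deleted"),        # second attribute edited
    Event(120.0, 32, "5141", GPC, "delete", "Tree Delete"),         # GPO removed
    Event(130.0, 32, "5136", "user", "modify", "Value Deleted"),    # not a GPO object
]


if __name__ == "__main__":
    for rule, key, evs in correlate(SAMPLE_EVENTS):
        print(f"{rule:12s} key={key} events={len(evs)} ids={[e.reference_id for e in evs]}")
```

Running it prints five alerts: one Created and one Edited for the creation burst, one Created and one Edited for the edit burst, and one Deleted. That shows both the intended effect (several 5136 entries collapse into one alert per batch) and a side effect worth knowing about: because the GPOCreated filter also accepts 5136 with 'Value Deleted', an ordinary edit fires both the Created and the Edited rule, so tune that clause if you want the two alerts to be disjoint.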