RSA Admin

Help with Active Directory OU Drag and Drop

Discussion created by RSA Admin Employee on Aug 7, 2008
Latest reply on Aug 29, 2008 by RSA Admin

enVision v3.5.2 Build: 0170
I need suggestions or help identifying why this won't fire.  I have spent several days debugging, so I won't bog you down with every step I've attempted, but here's the gist of it...
Desired output:  A correlation rule that will fire when an Active Directory OU Drag and Drop has occurred. 
Assumptions:  You have auditing enabled, and also applied it to the OU hierarchy for both object creation and deletion.
Background Research: I've simulated this to generate realistic log traffic, and what you get from a 2003 DC is the following three events.  In summary, they are all 566's from the sec log, but the payload is unique in all three.  Also important to note is that they always occur in the same order, which you'd think would be nice for creating a simple 3-statement circuit using "followed by".  Ok, so at first I was wondering why three separate events?  Well, because of how Windows writes events, there is no such thing as an "OU move" event ID; that would make too much sense and be far too easy.  Rather, you see a 566 Delete (of the original OU), followed immediately by a 566 Write Property (of the same OU being created in its new location with a new GUID), and finally followed by another 566 Create Child as it relates to the parent OU being audited, basically saying a new child OU has been created within it.
Here are the sample log events from the enVision event viewer. They are all specific to Windows Events (NIC) Security_566_Security:02, and I've bolded the parts relevant to the correlation rule firing.
%NICWIN-4-Security_566_Security: Security,rn=10454665 cid=0x00000008 eid=0x00000236,Thu Aug 07 09:06:33 2008,566,Security,FOO/admin-user1,Success Audit,DomainController01,Directory Service Access,,Object Operation: Object Server: DS  Operation Type: Object Access  Object Type: %{bf967aa5-0de6-11d0-a285-00aa003049e2}  Object Name: %{867a1dfc-8ab8-468e-bd74-baa559a679f2}  Handle ID: -  Primary User Name: DomainController01$  Primary Domain: FOO  Primary Logon ID: (0x0,0x3E7)  Client User Name: Admin-user1  Client Domain: FOO  Client Logon ID: (0x0,0x20AB9F22)  Accesses: DELETE       Properties: DELETE   %{bf967aa5-0de6-11d0-a285-00aa003049e2}    Additional Info:   Additional Info2:   Access Mask: 0x10000
%NICWIN-4-Security_566_Security: Security,rn=10454666 cid=0x00000008 eid=0x00000236,Thu Aug 07 09:06:33 2008,566,Security,FOO/Admin-user1,Success Audit,DomainController01,Directory ServiceAccess,,Object Operation: Object Server: DS  Operation Type: Object Access  Object Type: %{bf967aa5-0de6-11d0-a285-00aa003049e2}  Object Name: %{867a1dfc-8ab8-468e-bd74-baa559a679f2}  Handle ID: -  Primary User Name: DomainController01$  Primary Domain: FOO  Primary Logon ID: (0x0,0x3E7)  Client User Name: Admin-user1  Client Domain: FOO  Client Logon ID: (0x0,0x20AB9F22)  Accesses: Write Property       Properties: Write Property   %{e48d0154-bcf8-11d1-8702-00c04fb96050}     %{bf967a0e-0de6-11d0-a285-00aa003049e2}     %{bf9679f0-0de6-11d0-a285-00aa003049e2}   %{bf967aa5-0de6-11d0-a285-00aa003049e2}    Additional Info:   OU=child1,OU=parent1,OU=grandparent1,OU=newnameOU1,OU=logagtest,DC=FOO,DC=foocorporation,DC=com  Additional Info2: %{bfa7f4fd-f34d-4482-809a-a7db5c53e145}  Access Mask: 0x20
%NICWIN-4-Security_566_Security: Security,rn=10454667 cid=0x00000008 eid=0x00000236,Thu Aug 07 09:06:33 2008,566,Security,FOO/Admin-user1,Success Audit,DomainController01,Directory Service Access,,Object Operation: Object Server: DS  Operation Type: Object Access  Object Type: %{bf967aa5-0de6-11d0-a285-00aa003049e2}  Object Name: %{bfa7f4fd-f34d-4482-809a-a7db5c53e145}  Handle ID: -  Primary User Name: DomainController01$  Primary Domain: FOO  Primary Logon ID: (0x0,0x3E7)  Client User Name: Admin-user1  Client Domain: FOO  Client Logon ID: (0x0,0x20AB9F22)  Accesses: Create Child       Properties: Create Child   %{bf967aa5-0de6-11d0-a285-00aa003049e2}    Additional Info:   Additional Info2:   Access Mask: 0x1
Progress to date:  I have tried numerous configurations in the last two days to get this to fire appropriately.  My first attempt (see attached) was a single circuit with three statements, where statement 1 looked for the first event, followed by statement 2, which looked for the second event, followed by statement 3 for the third.  After a day's worth of tweaks and adjustments and removing filters until there was nothing left but false positives, I realized this method wouldn't work, so I tried a second method which basically split the same three statements out into their own separate circuits.  Still no go.  I've also tried different variations of using LIKE and IN, and neither seems to work.
So here's where I get frustrated... I can take these exact same filter statements and plug them into the Query page, and it processes successfully and gives me back the correct events for each of the three statements just fine.  It works perfectly.  It just won't process when used in a correlation rule.    Hmmm?
Has anyone attempted this before? If so, how did you construct your correlation circuits and statements to pull it off?
-Ryan
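The sequence Ryan describes (566 DELETE, then 566 Write Property, then 566 Create Child, in that order, from the same client logon session) can be checked outside enVision with a small stateful correlator. This is an added example, not enVision rule syntax or code from the original post; it assumes the three events share the Client Logon ID (true in the sample above), keys its state on that ID, and uses a 5-second window that is an assumption for the sample, not a value from the post. The sample lines are the post's three events trimmed to the fields the parser reads.

```python
import re
from datetime import datetime, timedelta

SAMPLE_LOG = [  # constructed: the three 566 events from the post, trimmed to the fields used here
    "%NICWIN-4-Security_566_Security: Security,rn=10454665 cid=0x00000008 eid=0x00000236,"
    "Thu Aug 07 09:06:33 2008,566,Security,FOO/admin-user1,Success Audit,DomainController01,"
    "Directory Service Access,,Object Operation: Object Server: DS  Object Name: %{867a1dfc-8ab8-468e-bd74-baa559a679f2}"
    "  Client User Name: Admin-user1  Client Logon ID: (0x0,0x20AB9F22)  Accesses: DELETE       Properties: DELETE",
    "%NICWIN-4-Security_566_Security: Security,rn=10454666 cid=0x00000008 eid=0x00000236,"
    "Thu Aug 07 09:06:33 2008,566,Security,FOO/Admin-user1,Success Audit,DomainController01,"
    "Directory Service Access,,Object Operation: Object Server: DS  Object Name: %{867a1dfc-8ab8-468e-bd74-baa559a679f2}"
    "  Client User Name: Admin-user1  Client Logon ID: (0x0,0x20AB9F22)  Accesses: Write Property       Properties: Write Property",
    "%NICWIN-4-Security_566_Security: Security,rn=10454667 cid=0x00000008 eid=0x00000236,"
    "Thu Aug 07 09:06:33 2008,566,Security,FOO/Admin-user1,Success Audit,DomainController01,"
    "Directory Service Access,,Object Operation: Object Server: DS  Object Name: %{bfa7f4fd-f34d-4482-809a-a7db5c53e145}"
    "  Client User Name: Admin-user1  Client Logon ID: (0x0,0x20AB9F22)  Accesses: Create Child       Properties: Create Child",
]
SEQUENCE = ("DELETE", "Write Property", "Create Child")  # the order observed in the post

def parse_566(line):
    """Return the correlation-relevant fields of one NICWIN 566 line, or None for any other event."""
    fields = line.split(",", 4)  # only the first four commas are delimiters; logon IDs contain commas
    if len(fields) < 5 or fields[3] != "566":
        return None
    def grab(name):  # a payload value runs until the two-space gap before the next field label
        m = re.search(name + r":\s+(\S+(?: \S+)*?)(?=\s{2,}|$)", line)
        return m.group(1) if m else None
    return {"time": datetime.strptime(fields[2], "%a %b %d %H:%M:%S %Y"), "user": grab("Client User Name"),
            "logon": grab("Client Logon ID"), "object": grab("Object Name"), "access": grab("Accesses")}

def correlate_ou_moves(lines, window=timedelta(seconds=5)):
    """Fire once per Client Logon ID when DELETE -> Write Property -> Create Child arrive in order within window."""
    alerts, state = [], {}  # state[logon id] = (time of the DELETE that opened the sequence, events seen so far)
    for line in lines:
        ev = parse_566(line)
        if ev is None or ev["access"] not in SEQUENCE or ev["logon"] is None:
            continue
        start, seen = state.get(ev["logon"], (None, []))
        if seen and ev["time"] - start > window:  # partial sequence went stale: forget it
            start, seen = None, []
        if ev["access"] == SEQUENCE[len(seen)]:  # the next expected step arrived
            seen.append(ev)
            start = start or ev["time"]
        else:  # out of order: only a fresh DELETE can open a new sequence
            seen = [ev] if ev["access"] == SEQUENCE[0] else []
            start = ev["time"] if seen else None
        if len(seen) == len(SEQUENCE):
            alerts.append({"user": seen[0]["user"], "logon": ev["logon"], "time": ev["time"],
                           "moved_ou": seen[0]["object"], "new_parent": seen[2]["object"]})
            seen, start = [], None
        state[ev["logon"]] = (start, seen)
    return alerts
```

Feeding the same three events in any other order produces no alert, which is the "followed by" behaviour the circuit is meant to enforce.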