
Best Practice for Rules Using ActiveList Entries


We have an ActiveList that is being populated using LDAP queries to find disabled accounts in Active Directory. The list (an event-based list) has the following fields:

  • AttackerUserName (key field)
  • AttackerNtDomain
  • Name
  • Message
  • DeviceHostName
  • DeviceAddress

Each entry is a unique username that gets added using a rule to write to the active list.

If I wanted to alert when a user tries to log in using a disabled username, what's the best way to achieve this? I was going to use /Authentication/Verify under Category Behavior, but don't understand how to use the list effectively. Should the list be a field-based list? When I tried mapping AttackerUserName to TargetUserName in a field-based list, no entries were returned when testing the rule.

The ESM is v5.0.2.6715.0

Thanks!


Accepted Solutions

You need two conditions in your rule

1) if a login event (category behavior = /Authentication/Verify in your example) is detected

AND

2) AttackerUserName is in ActiveList

That should be it, assuming that AttackerUserName is an existing field in your login event. If not, you will have to find the field identifying the user in the login event and ensure this field is stored in the AL. If you decide to use a key-field active list, this field shall also be a key field. If you want to use multiple key fields in the active list (not required), you should also be sure each key field will be able to map to an existing field in your login event.

HTH

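As an added illustration of the accepted answer and of the mapping problem described in the question (this is example code, not from the thread or from ArcSight): a small Python model of the two-condition rule, showing that the Active List key field has to be mapped onto whichever event field actually carries the user name. Event and list field names follow ArcSight's naming; the events and list entries are constructed.

```python
# Added example, not from the thread or from ArcSight ESM: a model of the
# accepted answer's rule (login event AND user in Active List). Sample data
# below is constructed.

LOGIN_BEHAVIOR = "/Authentication/Verify"

# The event-based Active List from the question, keyed on AttackerUserName.
DISABLED_ACCOUNTS = {
    "jdoe":    {"AttackerNtDomain": "CORP", "Name": "Disabled Account", "DeviceHostName": "dc01"},
    "svc_old": {"AttackerNtDomain": "CORP", "Name": "Disabled Account", "DeviceHostName": "dc01"},
}

def is_login_event(event):
    """Condition 1: the event is an authentication attempt."""
    return event.get("categoryBehavior") == LOGIN_BEHAVIOR

def in_active_list(event, event_field, active_list=DISABLED_ACCOUNTS):
    """Condition 2: the value in `event_field` is a key in the Active List.
    This models the InActiveList condition: the list key (AttackerUserName)
    is mapped onto the event field chosen in the rule editor."""
    return event.get(event_field) in active_list

def disabled_login_attempt(event, event_field="attackerUserName"):
    """Both conditions AND-ed together, as in the accepted answer."""
    return is_login_event(event) and in_active_list(event, event_field)

# Constructed sample events. This connector places the account being
# authenticated in attackerUserName and leaves targetUserName empty.
EVENTS = [
    {"categoryBehavior": "/Authentication/Verify", "attackerUserName": "jdoe",
     "targetUserName": None, "deviceAddress": "10.0.0.5"},
    {"categoryBehavior": "/Authentication/Verify", "attackerUserName": "alice",
     "targetUserName": None, "deviceAddress": "10.0.0.6"},
    {"categoryBehavior": "/Access/Start", "attackerUserName": "jdoe",
     "targetUserName": None, "deviceAddress": "10.0.0.5"},
]

def matches(events, event_field="attackerUserName"):
    """User names that would fire the rule under the given field mapping."""
    return [e["attackerUserName"] for e in events if disabled_login_attempt(e, event_field)]

if __name__ == "__main__":
    print(matches(EVENTS))                    # ['jdoe']
    # The symptom from the question: mapping the list key onto targetUserName
    # when these events carry the user elsewhere returns no entries at all.
    print(matches(EVENTS, "targetUserName"))  # []
```

Before building the rule, check a few real login events in a channel to see which field (attackerUserName or targetUserName) your connector populates, and map the list key to that field.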

2 Replies


Can you please share a rule screenshot?
