pamishr1 Absent Member.

Rule- Windows account created and deleted within 1 Hr


Hi Team,

Does anyone have any idea about this rule? How can we go ahead?

Accepted Solutions
sparky1 Absent Member.

Re: Rule- Windows account created and deleted within 1 Hr


Pretty straight forward one.

Create a rule to look for an account created, and then add the user information into an Activelist with a TTL of 1 hour.

Create a rule to look for an account being deleted and that the user name is in the Activelist from above.

9 Replies
pamishr1 Absent Member.

Re: Rule- Windows account created and deleted within 1 Hr


Can it be done in a single rule?

chrisb1 Established Member.

Re: Rule- Windows account created and deleted within 1 Hr


Yes. When defining the rule, you'll want to have two event definitions, with a time window of one hour, and match on event1.destinationUserName = event2.destinationUserName, where event1 is looking for user creations and event2 is looking for deletions.

This will eliminate the need for an active list; however, if you have a lot of creation events, you'll have a lot of partial matches in memory, so be careful.

pamishr1 Absent Member.

Re: Rule- Windows account created and deleted within 1 Hr


Hi,

I am attaching the screenshot. One doubt here: which event will get fired first?

How would it be decided, or is it simply the same order in which we are deploying it? [attachment: AC Created and deleted.jpg]

anwarrhce1 Established Member.

Re: Rule- Windows account created and deleted within 1 Hr


The rule engine works first come, first served...

So you should create the user creation event first.

brian.freedman@1 Absent Member.

Re: Rule- Windows account created and deleted within 1 Hr


This is horrible from an efficiency perspective. I strongly recommend going with the two-rules-and-an-active-list method.

chrisb1 Established Member.

Re: Rule- Windows account created and deleted within 1 Hr


Actually, you're incorrect. This is more efficient and less prone to problems. Given that it's a 1-hour time window, unless they are creating hundreds of accounts per day, they'll never have a large number of partial rule fires, so that is not an issue. However, if they were to use an active list, they lose the wonderful metadata from a SIEM that makes IR work easier. For instance, by using two events in a single rule, when the rule fires, it links both the creation and deletion events into one. If he were just using an active list, he'd have 2 rule fires to look for to find the events that triggered it - that's not efficient. In addition, if you were to have this rule open a case, you would not have both of the triggering events attached, only the 2nd event, and you'd have to waste an analyst's time going back and finding the first event to add it to the case. Finally, if you were to use two active lists, you have to make sure all the usernames are changed to a normalized case. Since Windows is not case sensitive, many applications will pass a username with the case that the username was entered in - Chrisb vs chrisb vs ChRiSB. Since an active list is case sensitive, this would never match. In a rule match, you simply create the variables to do the matching (toUpper(event1.targetUserName) = toUpper(event2.targetUserName)), but preserve the actual case of the username in the event, which aids an IR person in determining if someone is trying to evade monitoring.

michael.selph Absent Member.

Re: Rule- Windows account created and deleted within 1 Hr


I'm interested in you saying that it's more efficient to have one rule than it is to chain 2 rules using an active list. It seems to me that you have a number of reasons that it is more efficient:

1) Low event rate for account creation means low partial match rate

2) Base events for creation and deletion are in one correlated event and make IR easier.

3) Normalizing case is a pain for active lists, but not for RTR

I'd have to actually see the partial match numbers for this rule before I'd comment on number 1. I am under the impression that join rules are one of the most inefficient things ESM can do and I usually take pretty big steps to not actually use them.

As for keeping the creation and deletion events under one correlation event, I can see that being a positive. However, I have yet to work in an environment where analysts would actually have to dig up just the base event for an account creation. If this rule were to fire, the first thing that would be done is to pull every single log related to that username and attach them to the case. What's the problem with pulling that one extra log at that point?

As for number 3, I highly recommend that you turn on 'Uppercase User Names' on all of your connectors. It saves tons of time in general when you KNOW that all of your usernames will be uppercase, and I have yet to run into an issue where I need to ONLY look for 'admin' and not 'Admin'. Also, in 6.5c, you can specify that active lists not be case sensitive, which would solve that problem as well.

I think this boils down to whether or not the join rule is more or less efficient than 2 rules. All of my experience with ArcSight says that having a join rule open for an hour is wicked expensive, but having 1 rule that adds to an AL and another that looks for the deletion of accounts on that AL is much cheaper. It's totally possible that I'm wrong here, but it will probably take numbers to convince me.

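The two designs debated in this thread (sparky1's two rules plus a one-hour TTL active list, and chrisb1's single join rule matching creation to deletion on destinationUserName) and the username-case problem both posters raise, as an added Python simulation; this is not code from the thread or from ArcSight, and the sample events, timestamps, the `action` field and the `case_sensitive` switch are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Windows logs). Note the mixed case on the
# first user, which is exactly the case-sensitivity problem discussed above.
EVENTS = [
    {"time": "2024-01-01T10:00:00", "action": "created", "destinationUserName": "Chrisb"},
    {"time": "2024-01-01T10:20:00", "action": "deleted", "destinationUserName": "chrisb"},
    {"time": "2024-01-01T11:00:00", "action": "created", "destinationUserName": "svc_backup"},
    {"time": "2024-01-01T13:30:00", "action": "deleted", "destinationUserName": "svc_backup"},
    {"time": "2024-01-01T12:00:00", "action": "deleted", "destinationUserName": "orphan"},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def active_list_detect(events, ttl=timedelta(hours=1), case_sensitive=True):
    """Two-rule design: rule 1 adds a created user to an active list with a TTL,
    rule 2 fires when a deletion names a user still on the list.
    Returns only the deletion events, which is the IR drawback chrisb1 describes."""
    active = {}  # list key -> expiry time
    fires = []
    for event in sorted(events, key=_ts):
        name = event["destinationUserName"]
        key = name if case_sensitive else name.upper()
        # Drop entries whose TTL has elapsed before evaluating this event.
        active = {k: exp for k, exp in active.items() if exp > _ts(event)}
        if event["action"] == "created":
            active[key] = _ts(event) + ttl
        elif event["action"] == "deleted" and key in active:
            fires.append(event)
    return fires

def join_rule_detect(events, window=timedelta(hours=1)):
    """Single join rule: event1 = creation, event2 = deletion inside the window,
    matched on toUpper(destinationUserName) while the original case is preserved.
    Returns (creation, deletion) pairs, so both base events travel together."""
    partial = []  # open creation events still waiting for a matching deletion
    fires = []
    for event in sorted(events, key=_ts):
        # Partial matches older than the window are discarded (memory bound).
        partial = [p for p in partial if _ts(event) - _ts(p) <= window]
        if event["action"] == "created":
            partial.append(event)
        elif event["action"] == "deleted":
            for p in partial:
                if p["destinationUserName"].upper() == event["destinationUserName"].upper():
                    fires.append((p, event))
                    partial.remove(p)
                    break
    return fires
```

With the sample data, the case-sensitive active list misses the Chrisb/chrisb pair entirely, the case-insensitive list catches it but returns only the deletion, and the join rule returns both base events; svc_backup is correctly ignored because its deletion falls outside the hour.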
brian.freedman@1 Absent Member.

Re: Rule- Windows account created and deleted within 1 Hr


We are just coming from two different schools of thought on this. Either one of our solutions solves the OP's original question.
