karl2k1 Absent Member.

Share your tips for tracking AD group changes

Currently we have a couple of rules that look for the following event IDs and populate two lists: one for account creations, the other for account deletions.

[Screenshot: accounts deleted.png]

[Screenshot: accounts created.jpg]

The rule fires and adds the name, event ID (called external ID in ArcSight), attacker username, attacker user ID, attacker address, attacker hostname, target username, target user ID, and device custom string 6 to an active list. At the beginning of the week a report gets sent out of each active list.

We have a 2003/2008 environment, and it works OK for the most part. One of the issues is that there is no uniformity at all when someone is added to or removed from a group. Depending on the source (2003/2008) and the event type, it will sometimes put the unreadable SID as target user ID, sometimes just the group name and cname as device custom string 6, etc.

If I need to search back a week for something that does not show up in my lists, it is a nightmare because there are so many fields it could have populated with the username. I've found that I am more successful if I search Raw Event contains "full name of user" [ignore case] or Raw Event contains "username" [ignore case].

A tweak I will add eventually is to have the raw event added to the active list. Everyone knows the issue with that when you have to add a single column to an active list: you have to create a whole new list, update the rule aggregation and action tab, export the existing list as a report, and import it into the new list to backfill the old entries.

What do you guys do?

4 Replies
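As an added example (not part of the original thread or of any ArcSight content), the following Python shows one way to get the uniformity the post is missing: it maps the pre-Vista (2003) and 2008+ group-membership event IDs onto the same action/scope, resolves a SID to an account name, and falls back to the raw event text whenever a structured field is empty, which is what makes a later "search by username" reliable. Field names such as externalId, targetUserName, targetUserId, deviceCustomString6 and attackerUserName follow ArcSight naming as an assumption; the sample events, the raw-text layouts they contain and the SID lookup table are constructed for the example.

```python
"""Normalize AD group-membership change events from mixed Windows 2003/2008+
sources into one record, with raw-event fallback.  Example code; field names
are assumed to follow ArcSight conventions, sample data is constructed."""
import re

# Security-log event IDs for group membership changes.  Pre-Vista (2003) IDs
# and their 2008+ equivalents map onto the same (action, group scope).
GROUP_EVENTS = {
    "632": ("added", "global"),      "4728": ("added", "global"),
    "633": ("removed", "global"),    "4729": ("removed", "global"),
    "636": ("added", "local"),       "4732": ("added", "local"),
    "637": ("removed", "local"),     "4733": ("removed", "local"),
    "660": ("added", "universal"),   "4756": ("added", "universal"),
    "661": ("removed", "universal"), "4757": ("removed", "universal"),
}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed SID lookup; in production resolve against AD (LDAP objectSid).
SID_TABLE = {"S-1-5-21-1111-2222-3333-1105": "CORP\\jdoe"}

# Raw-text patterns for the fields that land in different places depending on
# the OS version (constructed to match the sample layouts below).
MEMBER_RAW_RE = r"(?:Member ID|Member:\s*Security ID):\s*(S-1-[\d-]+)"
GROUP_RAW_RE = (r"(?:Target Account Name|Group Name):\s*(.+?)"
                r"(?=\s+(?:Caller User Name|Target Domain|Group Domain):|$)")
ACTOR_RAW_RE = r"(?:Caller User Name|Subject:.*?Account Name):\s*(\S+)"


def resolve_sid(value):
    """Return an account name for a known SID, else the input unchanged."""
    if value and SID_RE.match(value):
        return SID_TABLE.get(value, value)  # unresolved SIDs stay as-is
    return value


def grep_raw(raw, pattern):
    """Pull one field out of the raw Windows event text (case-insensitive)."""
    m = re.search(pattern, raw, re.IGNORECASE)
    return m.group(1) if m else None


def normalize(event):
    """Map a parsed event to a uniform record, or None if it is not a group
    membership change.  Structured fields win; the raw event is the fallback."""
    eid = str(event.get("externalId", ""))
    if eid not in GROUP_EVENTS:
        return None
    action, scope = GROUP_EVENTS[eid]
    raw = event.get("rawEvent", "")
    member = (event.get("targetUserName")
              or resolve_sid(event.get("targetUserId"))
              or grep_raw(raw, MEMBER_RAW_RE))
    group = event.get("deviceCustomString6") or grep_raw(raw, GROUP_RAW_RE)
    actor = event.get("attackerUserName") or grep_raw(raw, ACTOR_RAW_RE)
    return {"event_id": eid, "action": action, "scope": scope,
            "member": resolve_sid(member), "group": group, "actor": actor,
            "source": event.get("deviceHostName")}


def search_raw(events, needle):
    """The manual fallback from the post: case-insensitive substring search
    over the raw event, returning normalized records for the hits."""
    needle = needle.lower()
    return [normalize(e) for e in events if needle in e.get("rawEvent", "").lower()]


def records_for_member(events, member):
    """What the normalized active list makes possible: look up by account."""
    return [r for r in map(normalize, events)
            if r and r["member"] and r["member"].lower() == member.lower()]


# Constructed samples: 2003-style with the member only as a SID and the group
# only in raw text; 2008-style fully populated; 2012-style with raw text only.
SAMPLE_EVENTS = [
    {"externalId": 632, "deviceHostName": "dc2003", "attackerUserName": "admin1",
     "targetUserId": "S-1-5-21-1111-2222-3333-1105",
     "rawEvent": "Security Enabled Global Group Member Added: Member Name: - "
                 "Member ID: S-1-5-21-1111-2222-3333-1105 "
                 "Target Account Name: Domain Admins Caller User Name: admin1"},
    {"externalId": 4728, "deviceHostName": "dc2008", "attackerUserName": "admin2",
     "targetUserName": "CORP\\jdoe", "deviceCustomString6": "Domain Admins",
     "rawEvent": "A member was added to a security-enabled global group. "
                 "Member: Account Name: CN=John Doe,OU=Users,DC=corp,DC=local "
                 "Group: Group Name: Domain Admins"},
    {"externalId": 4732, "deviceHostName": "dc2012",
     "rawEvent": "A member was added to a security-enabled local group. "
                 "Subject: Security ID: S-1-5-21-1111-2222-3333-500 Account Name: admin3 "
                 "Member: Security ID: S-1-5-21-1111-2222-3333-1105 "
                 "Account Name: CN=John Doe,OU=Users,DC=corp,DC=local "
                 "Group: Security ID: S-1-5-32-544 Group Name: Administrators "
                 "Group Domain: Builtin"},
]

if __name__ == "__main__":
    for rec in map(normalize, SAMPLE_EVENTS):
        print(rec)
    print("raw search 'jdoe':", len(search_raw(SAMPLE_EVENTS, "jdoe")))
    print("raw search 'john doe':", len(search_raw(SAMPLE_EVENTS, "john doe")))
    print("by member:", len(records_for_member(SAMPLE_EVENTS, "CORP\\jdoe")))
```

On the three constructed events, a raw search for the username "jdoe" finds nothing (the raw text carries a SID or a distinguished name), a raw search for the full name finds two, and the normalized member field finds all three; that is the difference between hunting through raw events and populating the active list from normalized fields.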
farrukhaftab1 Absent Member.

Re: Share your tips for tracking AD group changes

Hi Karl,

Thanks for the above post. Did you get anywhere WRT these sorts of reporting issues? I have also noticed the same problem. When ArcSight (Logger) is processing Windows 2003 it works fine; however, when it comes to Win 2008/2012 it lists the user names in the Group Name column, which is quite bizarre. How would you cope with this challenge where you have got both 2003 and 2008/2012 environments?

karl2k1 Absent Member.

Re: Share your tips for tracking AD group changes

To be honest, we no longer have 2003 servers in our environment, and it has made it easier to create content.

LakeHealthInfoS Outstanding Contributor.

Re: Share your tips for tracking AD group changes

HP ArcSight IdentityView:

This is the easiest way to monitor your users from almost every angle.

Without this, the Content Package for Microsoft Windows System Monitoring is very good.

Of course, if you can get rid of Windows 2003 you are in a much better place for alerting on and monitoring user activity, as the 2008 and 2012 content is extremely spot on.

pbrettle Acclaimed Contributor.

Re: Share your tips for tracking AD group changes

I would reiterate the comment about the Microsoft Windows System Monitoring content.

It should be included in ESM 6.x but might not be in earlier versions. It's standard content and works well, so I would recommend it. There is a load of stuff in there around group changes and privileged account changes. It's focused around 2008 and 2003, so it should work well. But I would recommend double-checking the event IDs for the 2003 side of things: they are listed in the content documentation, but it's worth double-checking them all (from your screenshot above), as I have had a couple of issues in the past.
