4 Replies Latest reply on Aug 8, 2017 4:22 PM by curtisi

    Actions within Rules


      This will be the first time I create a bespoke rule of my own on the LEM that implements an action for the correlating events.


      My goal is to get an alert for any new users being added to *admin* groups within Active Directory, outside of business hours at my organization, as well as sending my team an email. Our Domain Controller looks to have the Active Response connector enabled and running, and I know this based on other rules with actions that we have that are working correctly.


      I am trying to understand the logic of "remove domain user from group" as being the best option out of the other similar actions in the list. Beyond being uncertain of that, it's asking for the following information. The only fields I could add were text/time, etc. What exactly is this asking for?


      Does it want the node name for the DC that the agent is on? And does it need every Admin Group we have typed in, because we have a lot of groups with varying naming conventions? And what user name is it needing? I have no theories on that one.




        • Re: Actions within Rules

          In this scenario, you need to provide the name of a domain controller with the LEM agent installed on it for that first field.  You may need to define that with a text constant.  The other fields can come from the alert data.


          Basically, you're telling LEM "If you see THING, then go to DOMAIN CONTROLLER AGENT and remove USER NAME from GROUP NAME."


          IMHO, what may make more sense is setting up an action that disables the newly added account and the source account that made the change (that'd be two actions in one rule).

          1 of 1 people found this helpful
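As an added illustration of the rule logic discussed in this thread (this is example code written for this page, not LEM's own rule configuration and not code from any poster): it takes a few constructed Windows Security group-membership events, keeps only additions to groups that match admin-group patterns, checks whether the change happened outside business hours, and produces the three values the "remove domain user from group" action needs (the DC agent, the user, the group). The business hours, the `-Admins-` naming pattern and the DC names are assumptions; the event IDs 4728, 4732 and 4756 are the real Windows IDs for a member being added to a security-enabled global, local or universal group.

```python
import re
from datetime import datetime, time

# Windows Security event IDs logged when a member is added to a
# security-enabled group (global, local, universal respectively).
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}

# Business hours and days (assumed values; adjust to the organisation).
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
BUSINESS_DAYS = {0, 1, 2, 3, 4}  # Monday..Friday

# Patterns covering the admin groups of interest. The built-in names are
# real AD defaults; the "-Admins-" convention is a hypothetical example of
# matching locally named groups without typing in every one of them.
ADMIN_GROUP_PATTERNS = [
    re.compile(r"^(Domain|Enterprise|Schema) Admins$", re.I),
    re.compile(r"^Administrators$", re.I),
    re.compile(r"-Admins-", re.I),
]

# Constructed sample events, flattened from the EventData fields a DC
# would log. Aug 8 2017 is a Tuesday; Aug 5/6 are a Saturday/Sunday.
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2017-08-08T02:15:00", "Computer": "DC01",
     "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=Bob Smith,OU=Staff,DC=example,DC=com"},
    {"EventID": 4728, "TimeCreated": "2017-08-08T10:30:00", "Computer": "DC01",
     "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=Alice Jones,OU=Staff,DC=example,DC=com"},
    {"EventID": 4732, "TimeCreated": "2017-08-05T23:00:00", "Computer": "DC02",
     "SubjectUserName": "helpdesk1", "TargetUserName": "Helpdesk",
     "MemberName": "CN=Carol White,OU=Staff,DC=example,DC=com"},
    {"EventID": 4756, "TimeCreated": "2017-08-06T14:00:00", "Computer": "DC02",
     "SubjectUserName": "svc-deploy", "TargetUserName": "SRV-Admins-Tier1",
     "MemberName": "CN=Dan Brown,OU=Staff,DC=example,DC=com"},
    {"EventID": 4720, "TimeCreated": "2017-08-06T14:01:00", "Computer": "DC02",
     "SubjectUserName": "svc-deploy", "TargetUserName": "dbrown",
     "MemberName": "-"},
]


def is_admin_group(group_name):
    """True if the group name matches any of the admin-group patterns."""
    return any(p.search(group_name) for p in ADMIN_GROUP_PATTERNS)


def outside_business_hours(ts):
    """True on weekends or outside the configured daily window."""
    if ts.weekday() not in BUSINESS_DAYS:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def member_account(member_dn):
    """Reduce a distinguished name such as 'CN=Bob Smith,OU=...' to its CN."""
    m = re.match(r"^CN=([^,]+)", member_dn, re.I)
    return m.group(1) if m else member_dn


def evaluate(event, dc_agent=None):
    """Return the action parameters for a qualifying event, else None.

    dc_agent mirrors the thread's advice that the first action field is the
    DC with the LEM agent installed, typically set as a text constant; if
    not given, the DC that logged the event is used.
    """
    if event["EventID"] not in GROUP_ADD_EVENT_IDS:
        return None
    if not is_admin_group(event["TargetUserName"]):
        return None
    ts = datetime.fromisoformat(event["TimeCreated"])
    if not outside_business_hours(ts):
        return None
    return {
        "when": event["TimeCreated"],
        "changed_by": event["SubjectUserName"],
        "agent": dc_agent or event["Computer"],      # where the action runs
        "member": member_account(event["MemberName"]),  # user to remove
        "group": event["TargetUserName"],            # group to remove from
    }


def run(events, dc_agent=None):
    """Evaluate every event and return the list of alerts to act on."""
    return [a for a in (evaluate(e, dc_agent) for e in events) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Running it flags the 02:15 addition to Domain Admins and the Sunday addition to SRV-Admins-Tier1, and ignores the in-hours change, the non-admin group and the unrelated event ID. The pattern list is what lets the rule cover many differently named admin groups without enumerating each one.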
            • Re: Actions within Rules

              Thank you for getting back to me on this. This is absolutely the type of learning curve that when you eventually 'get it' it clicks perfectly. Otherwise - it's almost a foreign language.


              I finally had a chance to look at this again and work through it logically. I believe I have what I want for the time being. I think disabling the user account (eventually) is a great idea. We have multiple admins in our IT department, so that is not something I would just do and would have to alert everyone to. So for the time being I am simply telling it to remove the new group member from the group name in the alert, as you can see below.


            • Re: Actions within Rules

              On this note, we have a primary and backup DC. In the event one is down and the other is up, can I somehow add that to the field as a wildcard, seeing as their naming conventions are only one character off, or will that not allow the rule to action correctly from the start?