
Actions within Rules

This will be the first time I create a bespoke rule of my own on the LEM that implements an action for the correlating events.

My goal is to get an alert for any new users being added to *admin* groups within Active Directory outside of business hours at my organization, as well as sending my team an email. Our Domain Controller looks to have the Active Response connector enabled and running, and I know this based on other rules with actions that we have that are working correctly.

I am trying to understand the logic of "remove domain user from group" as being the best option out of the other similar actions in the list. Beyond being uncertain of that, it's asking for the following information. The only fields I could add were text/time, etc. What exactly is this asking for?

Does it want the node name for the DC that the agent is on? And does it need every Admin Group we have typed in, because we have a lot of groups with varying naming conventions? And what user name is it needing? I have no theories on that one.

  • In this scenario, you need to provide the name of a domain controller with the LEM agent installed on it for that first field. You may need to define that with a text constant. The other fields can come from the alert data.

    Basically, you're telling LEM "If you see THING, then go to DOMAIN CONTROLLER AGENT and remove USER NAME from GROUP NAME."

    IMHO, what may make more sense is setting up an action that disables the newly added account and the source account that made the change (that'd be two actions in one rule).

  • Thank you for getting back to me on this. This is absolutely the type of learning curve that when you eventually 'get it' it clicks perfectly. Otherwise - it's almost a foreign language.

    I finally had a chance to look at this again and work through it logically. I believe I have what I want for the time being. I think disabling the user account (eventually) is a great idea. We have multiple admins in our IT department, so that is not something I would just do and would have to alert everyone to. So for the time being I am simply telling it to remove the new group member from the group name in the alert, as you can see below.

  • On this note, we have a primary and backup DC. In the event one is down and the other is up, can I somehow add that to the field as a wildcard, seeing as their naming conventions are only one character off, or will that not allow the rule to action correctly from the start?

  • You can't do a wildcard, but you can have the same action more than once, so add a second "Remove Domain User From Group" and use the second DC in the second action.
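The two answers above describe the same correlation in LEM terms: "if you see THING (a member added to an admin group, outside business hours), go to DOMAIN CONTROLLER AGENT and remove USER NAME from GROUP NAME", with a second copy of the action for the backup DC because the DC field takes no wildcard. The script below is an added example of that logic written directly in PowerShell against the Windows Security log and the ActiveDirectory module; it is not LEM's own code and not from the original thread. It assumes business hours of 08:00 to 18:00 local time on weekdays, that "admin group" means any group whose name matches `*admin*`, domain controllers named DC01 and DC02 (primary first, backup second), that it runs on the DC whose Security log records the change (the same place the LEM agent would sit), and placeholder SMTP settings for the email step. All of those names and values are assumptions for the example.

```powershell
# Added example, not from the LEM thread: find off-hours additions to admin
# groups in the Security log and undo them, trying each DC in turn.
# Assumptions (hypothetical): business hours 08:00-18:00 Mon-Fri, admin groups
# match '*admin*', DCs named DC01/DC02, placeholder SMTP host and addresses.
#Requires -Modules ActiveDirectory

$AdminGroupPattern = '*admin*'
$DomainControllers = @('DC01', 'DC02')   # primary first, backup second
$BusinessStart     = 8                    # 08:00
$BusinessEnd       = 18                   # 18:00

function Test-OutsideBusinessHours {
    param([datetime]$Time)
    # Weekends count as outside hours, as does any weekday time before 08:00
    # or at/after 18:00.
    if ($Time.DayOfWeek -in 'Saturday', 'Sunday') { return $true }
    return ($Time.Hour -lt $BusinessStart -or $Time.Hour -ge $BusinessEnd)
}

function Get-AdminGroupAddition {
    param([datetime]$Since = (Get-Date).AddMinutes(-15))
    # 4728 = member added to a global security group, 4732 = domain local,
    # 4756 = universal. These are the events LEM normalizes into its
    # "user added to group" alert.
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # TargetUserName is the group, MemberName is the DN of the account that
        # was added, SubjectUserName is the account that made the change.
        if ($data['TargetUserName'] -notlike $AdminGroupPattern) { continue }
        if (-not (Test-OutsideBusinessHours $e.TimeCreated)) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Group     = $data['TargetUserName']
            MemberDN  = $data['MemberName']
            ChangedBy = $data['SubjectUserName']
        }
    }
}

function Remove-AdminGroupMemberWithFallback {
    param([string]$Group, [string]$MemberDN)
    # The scripted equivalent of two "Remove Domain User From Group" actions:
    # try the primary DC, then the backup. Returns the DC that took the change.
    foreach ($dc in $DomainControllers) {
        try {
            Remove-ADGroupMember -Identity $Group -Members $MemberDN -Server $dc `
                -Confirm:$false -ErrorAction Stop
            return $dc
        } catch {
            Write-Warning "Removal via $dc failed: $($_.Exception.Message)"
        }
    }
    throw "No domain controller accepted the removal of $MemberDN from $Group"
}

foreach ($hit in Get-AdminGroupAddition) {
    $usedDc = Remove-AdminGroupMemberWithFallback -Group $hit.Group -MemberDN $hit.MemberDN
    # The email action. SMTP host and addresses are placeholders.
    $body = '{0} was added to {1} by {2} at {3}; membership removed via {4}.' -f `
        $hit.MemberDN, $hit.Group, $hit.ChangedBy, $hit.Time, $usedDc
    Send-MailMessage -SmtpServer 'smtp.example.com' -From 'lem@example.com' `
        -To 'secops@example.com' -Subject "Off-hours admin group change reverted ($($hit.Group))" `
        -Body $body
}
```

Two points worth keeping in mind when mapping this back to the LEM rule. The group-addition event is written by whichever DC processed the change, so the detection side needs an agent (or, here, the script) on every DC, not only the one named in the action. And the removal is deliberately limited to the group membership; the first answer's stronger option of also disabling the added account and the account that made the change would be one more action per account (`Disable-ADAccount` in this script's terms), which the poster chose to hold off on because legitimate admins make off-hours changes too.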