This will be the first time I create a bespoke rule of my own on the LEM that implements an action for the correlating events.
My goal is to get an alert for any new users being added to *admin* groups within Active Directory outside of business hours at my organization, as well as sending my team an email. Our Domain Controller looks to have the Active Response connector enabled and running, and I know this based on other rules with actions that we have that are working correctly.
I am trying to understand the logic of "remove domain user from group" as being the best option out of the other similar actions in the list. Beyond being uncertain of that, it's asking for the following information. The only fields I could add were text/time, etc. What exactly is this asking for?
Does it want the node name for the DC that the agent is on? And does it need every Admin Group we have typed in, because we have a lot of groups with varying naming conventions? And what user name is it needing? I have no theories on that one.
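As an added illustration (not part of the original post and not LEM's own rule syntax), the detection half of the question, "member added to an admin group outside business hours", can be expressed as plain correlation logic over Windows Security events. The event IDs used are the standard ones for "a member was added to a security-enabled group" (4728 global, 4732 local, 4756 universal). Everything else is an assumption for the example: the 08:00 to 18:00 Monday to Friday window, matching admin groups by the substring "admin" instead of listing every group, the field names on each event record, and the sample events themselves, which are constructed. The values the filter pulls out of a matching event (the DC that logged it, the group, the member added) are the same three pieces of information the action form is asking about.

```python
import re
from datetime import datetime, time

# Windows Security event IDs for "a member was added to a security-enabled group":
# 4728 = global group, 4732 = local group, 4756 = universal group.
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}

# Assumption: rather than typing in every admin group, match any group whose
# name contains "admin" (case-insensitive). Tune this to your naming conventions.
ADMIN_GROUP_PATTERN = re.compile(r"admin", re.IGNORECASE)

# Assumed business hours: 08:00-18:00 local time, Monday (0) to Friday (4).
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
BUSINESS_DAYS = {0, 1, 2, 3, 4}


def outside_business_hours(ts: datetime) -> bool:
    """True if the timestamp falls on a weekend or outside the working window."""
    if ts.weekday() not in BUSINESS_DAYS:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def is_admin_group_addition(event: dict) -> bool:
    """True if the event is a member-added event whose target group looks administrative."""
    return (
        event["event_id"] in GROUP_ADD_EVENT_IDS
        and ADMIN_GROUP_PATTERN.search(event["group"]) is not None
    )


def find_after_hours_admin_additions(events):
    """Return the events that should raise an alert, in the order they were seen."""
    hits = []
    for event in events:
        ts = datetime.fromisoformat(event["timestamp"])
        if is_admin_group_addition(event) and outside_business_hours(ts):
            hits.append({
                "timestamp": event["timestamp"],
                "dc": event["computer"],          # node that logged the event
                "actor": event["subject_user"],   # account that made the change
                "member": event["member"],        # account that was added
                "group": event["group"],          # group it was added to
            })
    return hits


# Constructed sample events (not real log data).
# 2024-06-14 is a Friday, 2024-06-15 a Saturday.
SAMPLE_EVENTS = [
    {"event_id": 4728, "timestamp": "2024-06-14T10:15:00", "computer": "DC01",
     "subject_user": "svc_provision", "member": "jdoe", "group": "Domain Admins"},
    {"event_id": 4732, "timestamp": "2024-06-14T23:12:00", "computer": "DC01",
     "subject_user": "bsmith", "member": "tempuser", "group": "Administrators"},
    {"event_id": 4756, "timestamp": "2024-06-15T09:30:00", "computer": "DC02",
     "subject_user": "bsmith", "member": "contractor1", "group": "Enterprise Admins"},
    {"event_id": 4728, "timestamp": "2024-06-14T02:00:00", "computer": "DC01",
     "subject_user": "hr_sync", "member": "newhire", "group": "Sales"},
    {"event_id": 4720, "timestamp": "2024-06-14T02:05:00", "computer": "DC01",
     "subject_user": "hr_sync", "member": "newhire", "group": "SQL-Admins-Prod"},
]

if __name__ == "__main__":
    for hit in find_after_hours_admin_additions(SAMPLE_EVENTS):
        print(f"ALERT {hit['timestamp']} {hit['dc']}: {hit['actor']} added "
              f"{hit['member']} to {hit['group']}")
```

Run as-is, only the two after-hours additions to "Administrators" and "Enterprise Admins" are reported; the in-hours Domain Admins change, the after-hours change to a non-admin group, and the account-creation event (4720) are all filtered out. Whether a rule then only emails the team or also reverses the change is a separate decision; the filter above is what decides that the event is worth acting on at all.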