4 Replies Latest reply on Oct 1, 2014 8:16 AM by yeah yeah

    Rule Request - Admins Browsing the Web

    yeah yeah

      I need a rule that checks for admins logging on servers and browsing the web. Is this possible?

        • Re: Rule Request - Admins Browsing the Web
          stormbringer

          I need a rule that checks for admins logging on servers and browsing the web. Is this possible? said no Sysadmin ever!

          • Re: Rule Request - Admins Browsing the Web
            nicole pauls

            Well... there's a couple of ways to go about it.

            One way would be to detect the User Logon, then the launch of a browser process (chrome, iexplore, firefox, etc) from the same user. That'd all rely solely on events from the OS, so it'd be pretty tidy, but it does not tell you where they were going - if you care. You do need to drop in the names of the browser processes, though, so it may not be foolproof (but if your admin is renaming browser processes...).

            Prereq: need to be doing Process Audit success and auditing account logons, agent on server(s) in question.

            UserLogon.DestinationAccount = <admins group using directory groups, or by typing a username, or using a user-defined group>

            ProcessStart.ImageFile = <user-defined group of processes, or the name of a single process>

            UserLogon.DestinationAccount = ProcessStart.SourceAccount

            English: Look for a logon to the destination account in my admins, look for a process to start that has the browser name in it, and make sure they are both from the same user.

            Another way would be to use proxy server or firewall log data and correlate THAT with the UserLogon. You could either do it by IP or username. You might want to threshold it to a few hits since a single website might trigger several hits to the firewall/proxy and that could make the rule fire a few times.

            Prereq: firewall will need to trigger events on egress OR using a proxy server logging to LEM, auditing account logons and agent on server(s) in question.

            UserLogon.DestinationAccount = <admins group using directory groups, or by typing a username, or using a user-defined group>

            (Network Events.SourceMachine = <server connector profile/group, name of single server, or using a user-defined group>

            2 in 10 seconds

            Advanced Threshold: Same SourceMachine, Re-Infer: 60 seconds)

            UserLogon.DestinationMachine = Network Events.SourceMachine

            English: Look for a logon to the destination account in my admins, look for 2 network events from my server in 10 seconds but only re-check every 60 seconds for the same events after the first time, and make sure they are both to/from the same machine (server).

            I can take a couple screenshots or provide more insight depending on how you want to go about it. There MIGHT be a chance that the Windows Firewall will detect outbound web traffic and you could use that, but it's so noisy and often turned off on servers.
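The two correlations described in this reply, written out as an added example that is not part of the original thread and not LEM's own rule engine: constructed OS logon, process-start and proxy/firewall events (field names are assumptions) are run through a "logon then browser process from the same account" check and a thresholded "logon then egress from the same server" check with a re-infer suppression window.

```python
from collections import defaultdict

# Constructed sample events (not from the thread). "t" is seconds; field
# names (account, image, machine, source) are assumptions for illustration.
EVENTS = [
    {"type": "UserLogon", "account": "alice.admin", "machine": "srv01", "t": 0},
    {"type": "ProcessStart", "account": "alice.admin", "machine": "srv01", "t": 5,
     "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"},
    {"type": "ProcessStart", "account": "svc_backup", "machine": "srv01", "t": 6,
     "image": "C:\\Windows\\System32\\svchost.exe"},
    {"type": "NetworkEvent", "source": "srv01", "dest_port": 443, "t": 7},
    {"type": "NetworkEvent", "source": "srv01", "dest_port": 443, "t": 9},
    {"type": "NetworkEvent", "source": "srv02", "dest_port": 443, "t": 30},
]

ADMINS = {"alice.admin", "bob.admin"}                      # stands in for the admins group
BROWSERS = {"chrome.exe", "iexplore.exe", "firefox.exe"}  # user-defined process group

def browser_after_admin_logon(events, admins=ADMINS, browsers=BROWSERS):
    """Rule 1: admin logon, then a browser ImageFile started by that same account
    on the same server. Only matches by process name, so a renamed browser is missed."""
    logged_on = set()  # (account, machine) pairs seen logging on
    alerts = []
    for e in sorted(events, key=lambda e: e["t"]):
        if e["type"] == "UserLogon" and e["account"] in admins:
            logged_on.add((e["account"], e["machine"]))
        elif e["type"] == "ProcessStart":
            name = e["image"].rsplit("\\", 1)[-1].lower()
            if name in browsers and (e["account"], e["machine"]) in logged_on:
                alerts.append((e["account"], e["machine"], name))
    return alerts

def egress_after_admin_logon(events, admins=ADMINS, count=2, window=10, reinfer=60):
    """Rule 2: admin logon on a server, then `count` network events from that
    server within `window` seconds; re-alert for the same server only after
    `reinfer` seconds so one page load does not fire the rule repeatedly."""
    admin_machines = set()
    hits = defaultdict(list)   # machine -> recent event timestamps
    last_alert, alerts = {}, []
    for e in sorted(events, key=lambda e: e["t"]):
        if e["type"] == "UserLogon" and e["account"] in admins:
            admin_machines.add(e["machine"])
        elif e["type"] == "NetworkEvent" and e["source"] in admin_machines:
            m, t = e["source"], e["t"]
            hits[m] = [x for x in hits[m] if t - x <= window] + [t]
            if len(hits[m]) >= count and t - last_alert.get(m, -reinfer) >= reinfer:
                alerts.append((m, t))
                last_alert[m] = t
    return alerts
```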

              • Re: Rule Request - Admins Browsing the Web
                yeah yeah

                This should work. I'll implement it and see what happens.

                I guess I should have elaborated a bit more earlier....my only focus is on the servers. Admins are the only ones that have access. There should be no browsing from the servers. That's the intent of the check. Browsing from the server is just asking for trouble.

                • Re: Rule Request - Admins Browsing the Web
                  yeah yeah

Alright, I may have missed a step somewhere. I did the first portion of the rule:

                  ProcessStart.ImageFile = iexplore.exe

                  And that would be marked as an incident. Well nothing happened. Worked on the 6.0.1 upgrade (which failed, then the next day...everything started working again, odd). Well, now I'm on 6.0.1, and that rule is firing every second. I'm not even sure why it's firing. It's popped about 25000+ times in the past day. I feel like I'm going to get a self DoS. So, I disabled the rule, nothing. Deleted the rule, nothing. It's still firing!!