7 Replies Latest reply on Jul 17, 2015 4:31 PM by nicole pauls

    Need help with correlating two events

    samuryan89

We have a client that would like to get emailed alerts when an account with administrative privileges logs in. I've found two events that occur together that indicate the use of an administrative account (Windows Event IDs 4624 and 4672). For example, Event ID 4624 says "Logon "<domain>\ryan.butler"", and Event ID 4672 says "Privilege assigned to new logon "<domain>\ryan.butler"". I would like to build a rule for if those two events occur for the same username within a short period of time, send an email alert. Is there a way to do this? See attached screenshots for the two events.

        • Re: Need help with correlating two events
          nicole pauls

          Are they Domain Admins, or just Local Admins, or both? You could possibly do this more simply if you wanted to by looking for domain admins and ANY local account logins (since presumably on a domain local logons really shouldn't be happening). If you integrate LEM with Active Directory you can pull down the Domain Admins group and then create a "UserLogon.LogonType = *Interactive*" AND "UserLogon.DestinationAccount = Domain Admins" rule.

           

However, to answer the question... we need a field that is the same across the two of them to tie them together, then we can do something like:

          UserLogon.ProviderSID = *4624

          and

          PolicyScopeChange.ProviderSID = *4762

          and

          UserLogon.DestinationAccount = PolicyScopeChange.DestinationAccount

           

          within ~30 seconds.

           

          (You might also want to toss in a DetectionIP or DestinationMachine in case that user could be logging on more than one place at once, but that's pretty unlikely.)

           

          ...but from the screenshots it looks like the logon has the bare username and the privilege assignment has DOMAIN\username?

            • Re: Need help with correlating two events
              samuryan89

              That seemed to me like it might be an issue as well, as the "Destination Account" field is different between the two events (one with domain, one without). Would this not be possible to do then in this manner?

               

              However, your first option sounds like it should deliver the results we are looking for. How would I go about getting the Domain Admins group pulled into LEM?

                • Re: Need help with correlating two events
                  nicole pauls

                  This video @ 1:20 shows an example of configuring Active Directory with LEM - [VIDEO] How To Use Log and Event Manager to Alert on Unauthorized Access - it's about something else before/after that, but it does show an example. The easiest way is to use the Getting Started widget tools from Ops Center to configure basic settings, which includes the active directory connection. Then, from Build>Groups, you can select the groups you want to use in LEM. Theeeeen, from Build>Rules you can use these groups in rules, to do something like:

                   

                  UserLogon.DestinationAccount = <domain admins>

                  and

                  UserLogon.LogonType = *interactive* (if you only want to see interactive or remote desktop logons, not network or service logons - if you want to see everything you can leave this off)

                   

                  To create a local logons rule, the easiest thing to do is to look for logons not to your domain/domains. For example:

                  UserLogon.DestinationDomain <> <your domain>

                  and

                  UserLogon.LogonType = *interactive* (to only see interactive logons)

                   

                  You shouldn't need to refine by the Event ID, but you can always use the ProviderSID field if you need to.
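The following is an added, runnable illustration of the three rules discussed in this thread; it is plain Python, not LEM rule syntax, and not code posted by either participant. Over a handful of constructed 4624/4672 records it (1) pairs a logon with a privilege-assignment event for the same account on the same host within 30 seconds, as in the first reply, normalizing "DOMAIN\user" and bare-user-plus-domain into one form so the field mismatch noted above does not break the join; (2) flags interactive logons by members of a Domain Admins list; and (3) flags interactive logons whose account domain is not the AD domain, i.e. local accounts. The domain CONTOSO, the hostnames, the account names, the record layout and all sample records are made up for the example; the privilege event is taken as Event ID 4672, the ID given in the question. In the native Security log, 4624's TargetLogonId and 4672's SubjectLogonId carry the same value for one session and are the exact join key wherever a product exposes them; the code below falls back to account plus host plus time window because that is what the thread's DestinationAccount fields offer.

```python
"""Correlate Windows 4624 (logon) with 4672 (special privileges assigned)
and flag privileged or local interactive logons.

Added example for the thread above; all records below are constructed.
"""
from datetime import datetime

# Logon types LEM's "*interactive*" wildcard would cover: Interactive (2),
# RemoteInteractive (10), CachedInteractive (11). Network (3) and Service (5)
# are deliberately excluded, as the reply suggests.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Constructed sample events (not real log data). 4624 gives user + domain as
# separate fields; 4672 gives a single "DOMAIN\\user" string, reproducing the
# mismatch seen in the screenshots. logon_id mirrors TargetLogonId/SubjectLogonId.
SAMPLE_EVENTS = [
    {"time": "2015-07-17T14:00:00", "id": 4624, "computer": "WS01",
     "user": "ryan.butler", "domain": "CONTOSO", "logon_type": 2, "logon_id": "0x3e7a1"},
    {"time": "2015-07-17T14:00:01", "id": 4672, "computer": "WS01",
     "user": "CONTOSO\\ryan.butler", "logon_id": "0x3e7a1"},
    # Network logon by an ordinary user; no 4672 follows.
    {"time": "2015-07-17T14:05:00", "id": 4624, "computer": "WS02",
     "user": "jane.doe", "domain": "CONTOSO", "logon_type": 3, "logon_id": "0x41c02"},
    # Local (non-domain) administrator logging on interactively.
    {"time": "2015-07-17T14:10:00", "id": 4624, "computer": "WS02",
     "user": "Administrator", "domain": "WS02", "logon_type": 2, "logon_id": "0x4412b"},
    {"time": "2015-07-17T14:10:00", "id": 4672, "computer": "WS02",
     "user": "WS02\\Administrator", "logon_id": "0x4412b"},
    # Service logon whose 4672 lands 45 s later: outside the 30 s window.
    {"time": "2015-07-17T14:20:00", "id": 4624, "computer": "SRV01",
     "user": "svc_backup", "domain": "CONTOSO", "logon_type": 5, "logon_id": "0x50a01"},
    {"time": "2015-07-17T14:20:45", "id": 4672, "computer": "SRV01",
     "user": "CONTOSO\\svc_backup", "logon_id": "0x50a01"},
]


def normalize_account(user, domain=None):
    """Return 'domain\\user' in lower case, whether the source supplied
    'DOMAIN\\user' in one field or a bare user plus a separate domain field."""
    if "\\" in user:
        domain, user = user.split("\\", 1)
    return f"{(domain or '').lower()}\\{user.lower()}"


def _account(event):
    return normalize_account(event["user"], event.get("domain"))


def _seconds_between(earlier, later):
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds()


def correlate_privileged_logons(events, window_seconds=30):
    """Rule from the first reply: a 4624 followed within window_seconds by a 4672
    for the same normalized account on the same computer. Returns one
    (account, computer, logon_time) tuple per correlated logon."""
    privileges = [e for e in events if e["id"] == 4672]
    alerts = []
    for logon in (e for e in events if e["id"] == 4624):
        account = _account(logon)
        for priv in privileges:
            if (_account(priv) == account
                    and priv["computer"] == logon["computer"]
                    and 0 <= _seconds_between(logon["time"], priv["time"]) <= window_seconds):
                alerts.append((account, logon["computer"], logon["time"]))
                break  # one alert per logon, even if several 4672s follow
    return alerts


def domain_admin_interactive_logons(events, domain_admins):
    """Rule 1 from the second reply: interactive 4624s by accounts in the
    Domain Admins list (the group LEM would pull from Active Directory)."""
    admins = {a.lower() for a in domain_admins}
    return [(_account(e), e["computer"], e["time"]) for e in events
            if e["id"] == 4624 and e["logon_type"] in INTERACTIVE_LOGON_TYPES
            and _account(e) in admins]


def local_interactive_logons(events, domain):
    """Rule 2 from the second reply: interactive 4624s whose account domain
    is not the AD domain, i.e. logons with local accounts."""
    prefix = domain.lower() + "\\"
    return [(_account(e), e["computer"], e["time"]) for e in events
            if e["id"] == 4624 and e["logon_type"] in INTERACTIVE_LOGON_TYPES
            and not _account(e).startswith(prefix)]


if __name__ == "__main__":
    for alert in correlate_privileged_logons(SAMPLE_EVENTS):
        print("4624+4672 within 30 s:", alert)
    for alert in domain_admin_interactive_logons(SAMPLE_EVENTS, ["CONTOSO\\ryan.butler"]):
        print("domain admin interactive logon:", alert)
    for alert in local_interactive_logons(SAMPLE_EVENTS, "CONTOSO"):
        print("local interactive logon:", alert)
```

Run as-is and the first rule fires for ryan.butler on WS01 and the local Administrator on WS02 but not for svc_backup, whose 4672 falls outside the window; the Domain Admins rule fires only for ryan.butler, and the local-logon rule only for WS02\Administrator. Adding the computer to the join, as the first reply suggests, is what keeps two simultaneous sessions by one account on different hosts from being merged into one alert.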