Aug 29, 2012

This rule watches for new user accounts created on Windows servers. It triggers whenever a user account is created on a Windows server.

Goal: Identify new user accounts created on Windows servers.
Trigger: Alert on receiving an event from a Windows server indicating that a new local or domain user account has been created.
Event Sources: Domain Controllers, Windows Servers


Rule Conditions

A set of conditions must be satisfied for this rule to trigger. These conditions differ between Windows 2003 and Windows 2008, as illustrated in Figures 1 and 2.

Figure 1: Windows 2003 – User Account Created

Figure 2: Windows 2008 – User Account Created

Condition: Windows Connector
Type: Filter
Description: This filter limits the rule to events coming from Windows connectors.

Condition: Device Event Class ID
Type: Field-based
Description: Device Event Class ID is a value that the ArcSight SmartConnector assigns to each event based on its original Windows event ID. This condition ensures that the rule is triggered only by events related to account creation.


Rule Aggregation

This rule detects the single event of an account creation in Windows. As a result, it does not require event aggregation and triggers for every event that meets the rule conditions. However, the following fields should be added to the list of identical fields for aggregation so that the correlated event preserves their values.

Destination Address, Destination Host Name, Destination User Name, Source User Name, Destination Zone, Source Host Name, Destination Zone Resource, Source Address, Source Zone, Source Zone Resource


Rule Actions

Once this rule triggers, it executes the following actions as indicated in Figure 3:

Figure 3: Rule Actions

1. Update the values of data fields in the correlated event generated by the rule. The following table lists the data fields that are modified in the correlated event.

Data Field: priority
Updated Value: 8
Description: This overwrites the event priority to 8.

Data Field: message
Updated Value: The $destinationUserName user account is created by $sourceUserName.
Description: $destinationUserName refers to the destination user name and $sourceUserName refers to the source user name, so the final value of the message field would read something like “The test user account is created by Administrator.”
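As an added example, not code from the original post or from ArcSight, here is the rule above expressed in plain Python: the two conditions as filter functions, the rule action that forces priority 8 and fills the message template, and the identical fields carried into the correlated event. The Device Event Class ID values (Security:624 for Windows 2003, Security:4720 for Windows 2008), the ArcSight-style field names and the sample events are assumptions constructed for this example.

```python
from string import Template

# Device Event Class IDs the rule fires on. The post does not name them; these are assumed
# values for the Windows 2003 (624) and 2008 (4720) account-creation events in "Security:<ID>" form.
ACCOUNT_CREATED_IDS = {"Security:624", "Security:4720"}

# Identical fields from the aggregation section, so the correlated event keeps their values.
IDENTICAL_FIELDS = (
    "destinationAddress", "destinationHostName", "destinationUserName",
    "sourceUserName", "destinationZone", "sourceHostName",
    "destinationZoneResource", "sourceAddress", "sourceZone", "sourceZoneResource",
)

# Message template from the rule actions table ($variables are event field names).
MESSAGE = Template("The $destinationUserName user account is created by $sourceUserName.")

def is_windows_connector(event):
    """Windows Connector Filter: keep only events from a Microsoft Windows connector."""
    return event.get("deviceVendor") == "Microsoft" and "Windows" in event.get("deviceProduct", "")

def matches_rule(event):
    """Both conditions must hold: Windows connector AND an account-creation class ID."""
    return is_windows_connector(event) and event.get("deviceEventClassId") in ACCOUNT_CREATED_IDS

def correlate(event):
    """Rule action: build the correlated event with priority 8 and the templated message."""
    correlated = {field: event.get(field) for field in IDENTICAL_FIELDS}
    correlated["priority"] = 8
    correlated["message"] = MESSAGE.substitute(
        destinationUserName=event.get("destinationUserName", "<unknown>"),
        sourceUserName=event.get("sourceUserName", "<unknown>"),
    )
    return correlated

def run_rule(events):
    """Evaluate the rule over an event stream; no aggregation, one correlated event per match."""
    return [correlate(e) for e in events if matches_rule(e)]

# Constructed sample events (not captured data): an account creation on a 2008 domain controller,
# a logon event with a non-matching class ID, and a 4720-looking event from a non-Windows connector.
SAMPLE_EVENTS = [
    {"deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows", "deviceEventClassId": "Security:4720",
     "destinationUserName": "test", "sourceUserName": "Administrator",
     "destinationHostName": "dc01.example.local", "destinationAddress": "10.0.0.5"},
    {"deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows", "deviceEventClassId": "Security:4624",
     "destinationUserName": "test", "sourceUserName": "test"},
    {"deviceVendor": "Unix", "deviceProduct": "auditd", "deviceEventClassId": "Security:4720",
     "destinationUserName": "test", "sourceUserName": "root"},
]
```

Running `run_rule(SAMPLE_EVENTS)` yields exactly one correlated event, for the Windows 4720 record, with priority 8 and the message "The test user account is created by Administrator."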