This rule watches for new user accounts that are created on Windows servers. It will be triggered in case of having a user account created on a Windows server.
|Goal||Identifying the new user accounts that are created on Windows servers.|
|Trigger||Alert in case of receiving an event from Windows servers indicating that a new local/domain user account is created.|
|Event Sources||Domain Controllers, Windows Servers|
There is a set of conditions that need to be satisfied in order to trigger this rule. These conditions are different in Windows 2003 and 2008 as illustrated in Figures 1 and 2.
|Windows Connector||Filter||This filter is used to limit this rule to Windows connectors.|
|Device Event Class ID||Field-based||Device Event Class ID is a value that ArcSight Smart Connector will assign to each event based on its original event ID in Windows. This condition will ensure that this rule will be only triggered by events that are related to account creation.|
This rule detects the single event of an account creation in Windows. As a result, this rule does not require event aggregation and will be triggered for every single event that meets the rule conditions. However, the following fields should be added in the list of identical fields for aggregation to ensure the correlated event will preserve these values.Destination Address, Destination Host Name, Destination User Name, Source User Name, Destination Zone, Source Host Name, Destination Zone Resource, Source Address, Source Zone, Source Zone Resource
Once this rule triggers, it executes the following actions as indicated in Figure 3:
1. Update the data fields’ value in the correlated event that is generated by the rule. The following table illustrates the data fields that will be modified in the correlated event.
|Data Field||Updated Value||Description|
|priority||8||This will overwrite the event priority to 8.|
|message||The $destinationUserName user account is created by $sourceUserName.||$destinationUserName refers to the destination username and $sourceUserName refers to the source username. So, the final value for the message field would be something like “The test user account is created by Administrator.”|