Oct 05 2012

This rule watches for user accounts that are deleted on Windows servers. It is triggered whenever a user account is deleted on a Windows server.

Goal: Identify user accounts that are deleted on Windows servers.
Trigger: Alert when an event is received from a Windows server indicating that a local or domain user account has been deleted.
Event Sources: Domain Controllers, Windows Servers


Rule Conditions

A set of conditions must all be satisfied for this rule to trigger. The conditions differ between Windows 2003 and Windows 2008, as illustrated in Figures 1 and 2.

Figure 1: Windows 2003 - User Account Deleted

Figure 2: Windows 2008 - User Account Deleted

Condition: Windows Connector
Type: Filter
Description: This filter limits the rule to events received from Windows connectors.

Condition: Device Event Class ID
Type: Field-based
Description: Device Event Class ID is the value the ArcSight SmartConnector assigns to each event based on its original Windows event ID. This condition ensures that the rule is triggered only by events related to account deletion.


Rule Aggregation

This rule detects a single event: an account deletion in Windows. It therefore requires no event aggregation and triggers for every event that meets the rule conditions. However, the following fields should be added to the list of identical fields for aggregation so that the correlated event preserves their values:

Destination Address, Destination Host Name, Destination User Name, Source User Name, Destination Zone, Source Host Name, Destination Zone Resource, Source Address, Source Zone, Source Zone Resource


Rule Actions

Once this rule triggers, it executes the following actions as indicated in Figure 3:

Figure 3: Rule Actions

1. Update the data fields' values in the correlated event generated by the rule. The following table lists the data fields that are modified in the correlated event.

Data Field: priority
Updated Value: 8
Description: This overwrites the event priority with 8.

Data Field: message
Updated Value: The $destinationUserName user account is deleted by $sourceUserName.
Description: $destinationUserName refers to the destination user name and $sourceUserName refers to the source user name, so the final value of the message field would be something like “The test user account is deleted by Administrator.”
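The conditions, aggregation fields and actions above, simulated end to end over constructed events as an added example (not code from the original post or from ArcSight). The post only shows the per-version conditions in its figures, so the event IDs 630 (Windows 2003) and 4726 (Windows 2008), the deviceEventClassId format, and the vendor/product values the Windows Connector filter keys on are assumptions here.

```python
# Added example, not code from the original post: the "User Account Deleted"
# rule simulated over constructed, already-normalized events. Assumed (not in
# the post): event IDs 630 (Windows 2003) / 4726 (Windows 2008), the
# deviceEventClassId format, and the vendor/product the connector filter keys on.
# Condition 2: Device Event Class ID values that mean "user account deleted".
ACCOUNT_DELETED_CLASS_IDS = {
    "Security:630",                              # Windows 2003
    "Microsoft-Windows-Security-Auditing:4726",  # Windows 2008
}
# Identical fields from "Rule Aggregation", preserved in the correlated event.
AGGREGATION_FIELDS = (
    "destinationAddress", "destinationHostName", "destinationUserName",
    "sourceUserName", "destinationZone", "sourceHostName",
    "destinationZoneResource", "sourceAddress", "sourceZone", "sourceZoneResource",
)

def is_windows_connector(event):
    """Condition 1: the Windows Connector filter (assumed to key on vendor/product)."""
    return event.get("deviceVendor") == "Microsoft" and event.get("deviceProduct") == "Microsoft Windows"

def matches_rule(event):
    """Both conditions must hold for the rule to fire."""
    return is_windows_connector(event) and event.get("deviceEventClassId") in ACCOUNT_DELETED_CLASS_IDS

def correlate(event):
    """Rule action: copy the aggregation fields, then overwrite priority and message."""
    correlated = {field: event.get(field) for field in AGGREGATION_FIELDS}
    correlated["priority"] = 8
    correlated["message"] = (f"The {event.get('destinationUserName')} user account "
                             f"is deleted by {event.get('sourceUserName')}.")
    return correlated

def run_rule(events):
    """No aggregation: one correlated event per base event that meets the conditions."""
    return [correlate(e) for e in events if matches_rule(e)]

# Constructed sample events (not real logs); only the first two should fire the rule.
WIN = {"deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows"}
SAMPLE_EVENTS = [
    {**WIN, "deviceEventClassId": "Security:630", "destinationUserName": "test",
     "sourceUserName": "Administrator", "destinationHostName": "srv2003.example.local"},
    {**WIN, "deviceEventClassId": "Microsoft-Windows-Security-Auditing:4726",
     "destinationUserName": "jdoe", "sourceUserName": "helpdesk01",
     "destinationHostName": "dc01.example.local", "destinationAddress": "10.0.0.10"},
    {**WIN, "deviceEventClassId": "Security:624",  # account created, not deleted
     "destinationUserName": "newuser", "sourceUserName": "Administrator"},
    {"deviceVendor": "Unix", "deviceProduct": "Unix", "deviceEventClassId": "userdel",
     "destinationUserName": "bob", "sourceUserName": "root"},  # not a Windows connector
]
```

Running `run_rule(SAMPLE_EVENTS)` yields two correlated events, each with priority 8 and the message built from the destination and source user names; the creation event and the non-Windows event are dropped by the two conditions.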