IBM QRadar


Isolate Admin/Privileged Accounts

  • 1.  Isolate Admin/Privileged Accounts

    Posted Thu October 25, 2018 01:35 PM
    Greetings,
    I've been using QRadar SIEM for almost three years and, while there's obviously a lot more for me to learn, there's one aspect of QRadar that I've been trying to figure out ever since I started using the system: how do we isolate events related to Admin/Privileged accounts? One of the major parts of our security is monitoring any activity that happens to a Privileged account, not just those that involve privileged accounts. For example, I created a rule that (I thought) would alert me whenever an Admin account in AD was altered in some way (password changed/reset, account changed, etc), but it turns out that my rule sends alerts whenever an Admin account is involved with those events; which, as one can imagine, happens a lot.

    So is there a way to find the information I need, or do we need to invest in a paid plug-in from a vendor?

    Thanks

    ------------------------------
    Brian Brehart
    Information Security Engineer
    ------------------------------


  • 2.  RE: Isolate Admin/Privileged Accounts

    Posted Fri October 26, 2018 04:18 AM

    Hi Brian,

    When you say "involved with these events", do you mean that AD sends events for all user changes done by an admin?
    or

    Does QRadar in any way match the AD events to broadly alerting on any AD event involving a change of any sort?
    or anything else?

    Are you using the UBA app also?



    ------------------------------
    Nico de Smidt
    ------------------------------



  • 3.  RE: Isolate Admin/Privileged Accounts

    Posted Fri October 26, 2018 09:00 AM
    Hi Brian,

    We are going to release in the next few weeks new custom properties for Windows.

    You will be able to create rules on the following fields:
    • Target User Name
    • Target User Domain
    • Target Account Security ID

    We are also adding them for the source username:
    • User Domain
    • Account Security ID
    Watch out for an update of the "Microsoft Windows Custom Properties" content pack on the App Exchange.

    I hope this will help you.


  • 4.  RE: Isolate Admin/Privileged Accounts

    Posted Fri November 30, 2018 12:48 PM
    Gladys,

    Any word on when that extension is going to be released? I clicked the link today and the current version was uploaded in February of 2016.

    Cheers,
    Brian

    ------------------------------
    Brian Brehart
    ------------------------------



  • 5.  RE: Isolate Admin/Privileged Accounts

    Posted Mon December 03, 2018 07:19 AM
    Hi Brian,

    It will be posted this week :)

    What are you looking for on the documentation side?


  • 6.  RE: Isolate Admin/Privileged Accounts

    Posted Fri November 30, 2018 02:26 PM
    Gladys,

    Also, is there some documentation concerning how to use the Custom Event Properties? I see a lot about how to create them, but nothing past that.

    Thanks again,
    Brian

    ------------------------------
    Brian Brehart
    ------------------------------



  • 7.  RE: Isolate Admin/Privileged Accounts

    Posted Fri November 30, 2018 12:46 PM
    Nico,
    Did I ever answer you? I'm following up in case I didn't.

    When I say involved I mean that the Admin wasn't the target of the change, but the facilitator. I need to focus only when the Admin is the target of the change, whether it be a password reset, account lock, or password change.

    I hope this clears things up.

    Brian

    ------------------------------
    Brian Brehart
    ------------------------------



  • 8.  RE: Isolate Admin/Privileged Accounts

    Posted Fri October 26, 2018 08:58 AM
    If you paste in your rule we can help

    ------------------------------
    ryan swisher
    ------------------------------



  • 9.  RE: Isolate Admin/Privileged Accounts

    Posted Mon October 29, 2018 10:26 AM
    As requested, here's the text of the Rule I created.

    Apply Domain Administrator Password Reset on events which are detected by the Local system
    and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    and when the event QID is one of the following (5000895) Success Audit: An attempt was made to reset an account's password, (5000539) Failure Audit: An attempt was made to reset an account's password
    and when any of Username are contained in any of Domain Admins - AlphaNumeric


    ------------------------------
    Brian Brehart
    ------------------------------
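The rule in post 9 keys on Username, which for a password-reset event is the account that performed the reset; the Target User Name property announced in post 3 identifies the account that was changed. The script below is an added illustration, not code from this thread or from IBM, that parses constructed event 4724 payloads and evaluates both rule variants; it assumes Username maps to the Subject account and that the reference set behaves as in QRadar (AlphaNumeric is case-sensitive, AlphaNumeric (Ignore Case) is not).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample payloads (not real log data), modelled on the wording of
# Windows event 4724, "An attempt was made to reset an account's password",
# which the thread's rule matches via QID 5000895. Single-line form as a
# collector would forward it; SIDs are placeholders.
SAMPLE_EVENTS = [
    "4724: An attempt was made to reset an account's password. "
    "Subject: Security ID: S-1-5-21-0-0-0-1105 Account Name: admin.brian Account Domain: CORP "
    "Target Account: Security ID: S-1-5-21-0-0-0-2201 Account Name: jdoe Account Domain: CORP",
    "4724: An attempt was made to reset an account's password. "
    "Subject: Security ID: S-1-5-21-0-0-0-3007 Account Name: helpdesk01 Account Domain: CORP "
    "Target Account: Security ID: S-1-5-21-0-0-0-1105 Account Name: admin.brian Account Domain: CORP",
    "4724: An attempt was made to reset an account's password. "
    "Subject: Security ID: S-1-5-21-0-0-0-4100 Account Name: svc_idm Account Domain: CORP "
    "Target Account: Security ID: S-1-5-21-0-0-0-1106 Account Name: Admin.Nico Account Domain: CORP",
]

# Stand-in for the "Domain Admins" reference set from the thread (constructed values).
DOMAIN_ADMINS: Set[str] = {"admin.brian", "admin.nico"}

@dataclass(frozen=True)
class ResetEvent:
    subject_user: str  # who performed the reset (the "facilitator" in post 7)
    target_user: str   # whose password was reset

_SUBJECT = re.compile(r"Subject:.*?Account Name:\s*(\S+)")
_TARGET = re.compile(r"Target Account:.*?Account Name:\s*(\S+)")

def parse_event(payload: str) -> Optional[ResetEvent]:
    """Extract Subject and Target Account names from a 4724 payload; None if either is missing."""
    s, t = _SUBJECT.search(payload), _TARGET.search(payload)
    if not s or not t:
        return None
    return ResetEvent(s.group(1), t.group(1))

def _in_set(name: str, admins: Set[str], ignore_case: bool) -> bool:
    # AlphaNumeric reference sets compare exactly; the Ignore Case variant folds case.
    return name.lower() in {a.lower() for a in admins} if ignore_case else name in admins

def rule_as_posted(payloads: List[str], admins: Set[str], ignore_case: bool = False) -> List[Tuple[str, str]]:
    """Models post 9's rule: fire when Username (the Subject account) is a Domain Admin."""
    events = [e for e in map(parse_event, payloads) if e]
    return [(e.subject_user, e.target_user) for e in events if _in_set(e.subject_user, admins, ignore_case)]

def rule_on_target(payloads: List[str], admins: Set[str], ignore_case: bool = False) -> List[Tuple[str, str]]:
    """Fire only when the Target User Name is a Domain Admin, i.e. the admin account itself was changed."""
    events = [e for e in map(parse_event, payloads) if e]
    return [(e.subject_user, e.target_user) for e in events if _in_set(e.target_user, admins, ignore_case)]
```

Run against the three samples, the posted rule fires only on the admin resetting jdoe, the target rule fires on helpdesk01 resetting admin.brian, and the mixed-case Admin.Nico reset is caught only when the set is matched case-insensitively.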



  • 10.  RE: Isolate Admin/Privileged Accounts

    Posted Mon November 05, 2018 03:37 PM
    Sent private message

    ------------------------------
    ryan swisher
    ------------------------------