Hi,I need to generate alerts when a user is added to a group within AD.
You shouldn’t have to create this alert as it’s already built-in as part of our UBA incident type.
If you have configured Active Directory to send security logs to InsightIDR then that alert type should trigger automatically each time the privileges of an account are escalated to an AD security group with administrator rights.
To add your AD security logs to InsightIDR, please follow this guide: https://docs.rapid7.com/insightidr/active-directory
Here is the list of our built-in alerts: Alerts | InsightIDR Documentation
And using this query: where(“source_json.eventCode” = “4728”) on your Active Directory Security Logs will allow you to create pattern detection alerts.
In the log search, I just typed 4728 and selected the AD logs, returned some events.
Now it is possible to make a query with “eventCode”: 4728 + “group_scope”: “SECURITY_ENABLED_GLOBAL_GROUP” + group “:” XXXXX ",
You can use the following query:
where(source_json.eventCode=4728 AND group_scope="SECURITY_ENABLED_GLOBAL_GROUP" and group="test_group")
You can find more information about queries here:
I tried with this query but it didn’t work.
“Your query is invalid”
I forgot ( )
Can I also get to distribution group or do I need to enable auditing in AD?
Yes you should be able to track this Distribution Group Management event ID (4746) by ticking “Send Unparsed Data” on your AD event source. Having this enabled will increase the amount of data you send to IDR…Have a read through here.
This is how I have done it:(example)
action=“MEMBER_ADDED_TO_SECURITY_GROUP” AND group=“enterprise admins”
I will test and soon I will report.
I created it that way, but it didn’t return any results.
Can I put multiple groups in the same query?
action=“MEMBER_ADDED_TO_SECURITY_GROUP” AND group_scope=“SECURITY_ENABLED_DOMAIN_LOCAL_GROUP” AND group=“account operators” AND group=“Backup Operators” AND group="source_json.eventCode=‘4732’
if you have an example log line such as
“source_user”: “jsmith admin”,
“target_user”: “jsmith admin”,
“target_account”: “cn=jsmith admin,ou=admin_accounts,ou=administration,ou=r7mslab,dc=r7mslab,dc=local”,
and you wanted to have multiple groups you would build your query like
“action” = “MEMBER_ADDED_TO_SECURITY_GROUP” AND (“group” = “zonepolicytest” OR group=xyz OR “group”=/.*/ )
Its important to use parentheses when using AND’s and OR’s together.
A AND (B OR C)
Note in my example I have “group”=/.*/ this is regex notation for “any character any number of times” so it will include all results where the key “group” is equal to anything.
In order for your query to work it would need to be something like
action=“MEMBER_ADDED_TO_SECURITY_GROUP” AND group_scope=“SECURITY_ENABLED_DOMAIN_LOCAL_GROUP” AND (group=“account operators” OR group=“Backup Operators”)
if you wanted to also include the source_json.eventCode you would include that as a key comparison like
source_json.eventCode=4732 not group="source_json.eventCode … . . "
In my first reply the “where” did not get copied
where(action=“MEMBER_ADDED_TO_SECURITY_GROUP” AND group=“enterprise admins”)
yes, adding another group should work. Make sure you pull from the correct logs. Active Directory Admin Activity in my case.
I do have a couple of things to add to what Andy and David mentioned that I think might help you.
First, we have a series of blogs on Log Search that you might find useful as a resource. I think that they might answer some of your questions: The first one is at Your Guide to Log Search in Rapid7's SIEM Solution, InsightIDR. From it, you can continue to the next two blogs in the series.
Next, as David mentioned, when you are running your query, you can group inside the where () statement. That is, you could say:
where(action=“MEMBER_ADDED_TO_SECURITY_GROUP” AND group_scope=“SECURITY_ENABLED_DOMAIN_LOCAL_GROUP” AND (group=“account operators” OR group=“backup operators” OR group="my domain local group’))
Another way to run this same search is to switch into regular expression. That is explained here: Using Regular Expression to Expand Your Log Search Options. A query using regular expression would use the pipe ("|") to replace the OR quantifiers and would look like this:
where(action=“MEMBER_ADDED_TO_SECURITY_GROUP” AND “group_scope” = “SECURITY_ENABLED_DOMAIN_LOCAL_GROUP” AND group=/backup operators|account operators|lab - domain local security group/i)
Also, Log Search is case sensitive by default, so when you specify your groups, you either have to use the Loose Search feature, Loose Search | InsightIDR Documentation, or use regular expression and specify that you want a case-insensitive search with the lowercase “i”, or just type them in lower case since that is how they always show up in Log Search.
In other words, you’ll have better luck if you use OR instead of AND for the “group” field, and also either specify either a case-insensitive search or just use the same case that you see in Log Search.
I hope this all makes sense and helps you with your searching!