Hi,I need to generate alerts when a user is added to a group within AD.
Hey @rodrigo_ferrari,
You shouldnāt have to create this alert as itās already built-in as part of our UBA incident type.
If you have configured Active Directory to send security logs to InsightIDR then that alert type should trigger automatically each time the privileges of an account are escalated to an AD security group with administrator rights.
To add your AD security logs to InsightIDR, please follow this guide: https://docs.rapid7.com/insightidr/active-directory
Here is the list of our built-in alerts: Alerts | InsightIDR Documentation
Thanks,
Oli
And using this query: where(āsource_json.eventCodeā = ā4728ā) on your Active Directory Security Logs will allow you to create pattern detection alerts.
In the log search, I just typed 4728 and selected the AD logs, returned some events.
Now it is possible to make a query with āeventCodeā: 4728 + āgroup_scopeā: āSECURITY_ENABLED_GLOBAL_GROUPā + group ā:ā XXXXX ",
āgroupā: "XXXX,
āgroup_scopeā: āSECURITY_ENABLED_GLOBAL_GROUPā,
āgroup_domainā: ādomainā,
āsource_jsonā: {
āeventCodeā: 4728,
You can use the following query:
where(source_json.eventCode=4728 AND group_scope="SECURITY_ENABLED_GLOBAL_GROUP" and group="test_group")Hi,
I tried with this query but it didnāt work.
āYour query is invalidā
ItĀ“s work
I forgot ( )
Sorry
Tks
Can I also get to distribution group or do I need to enable auditing in AD?
Hey @rodrigo_ferrari
Yes you should be able to track this Distribution Group Management event ID (4746) by ticking āSend Unparsed Dataā on your AD event source. Having this enabled will increase the amount of data you send to IDRā¦Have a read through here.
Thanks,
Oli
This is how I have done it:(example)
action=āMEMBER_ADDED_TO_SECURITY_GROUPā AND group=āenterprise adminsā
1 Like
Hi Andry,
I will test and soon I will report.
Tks
Hi Andry,
I created it that way, but it didnāt return any results.
Can I put multiple groups in the same query?
action=āMEMBER_ADDED_TO_SECURITY_GROUPā AND group_scope=āSECURITY_ENABLED_DOMAIN_LOCAL_GROUPā AND group=āaccount operatorsā AND group=āBackup Operatorsā AND group="source_json.eventCode=ā4732ā
Hi Rodrigo,
if you have an example log line such as
{
ātimestampā: ā2021-01-12T16:01:30.544Zā,
āsource_userā: ājsmith adminā,
ātarget_userā: ājsmith adminā,
āsource_user_domainā: ār7mslab.localā,
ātarget_user_domainā: ār7mslab.localā,
āactionā: āMEMBER_ADDED_TO_SECURITY_GROUPā,
āsource_accountā: ājsmith_adminā,
ātarget_accountā: ācn=jsmith admin,ou=admin_accounts,ou=administration,ou=r7mslab,dc=r7mslab,dc=localā,
āgroupā: āzonepolicytestā,
āgroup_scopeā: āSECURITY_ENABLED_GLOBAL_GROUPā,
āgroup_domainā: ār7mslabā,
āsource_jsonā: {
āeventCodeā: 4728,
ācomputerNameā: āR7MSLAB-DC01.R7MSLAB.localā,
āinsertionStringsā: [
āCN=jsmith admin,OU=Admin_Accounts,OU=Administration,OU=R7MSLAB,DC=R7MSLAB,DC=localā,
āS-1-5-21-2587591228-874857867-111615119-1108ā,
āZonePolicyTestā,
āR7MSLABā,
āS-1-5-21-2587591228-874857867-111615119-1125ā,
āS-1-5-21-2587591228-874857867-111615119-1108ā,
ājsmith_adminā,
āR7MSLABā,
ā0x1dcae44ā,
ā-ā
],
ātimeGeneratedā: ā20210112160130.544610-000ā
}
}
and you wanted to have multiple groups you would build your query like
āactionā = āMEMBER_ADDED_TO_SECURITY_GROUPā AND (āgroupā = āzonepolicytestā OR group=xyz OR āgroupā=/.*/ )
Its important to use parentheses when using ANDās and ORās together.
A AND (B OR C)
Note in my example I have āgroupā=/.*/ this is regex notation for āany character any number of timesā so it will include all results where the key āgroupā is equal to anything.
In order for your query to work it would need to be something like
action=āMEMBER_ADDED_TO_SECURITY_GROUPā AND group_scope=āSECURITY_ENABLED_DOMAIN_LOCAL_GROUPā AND (group=āaccount operatorsā OR group=āBackup Operatorsā)
if you wanted to also include the source_json.eventCode you would include that as a key comparison like
source_json.eventCode=4732 not group="source_json.eventCode ā¦ . . "
David
1 Like
In my first reply the āwhereā did not get copied
where(action=āMEMBER_ADDED_TO_SECURITY_GROUPā AND group=āenterprise adminsā)
yes, adding another group should work. Make sure you pull from the correct logs. Active Directory Admin Activity in my case.
1 Like
Hi Rodrigo,
I do have a couple of things to add to what Andy and David mentioned that I think might help you.
First, we have a series of blogs on Log Search that you might find useful as a resource. I think that they might answer some of your questions: The first one is at Your Guide to Log Search in Rapid7's SIEM Solution, InsightIDR. From it, you can continue to the next two blogs in the series.
Next, as David mentioned, when you are running your query, you can group inside the where () statement. That is, you could say:
where(action=āMEMBER_ADDED_TO_SECURITY_GROUPā AND group_scope=āSECURITY_ENABLED_DOMAIN_LOCAL_GROUPā AND (group=āaccount operatorsā OR group=ābackup operatorsā OR group="my domain local groupā))
Another way to run this same search is to switch into regular expression. That is explained here: Using Regular Expression to Expand Your Log Search Options. A query using regular expression would use the pipe ("|") to replace the OR quantifiers and would look like this:
where(action=āMEMBER_ADDED_TO_SECURITY_GROUPā AND āgroup_scopeā = āSECURITY_ENABLED_DOMAIN_LOCAL_GROUPā AND group=/backup operators|account operators|lab - domain local security group/i)
Also, Log Search is case sensitive by default, so when you specify your groups, you either have to use the Loose Search feature, Loose Search | InsightIDR Documentation, or use regular expression and specify that you want a case-insensitive search with the lowercase āiā, or just type them in lower case since that is how they always show up in Log Search.
In other words, youāll have better luck if you use OR instead of AND for the āgroupā field, and also either specify either a case-insensitive search or just use the same case that you see in Log Search.
I hope this all makes sense and helps you with your searching!
Teresa
3 Likes