Customized alerts

Hello,
I have been trying to write a customized rule that sends an alert to my email when a local account has been used. I only managed to get the alert, but without details of which local account was used and what actions it took; I would like to have all this information summarized in the email notification that is sent.
Kindly share with me a logic I could use.
Thank you.

Hi @latyang,

What behaviour are you trying to monitor when you ask for “been used”?

Best Regards!

Miguel.


@latyang do you mean that you have created a Custom Alert based on Pattern Detection? Or have you done it in another way?

For the Custom Alerts we have created on Pattern Detection, we do get the log line that triggered the alert.
So it contains all the information that is available to the IDR detection engine.
In some cases that is extensive log information, in other cases limited information, but that all depends on which logs you are looking at.

As an example we have an alert looking at patterns in DHCP logs.
That generates something like this:


InsightIDR has reported the following incident for DHCP Detection:

CUSTOM ALERT - PATTERN DETECTION
Custom Alert DHCP Detection was triggered for log DHCP Logs in log set Host To IP Observations

Triggered by log line:

{
  "timestamp" : "2023-09-20T06:12:34.000Z",
  "asset" : "assetname.domain.local",
  "action" : "OBTAIN",
  "host" : "assetname.domain.local",
  "client_mac" : "a1:b2:c3:d4:e5:f6",
  "ip" : "xxx.xxx.xxx.xxx",
  "observation_status" : "ACKNOWLEDGED",
  "source_data" : "10,09/20/23,08:12:34,Assign,xxx.xxx.xxx.xxx,assetname.domain.local,A1B2C3D4E5F6,xxxxxxxxxxxxxx,0,0x4zzzzzzzzzzzzzzzzzzzz,MSFT 5.0,0",
  "r7_context" : {
    "asset" : {
      "type" : "asset",
      "rrn" : "rrn:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "name" : "assetname.domain.local"
    }
  }
}

For details, see the full incident report.
The InsightIDR Team
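As an added example (not code from the thread or from Rapid7), here is a small Python script that takes a Pattern Detection notification body like the one shown above, pulls out the "Triggered by log line" JSON, and turns it into the kind of short field summary the original poster wanted in the email. The notification text is a constructed sample modelled on the post (asset name, MAC, IP and rrn are placeholders), the field list `SUMMARY_FIELDS` is an assumption about what is worth surfacing, and the script also handles a log line that is plain text rather than JSON by returning it unchanged.

```python
import json
import re

# Constructed sample modelled on the notification quoted in the thread.
# Asset name, MAC, IP and rrn are placeholders, not real values.
SAMPLE_NOTIFICATION = """InsightIDR has reported the following incident for DHCP Detection:

CUSTOM ALERT - PATTERN DETECTION
Custom Alert DHCP Detection was triggered for log DHCP Logs in log set Host To IP Observations

Triggered by log line:

{
  "timestamp" : "2023-09-20T06:12:34.000Z",
  "asset" : "assetname.domain.local",
  "action" : "OBTAIN",
  "host" : "assetname.domain.local",
  "client_mac" : "a1:b2:c3:d4:e5:f6",
  "ip" : "192.0.2.10",
  "observation_status" : "ACKNOWLEDGED",
  "source_data" : "10,09/20/23,08:12:34,Assign,192.0.2.10,assetname.domain.local,A1B2C3D4E5F6,placeholder,0,0x0,MSFT 5.0,0",
  "r7_context" : {
    "asset" : {
      "type" : "asset",
      "rrn" : "rrn:placeholder",
      "name" : "assetname.domain.local"
    }
  }
}
For details, see the full incident report.
The InsightIDR Team
"""

# Assumed set of top-level fields worth putting in a one-screen summary.
SUMMARY_FIELDS = ("timestamp", "asset", "action", "host",
                  "client_mac", "ip", "observation_status")


def extract_log_line(body: str) -> str:
    """Return the text between 'Triggered by log line:' and the report footer."""
    m = re.search(
        r"Triggered by log line:\s*(.*?)\s*"
        r"(?:\nFor details, see the full incident report\.|\Z)",
        body, re.S)
    if not m:
        raise ValueError("no triggering log line found in notification body")
    return m.group(1)


def parse_log_line(raw: str):
    """Parse the log line as JSON; return None when it is plain text (e.g. syslog)."""
    # Copy/paste from mail clients and forums often turns quotes into smart quotes.
    text = raw.replace("\u201c", '"').replace("\u201d", '"')
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def _flatten(obj, prefix=""):
    """Flatten nested dicts into dotted keys, e.g. r7_context.asset.name."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(_flatten(v, f"{prefix}{k}."))
    else:
        out[prefix[:-1]] = obj
    return out


def summarize(body: str) -> dict:
    """Build a summary dict from a notification body."""
    raw = extract_log_line(body)
    parsed = parse_log_line(raw)
    if parsed is None:
        # Non-JSON sources: keep the raw line so nothing is lost.
        return {"log_format": "text", "raw": raw.strip()}
    flat = _flatten(parsed)
    summary = {k: flat[k] for k in SUMMARY_FIELDS if k in flat}
    summary["log_format"] = "json"
    # Everything else (source_data, r7_context.*) stays available for the ticket.
    summary["extra"] = {k: v for k, v in flat.items() if k not in SUMMARY_FIELDS}
    return summary


def format_summary(summary: dict) -> str:
    """One 'field: value' line per summary field, ready for a mail template."""
    if summary.get("log_format") == "text":
        return "raw: " + summary["raw"]
    return "\n".join(f"{k}: {summary[k]}" for k in SUMMARY_FIELDS if k in summary)


if __name__ == "__main__":
    print(format_summary(summarize(SAMPLE_NOTIFICATION)))
```

The flattened `extra` dict keeps the nested `r7_context` and the raw `source_data` so the summary can stay short in the email while the full detail is still there for the ticket or report.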