Trigger workflow when an account is added/removed from AD group

Hi.

Is there a way to monitor our Active Directory logs and trigger a workflow that will add or remove a user from our “watch list” if that user gets added/removed from a specific Active Directory group?

Hello @antmar904

I haven’t tried it, but you might be able to get out-of-the-box alerting from the IDR Settings → “Privileged Admin Groups”

Good luck

Thanks. We leverage that already but not what I am looking for.

I am not aware of any watch list endpoint in the API docs. You can set up a custom alert, and that custom alert can trigger in ICON, but the watch list piece to my knowledge is not possible via API.

You could have a different watch list hosted in a global artifact within InsightConnect.

I am not sure what you would like to monitor if they are on the watch list, but I am guessing you can do quite a bit of it via ICON.

Hi Darrick.

When a user is in the watch list, more UEBA rules are applied to that user. We like to add users to and remove them from our watch list when they travel to “higher risk” countries, but the add/remove is a manual process.

I asked internally if there is an endpoint for the watchlist. If I get a definite yes or no I will let you know. Looking through the API docs I didn’t see any options, but there could be something tucked away that I am not tracking on.

A public API for the Watch List does not exist.

If you have a way to monitor domain controller security event logs, you can run a search for event ID 4728 (user was added to a group) and event ID 4729 (user was removed from a group) and then filter on the name of the group(s) you want to monitor.

If you are a KQL shop, you would have a scheduled search that is something like:

SecurityEvent
| where TimeGenerated >= ago(24h)
// EventID is an integer column; 4728 = member added, 4729 = member removed
| where EventID in (4728, 4729)
// For these events TargetUserName is the group; MemberName is the account that was added/removed
| where TargetUserName == "Domain Admins"
| project TimeGenerated, EventID, TargetUserName, MemberName, SubjectUserName

For SPL it would be something like this:

index=SecurityEvent EventCode IN (4728, 4729) TargetUserName="Domain Admins"
| where _time >= relative_time(now(), "-24h@h")
| table _time, EventCode, TargetUserName, MemberName, SubjectUserName

Regardless of platform, if there is an alert, have it set up to send the alert to Workflow with an API trigger.

This might not be completely helpful but hopefully gets you part of the way.

*edit: corrected TimeGenerated as == will not work with the function ago()

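The search logic the reply above describes, run over a handful of constructed Security event records, as an added example that is not part of the original thread or of any Rapid7 product. It maps 4728/4729 to add/remove actions for a watched group, extracts the account name from the distinguished name carried in MemberName, applies the 24-hour window, and builds the body a workflow API trigger could consume. It goes slightly beyond the thread in also covering 4756/4757, the equivalent events for security-enabled universal groups (for example Enterprise Admins), since 4728/4729 only fire for global groups. The group names, the record layout (modelled on the SecurityEvent columns), the sample records and the trigger payload field names are all assumptions.

```python
"""Turn AD group-membership events into watch-list add/remove actions.

Added example, not code from the original thread. Records are constructed to
mirror the SecurityEvent columns used in the thread's KQL; anything beyond
EventID, TimeGenerated and TargetUserName is an assumption.
"""
import re
from datetime import datetime, timedelta, timezone

# Groups whose membership changes should drive the watch list (assumed names).
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "High Risk Travelers"}

# 4728/4729: security-enabled global group member added/removed.
# 4756/4757: the same for security-enabled universal groups.
# 4732/4733 (local groups) are deliberately not mapped here.
ACTION_FOR_EVENT = {4728: "add", 4729: "remove", 4756: "add", 4757: "remove"}

T0 = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"TimeGenerated": T0 - timedelta(hours=2), "EventID": 4728,
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example", "SubjectUserName": "admin1"},
    {"TimeGenerated": T0 - timedelta(hours=1), "EventID": 4729,
     "TargetUserName": "High Risk Travelers",
     "MemberName": "CN=asmith,OU=Users,DC=corp,DC=example", "SubjectUserName": "admin1"},
    # Unwatched group: must be ignored.
    {"TimeGenerated": T0 - timedelta(minutes=30), "EventID": 4728,
     "TargetUserName": "Print Operators",
     "MemberName": "CN=bob,OU=Users,DC=corp,DC=example", "SubjectUserName": "admin2"},
    # Local group change (4732): not a mapped event, ignored even for a watched-looking name.
    {"TimeGenerated": T0 - timedelta(minutes=20), "EventID": 4732,
     "TargetUserName": "Administrators",
     "MemberName": "CN=eve,OU=Users,DC=corp,DC=example", "SubjectUserName": "admin2"},
    # Universal group add (4756) on a watched group.
    {"TimeGenerated": T0 - timedelta(minutes=10), "EventID": 4756,
     "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=cjones,OU=Users,DC=corp,DC=example", "SubjectUserName": "admin1"},
    # Outside the 24h window: ignored.
    {"TimeGenerated": T0 - timedelta(days=3), "EventID": 4728,
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=old,OU=Users,DC=corp,DC=example", "SubjectUserName": "admin1"},
]

_CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)


def member_account(member_name):
    """Return the CN from the distinguished name in MemberName.

    Falls back to the raw value when there is no CN (e.g. only a SID was logged).
    """
    match = _CN_RE.match(member_name)
    return match.group(1) if match else member_name


def watchlist_actions(events, watched_groups=WATCHED_GROUPS, now=None,
                      window=timedelta(hours=24)):
    """Filter events to watched-group membership changes inside the window.

    Returns actions in chronological order so a workflow that applies them
    in sequence ends with the correct state when a user is added and then
    removed within the same window.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - window
    actions = []
    for ev in sorted(events, key=lambda e: e["TimeGenerated"]):
        action = ACTION_FOR_EVENT.get(ev["EventID"])
        if action is None or ev["TimeGenerated"] < cutoff:
            continue
        if ev["TargetUserName"] not in watched_groups:
            continue
        actions.append({
            "action": action,
            "user": member_account(ev["MemberName"]),
            "group": ev["TargetUserName"],
            "changed_by": ev["SubjectUserName"],
            "time": ev["TimeGenerated"].isoformat(),
        })
    return actions


def trigger_payload(actions):
    """Build the JSON body for a workflow API trigger (field names are assumptions)."""
    return {"source": "ad-group-membership", "actions": actions}


if __name__ == "__main__":
    for a in watchlist_actions(SAMPLE_EVENTS, now=T0):
        print(f"{a['time']} {a['action']:6} {a['user']} ({a['group']}) by {a['changed_by']}")
```

The window filter and the event-ID mapping are the two places a scheduled search most often goes wrong: a string comparison against an integer EventID returns nothing, and a search that only matches 4728 never produces the remove side of the workflow.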