Real-Time alert "Group Member Added by Unauthorized Personnel"

Does anyone know how to monitor all groups for a specific OU in Active Directory?

Thanks,

jc

  • Hi jc,

    You should use the function in_OU, which is described here: documents.software.dell.com/.../functions

    In the advanced rule editor (Matching tab, Advanced button), change the rule in the following way: add a Target OU argument to the "arguments" section and an in_OU handler in the body:

    <rule type="REL" version="1.0">
      <arguments>
        <argument displayname="Authorized_Groups" name="Authorized_Groups" class="List" description="A list of groups for managing groups in an organization">
          <value></value>
        </argument>
        <argument displayname="Authorized_Users" name="Authorized_Users" class="List" description="A list of user accounts for managing groups in an organization">
          <value></value>
        </argument>
        <argument displayname="Skipped_Target_Groups" name="Skipped_Target_Groups" class="List" description="A list of groups to exclude from monitoring">
          <value></value>
        </argument>
        <argument displayname="Target_Groups" name="Target_Groups" class="List" description="A list of groups to monitor">
          <value>"*\\*"</value>
        </argument>
        <argument displayname="Target_OUs" name="Target_OUs" class="List" description="A list of OUs to monitor">
          <value>"OOUU"</value>
        </argument>
      </arguments>
      <prefilter>
      </prefilter>
      <body>

        def common(OperatorDomain, OperatorName, MemberAccount) :=
        {
          not in( strcat( OperatorDomain, "\\", OperatorName ), "wi", array(<parameter name="Authorized_Users"/>) )
          and not in( strcat( String4, "\\", String3 ), "wi", array(<parameter name="Skipped_Target_Groups"/>) )
          and in( strcat( String4, "\\", String3 ), "wi", array(<parameter name="Target_Groups"/>) )
          and not is_current_user( OperatorDomain, OperatorName )
          and not member_of( strcat( OperatorDomain, "\\", OperatorName ), array(<parameter name="Authorized_Groups"/>), true )
          and in_OU(OperatorDomain, OperatorName, array(<parameter name="Target_OUs"/>), true )
          and set_alert_field("OperatorName", OperatorName, true)
          and set_alert_field("OperatorDomain", OperatorDomain, true)
          and set_alert_field("MemberAccount", MemberAccount, true)
        }

        (
          (EventID = 632 or EventID = 636 or EventID = 660 or EventID = 655 or EventID = 665 or EventID = 650)
          and striequ( Source, "security" )
          and common(String7, String6, String13)
        )
        or
        (
          (EventID = 4728 or EventID = 4732 or EventID = 4756 or EventID = 4761 or EventID = 4751 or EventID = 4746)
          and common(String8, String7, String12)
        );

      </body>
    </rule>
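As an added illustration (not InTrust code and not part of this thread), the Python below re-implements the rule's conditions over constructed group-member-added events: it honours Authorized_Users, Authorized_Groups, Skipped_Target_Groups and Target_Groups, then scopes on the modified group's distinguishedName under Target_OUs (the rule above passes the operator account to in_OU instead). The in_ou, matches_any and membership lookup are hypothetical stand-ins for the REL functions, and every account, group and DN is made up.

```python
import fnmatch
from dataclasses import dataclass

# Windows Security event IDs from the rule's second branch: a member was added to a group
GROUP_MEMBER_ADDED = {4728, 4732, 4756, 4761, 4751, 4746}

@dataclass
class GroupAddEvent:
    event_id: int
    operator: str   # DOMAIN\account that performed the change
    group: str      # DOMAIN\group that received a new member
    group_dn: str   # distinguishedName of that group
    member: str     # account that was added

def in_ou(dn, ou_dns):
    """True if dn sits anywhere under one of ou_dns (case-insensitive suffix match).
    Hypothetical stand-in for the rule's in_OU; escaped commas inside RDNs are not handled."""
    d = dn.lower()
    return any(d.endswith("," + ou.lower()) for ou in ou_dns)

def matches_any(name, patterns):
    # Case-insensitive wildcard match, so the rule's "*\\*" pattern matches every DOMAIN\group
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)

def is_unauthorized_add(ev, cfg, membership):
    """Apply the rule's conditions in order; membership maps operator -> set of its groups."""
    if ev.event_id not in GROUP_MEMBER_ADDED:
        return False
    if matches_any(ev.operator, cfg["Authorized_Users"]):
        return False
    if matches_any(ev.group, cfg["Skipped_Target_Groups"]):
        return False
    if not matches_any(ev.group, cfg["Target_Groups"]):
        return False
    if membership.get(ev.operator.lower(), set()) & {g.lower() for g in cfg["Authorized_Groups"]}:
        return False  # operator sits in an authorized admin group (the rule's member_of test)
    return in_ou(ev.group_dn, cfg["Target_OUs"])

CONFIG = {  # constructed values standing in for the rule's argument lists
    "Authorized_Users": ["CORP\\svc_idm"], "Authorized_Groups": ["CORP\\GroupAdmins"],
    "Skipped_Target_Groups": ["CORP\\Lab-*"], "Target_Groups": ["*\\*"],
    "Target_OUs": ["OU=Finance,DC=corp,DC=example"],
}
MEMBERSHIP = {"corp\\alice": {"corp\\groupadmins"}}
SAMPLE_EVENTS = [  # constructed records, not real log data
    GroupAddEvent(4728, "CORP\\bob", "CORP\\Payroll", "CN=Payroll,OU=Finance,DC=corp,DC=example", "CORP\\contractor1"),
    GroupAddEvent(4728, "CORP\\alice", "CORP\\Payroll", "CN=Payroll,OU=Finance,DC=corp,DC=example", "CORP\\tmp1"),
    GroupAddEvent(4732, "CORP\\bob", "CORP\\Lab-Users", "CN=Lab-Users,OU=Finance,DC=corp,DC=example", "CORP\\tmp2"),
    GroupAddEvent(4756, "CORP\\bob", "CORP\\HR", "CN=HR,OU=HR,DC=corp,DC=example", "CORP\\tmp3"),
]

def alerts(events=SAMPLE_EVENTS, cfg=CONFIG, membership=MEMBERSHIP):
    """Return (operator, group, member) for every event that should fire the alert."""
    return [(e.operator, e.group, e.member) for e in events if is_unauthorized_add(e, cfg, membership)]
```

Only the first sample event fires: bob is neither an authorized user nor in GroupAdmins, Payroll is not skipped, and its DN lies under the Finance OU; the HR change is outside the OU and alice is covered by Authorized_Groups.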