This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Alerting on Active Directory group name

Anonymous
Not applicable

‎2019-11-27 11:03 PM

I'm trying to work on alerting to changes to groups in Active Directory like the Domain Admins group.

I can see the event in investigate, I can also see the group name 'Domain Admins' is in the event, but I noticed that the icon looks different to other meta keys, and in investigate it appears that the group meta key doesn't work either.

 

I assume that the meta key 'Group' is not defined properly somewhere.

 

pastedImage_1.png

0 Likes
2 REPLIES 2

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2019-11-28 12:06 AM

Jeremy

 

It appears as if ‘group’ is not indexed. That however should not matter for ESA.

 

Do you know if you have defined it in the index-concentrator-custom file?

 

Dave

0 Likes

Anonymous
Not applicable
In response to DaveGlover

‎2019-11-28 05:43 PM

Hi Dave,

It's not defined in the custom concentrator file, but for my use case, I don't think it will matter.

I was just doing some testing and what I want to do if maintain a list of groups that I want to be alerted on if their group membership changes.

I tested the generation of meta on the alert key with an app rule successfully, which I'll then create a workflow to action upon.

Thanks.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.