NetWitness Community

RogerFeagin · ‎2018-11-30

I'm new to this SIEM and writing rules. How would I write a simple rule to report when changes have been made to GPO?

KennethEvans · ‎2018-11-30

We had a client request for notification when GPO policies were created, edited, or deleted. When studied, these actions cause multiple event log entries. Because of the multiple event log entries, we determined that we needed to use the ESA engine for correlation. The EPL rules we created in ESA are below. They may not be exactly what you need, but they may get you started.

======

module GPOCreated;

@Name('GPO Created')

@RSAAlert

SELECT window(*) FROM Event(

　　　　 medium = 32

　　　　 AND

　　　　 reference_id IN ('5137',’5136’)

　　　　 AND

　　　　 obj_type = 'grouppolicycontainer'

　　　　 AND

　　　　 (ec_activity = 'create' OR cast(action, string) LIKE '%Value Deleted%'))

　　　　 .std:groupwin(obj_type).win:time_batch(20 seconds)

　　　　 GROUP BY obj_type;

======

module GPOEdited;

@Name('GPO Edited')

@RSAAlert

SELECT window(*) FROM Event(

　　　　 medium = 32

　　　　 AND

　　　　 reference_id = '5136'

　　　　 AND

　　　　 obj_type = 'grouppolicycontainer'

　　　　 AND

　　　　 cast(action, string) LIKE '%Value Deleted%')

　　　　 .std:groupwin(reference_id, obj_type).win:time_batch(20 seconds)

　　　　 GROUP BY reference_id, obj_type;

======

module GPODeleted;

@Name('GPO Deleted')

@RSAAlert

SELECT window(*) FROM Event(

　　　　 medium = 32

　　　　 AND

　　　　 reference_id = '5141'

　　　　 AND

　　　　 obj_type = 'grouppolicycontainer'

　　　　 AND

　　　　 cast(action, string) LIKE '%Tree Delete%')

　　　　 .std:groupwin(reference_id, obj_type).win:time_batch(20 seconds)

　　　　 GROUP BY reference_id, obj_type;

MelissaRaney · ‎2018-11-30

I’m OOO traveling today but will get with you Monday.

RogerFeagin · ‎2018-11-30

I am getting this error.

JoshRandall · ‎2018-11-30

The single quotes around 5136 are *different* (they have a name, I'm sure, but I have no idea what those kinds of single-quote-like marks are called). Compare those to the marks around 5137:

Replace those *other* ones with normal single quotes and you should be good.

Mr. Mongo

RogerFeagin · ‎2018-11-30

Unfortunately that didn't work. I used the same single quote for both.

RogerFeagin · ‎2018-11-30

I'm getting the same error with this one as well

KennethEvans · ‎2018-11-30

Control characters can be hidden ones. Try pasting the contents into a plain text editor, like Notepad (but NOT Word) and then pasting back into the rule editor.
The earlier comments about the single quotes are correct, you want the single quote on the same key as the double quote key, not the tick mark that is on the tilde key. I think you corrected that, sorry it was posted incorrectly.
This won't cause your error but I noticed in your first graphic for the GPO Created rule that you dropped the GROUP BY clause.

I don't have access to a lab environment right now, but these were taken straight from a client report, so they should work.

RogerFeagin · ‎2018-11-30

This is copied and pasted to Notepad ++ and copied into Netwitness. I'm stumped

JoshRandall · ‎2018-11-30

Yea….that's really weird. I'm even able to copy/paste directly from the first reply straight into NW..

Anyway, try importing these into your ESA.

Mr. Mongo

NetWitness Community

GPO Rule