2021-12-16 08:46 AM
Dear community, I'm trying to build or to deploy (if possible) rules which will alert on every login with a domain-admin account (built-in local administrator accounts as well).
Please, can anyone help?
Thank You
2021-12-22 08:29 AM
The best way I have found to create a rule that is effective is to first find the traffic that you are looking to alert on. Once you find that data, you can find the appropriate meta that would fire associated with the traffic. This way you can also include your NOT statements as well, so you don't accidentally create a rule that fires thousands of alerts within seconds.
Username contains "identifier" && Context contains 'privilege escalation' && _____________. (example not assumed correct)
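The three-step approach in the reply above (look at the raw events, pick the fields to key on, then add the NOT clauses before deploying) walked through in code. This is an added example, not code from the thread or from NetWitness: the events, field names, admin inventory and jump-host allow-list are all constructed, and the field names only resemble Windows event 4624 rather than being NetWitness meta keys. Once the equivalent meta is confirmed in your own data, the same match-then-exclude logic is what goes into the ESA rule.

```python
"""Find the data, pick the fields, then add NOT clauses: a dry run of a
privileged-logon rule over constructed sample events."""
import re
from typing import Dict, List, Optional

# Constructed sample logon events in key=value form. Field names are an
# assumption modelled on Windows Security event 4624 (logon_type 2 =
# interactive, 3 = network, 5 = service, 10 = RDP); they are not NetWitness
# meta keys and would have to be mapped to whatever meta your parser emits.
SAMPLE_EVENTS = [
    "event_id=4624 user=CORP\\jdoe logon_type=2 src=10.0.1.15 outcome=success",
    "event_id=4624 user=CORP\\da_alice logon_type=10 src=10.0.5.99 outcome=success",
    "event_id=4624 user=CORP\\da_alice logon_type=3 src=10.0.0.12 outcome=success",
    "event_id=4624 user=CORP\\svc_backup logon_type=5 src=127.0.0.1 outcome=success",
    "event_id=4624 user=WKS01\\Administrator logon_type=2 src=10.0.1.20 outcome=success",
    "event_id=4625 user=CORP\\da_bob logon_type=3 src=10.0.8.8 outcome=failure",
    "event_id=4624 user=CORP\\WKS01$ logon_type=3 src=10.0.1.20 outcome=success",
]

# Assumed privileged-account inventory. In practice export the Domain Admins
# group membership rather than hard-coding names.
DOMAIN_ADMINS = {"CORP\\da_alice", "CORP\\da_bob"}

# Assumed allow-list: network logons from the admin jump host are expected
# and would otherwise fire on every file-share, WMI or RPC touch it makes.
ALLOWED_NETWORK_SOURCES = {"10.0.0.12"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Step 1: look at the raw event and pull out the fields you can key on."""
    return dict(KV_RE.findall(line))


def is_privileged(user: str) -> bool:
    """Step 2: the positive match. Domain admins come from the inventory; the
    built-in local Administrator is matched by account name on any host."""
    account = user.split("\\", 1)[-1]
    return user in DOMAIN_ADMINS or account.lower() == "administrator"


def is_excluded(ev: Dict[str, str]) -> Optional[str]:
    """Step 3: the NOT clauses. Returns the suppression reason, or None."""
    user = ev.get("user", "")
    if user.endswith("$"):
        return "machine account"
    if ev.get("logon_type") == "3" and ev.get("src") in ALLOWED_NETWORK_SOURCES:
        return "network logon from allow-listed jump host"
    return None


def evaluate(line: str, apply_exclusions: bool = True) -> Optional[Dict[str, str]]:
    """Return the parsed event if it should alert, else None.
    Only successful 4624 logons are considered here; failed attempts (4625)
    against admin accounts are worth a separate rule with its own threshold."""
    ev = parse_event(line)
    if ev.get("event_id") != "4624" or ev.get("outcome") != "success":
        return None
    if not is_privileged(ev.get("user", "")):
        return None
    if apply_exclusions and is_excluded(ev):
        return None
    return ev


def run_rule(events: List[str], apply_exclusions: bool = True) -> List[Dict[str, str]]:
    """Dry-run the rule over a batch of events. Compare the count with and
    without exclusions before deploying to see how noisy it would be."""
    return [ev for ev in (evaluate(line, apply_exclusions) for line in events) if ev]


if __name__ == "__main__":
    noisy = run_rule(SAMPLE_EVENTS, apply_exclusions=False)
    tuned = run_rule(SAMPLE_EVENTS)
    print(f"without NOT clauses: {len(noisy)} alerts, with: {len(tuned)}")
    for ev in tuned:
        print("ALERT", ev["user"], "logon_type", ev["logon_type"], "from", ev["src"])
```

Running the dry run on the sample set shows the point of the NOT clauses: the two interactive/RDP logons by a domain admin and by the built-in Administrator alert, while the domain admin's network logon from the allow-listed jump host is suppressed. Check the same two counts against a day of real data before enabling the ESA rule.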
2021-12-22 08:32 AM
You could also use this methodology and the reporting engine within NetWitness as another solution to report against this activity.