This “Quick Guide” walks you through developing user behavior rules and then editing, configuring and modifying those rules.

In this second quick guide, another simple user behavior rule was selected: “A user is added to an administrative group and then removed from the group within 15 minutes.”

We will implement this rule with SureLog SIEM. The order of the rules (steps) is important and is managed by the “Rule Priority” parameter in SureLog.

Step 1: Use security event IDs 4732 and 4728 for the “user is added to an administrative group” part of the rule on the Windows® operating system.

Step 2: Use security event IDs 4733 and 4729 for the “user is removed from an administrative group” part of the rule on the Windows® operating system.

Step 3: Create the time-window logic between Step 1 and Step 2 (the removal must follow the addition within 15 minutes).

Step 4: Link the users between Step 1 and Step 2 so that the addition and the removal refer to the same account and group.

SureLog Rule Editor
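The four steps above describe a classic two-event correlation: remember each group addition, then raise an alert when a removal for the same account and group arrives inside the window. The following Python script is an added example (not SureLog code and not from the original post) that implements that same logic outside the SIEM so you can see what the rule editor is doing under the hood. The event records and the `ADMIN_GROUPS` list are constructed for the example; in a real deployment the fields would come from your Windows Security log forwarder.

```python
from datetime import datetime, timedelta

# Step 1 / Step 2: the Windows Security event IDs named in the guide.
ADD_EVENTS = {4728, 4732}     # member added to a security-enabled global / local group
REMOVE_EVENTS = {4729, 4733}  # member removed from a security-enabled global / local group

# Step 3: the correlation window from the rule text.
WINDOW = timedelta(minutes=15)

# Constructed list of groups treated as "administrative" for this example.
ADMIN_GROUPS = {"administrators", "domain admins"}

# Constructed sample events (not real logs); only the fields the rule needs.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "event_id": 4732, "member": "CORP\\jdoe",   "group": "Administrators", "subject": "CORP\\admin1"},
    {"time": "2024-05-01T09:07:00", "event_id": 4733, "member": "CORP\\jdoe",   "group": "Administrators", "subject": "CORP\\admin1"},
    {"time": "2024-05-01T10:00:00", "event_id": 4728, "member": "CORP\\asmith", "group": "Domain Admins",  "subject": "CORP\\admin2"},
    {"time": "2024-05-01T10:30:00", "event_id": 4729, "member": "CORP\\asmith", "group": "Domain Admins",  "subject": "CORP\\admin2"},  # outside the window
    {"time": "2024-05-01T11:00:00", "event_id": 4732, "member": "CORP\\bob",    "group": "Administrators", "subject": "CORP\\admin1"},
    {"time": "2024-05-01T11:05:00", "event_id": 4733, "member": "CORP\\carol",  "group": "Administrators", "subject": "CORP\\admin1"},  # different user
    {"time": "2024-05-01T12:00:00", "event_id": 4732, "member": "CORP\\dave",   "group": "Backup Operators", "subject": "CORP\\admin1"},  # not an admin group
    {"time": "2024-05-01T12:03:00", "event_id": 4733, "member": "CORP\\dave",   "group": "Backup Operators", "subject": "CORP\\admin1"},
]


def correlate(events, window=WINDOW, admin_groups=ADMIN_GROUPS):
    """Return one alert per (member, group) pair that was added and then
    removed from an administrative group within `window`."""
    pending = {}  # (member, group) -> time of the matching add event
    alerts = []

    # Process in time order: like "Rule Priority" in the SIEM, the add must be seen before the remove.
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["group"].lower() not in admin_groups:
            continue  # rule only cares about administrative groups

        t = datetime.fromisoformat(ev["time"])
        key = (ev["member"].lower(), ev["group"].lower())  # Step 4: link on the same user and group

        if ev["event_id"] in ADD_EVENTS:
            pending[key] = t  # Step 1: remember the addition
        elif ev["event_id"] in REMOVE_EVENTS:
            added_at = pending.pop(key, None)  # Step 2: a removal closes the pending addition
            if added_at is not None and t - added_at <= window:  # Step 3: within the window
                alerts.append({
                    "member": ev["member"],
                    "group": ev["group"],
                    "added_at": added_at.isoformat(),
                    "removed_at": t.isoformat(),
                    "minutes": (t - added_at).total_seconds() / 60,
                    "removed_by": ev["subject"],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT: {alert['member']} was in {alert['group']} for "
              f"{alert['minutes']:.0f} minutes ({alert['added_at']} -> {alert['removed_at']})")
```

Of the four add/remove pairs in the sample, only `CORP\jdoe` produces an alert: `asmith` is removed after 30 minutes, `bob` and `carol` are different accounts, and `Backup Operators` is not in the administrative group list. Note that the pair is keyed on both the account and the group, which matches Step 4; keying on the account alone would also fire when a user is added to one admin group and removed from a different one.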

Written by Ertugrul Akbas