Rules Contributing to Suspicious Activity Related to Security-Enabled Group Alerts
The following rules are used to identify suspicious activity related to security-enabled group. Any one or more of these will trigger suspicious Activity Related to Security-Enabled Group Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
Security-Enabled Universal Group was Created |
A Security-Enabled Universal Group has been created. This could be an indication of malicious activity. More details
Rule IDQuery{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4754}, 'selection3': {'SourceUserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Security-Enabled Global Group was Created |
A Security-Enabled Global Group has been created. This could be an indication of malicious activity. More details
Rule IDQuery{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4727}, 'selection3': {'SourceUserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Member Added to Security-Enabled Universal Group |
A member was added to a Security-Enabled Universal Group. This could be an indication of malicious activity. More details
Rule IDQuery{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4756}, 'selection3': {'SourceUserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Security-Enabled Local Group was Created |
A Security-Enabled Local Group has been created. This could be an indication of malicious activity. More details
Rule IDQuery{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4731}, 'selection3': {'SourceUserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Security-Enabled Local Group was Deleted |
A Security-Enabled Local Group has been deleted. This could be an indication of malicious activity. More details
Rule IDQuery{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4734}, 'selection3': {'UserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Security-Enabled Universal Group was Deleted |
A Security-Enabled Universal Group has been deleted. This could be an indication of malicious activity. More details
Rule IDQuery{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4758}, 'selection3': {'UserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Security-Enabled Global Group was Deleted |
A Security-Enabled Global Group has been deleted. This could be an indication of malicious activity. More details
Rule IDQuery{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4730}, 'selection3': {'UserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|