-
Hello, I'm trying to create a Playbook that'll send out an Alert when a user is added to the Domain Admins group (SID ending with -512). The main part of the rule is that it should query for this:

However, the Playbook does not run. When I check the Elastalert, it'll show me:

When I remove the `.security` part in the `TargetSid.security: "-512"`, the query will work fine in Kibana. It seems like the `.security` subfield is missing on the `winlog.event_data.TargetSID` field... What is the best approach to this? Or am I missing something altogether..?

### EDIT:

When I check the Field Statistics in Kibana, the `winlog.event_data.TargetSid.security` field is actually there! And it contains the correct SID. However, I can't seem to get the filter to look for the trailing "-512" at the end of it...
Replies: 1 comment
-
THIS Q&A CAN BE CLOSED!

I found it. Mistake on my own side... I had to use:

```
(event.code.security:"4728" AND winlog.event_data.TargetSid.security:*-512)
```

The Sigma rule I made included a double `"` and the ElastAlert replaced it with a `'*-512'` instead! Fixed!
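The two points in this thread, the detection itself (event 4728 where the target group SID ends in the Domain Admins RID -512) and the quoting mistake (a wildcard inside double quotes is treated as a literal phrase, so `"*-512"` matches nothing while `*-512` matches the trailing RID), can be checked offline against a few constructed events. The block below is an added example written for this page; it is not code from the discussion, from Security Onion or from ElastAlert. The sample records are constructed, the SIDs are made up, and `term_matches` is a deliberately simplified model of the quoted-versus-wildcard behaviour described in the answer, not an implementation of the Elasticsearch query parser.

```python
import fnmatch

# Constructed sample records (not taken from the discussion), shaped like the
# ECS-mapped Windows Security events referenced in the question.  The domain
# SIDs are invented; only the trailing RID matters for the check.
SAMPLE_EVENTS = [
    {   # 4728: member added to a security-enabled global group, target = Domain Admins
        "event": {"code": "4728"},
        "winlog": {"event_data": {
            "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-512",
            "MemberName": "CN=jdoe,CN=Users,DC=example,DC=local"}},
    },
    {   # 4728 to an ordinary global group (RID 1105), must not alert
        "event": {"code": "4728"},
        "winlog": {"event_data": {
            "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
            "MemberName": "CN=asmith,CN=Users,DC=example,DC=local"}},
    },
    {   # 4732 to the built-in Administrators group: a different event code and RID
        "event": {"code": "4732"},
        "winlog": {"event_data": {
            "TargetSid": "S-1-5-32-544",
            "MemberName": "CN=svc-backup,CN=Users,DC=example,DC=local"}},
    },
]

DOMAIN_ADMINS_RID = "-512"   # well-known RID of the Domain Admins group


def target_sid(event):
    """Return winlog.event_data.TargetSid, or an empty string if absent."""
    return event.get("winlog", {}).get("event_data", {}).get("TargetSid", "")


def is_domain_admins_addition(event):
    """The intent of the playbook: event 4728 whose target group SID ends in -512."""
    code = event.get("event", {}).get("code")
    return code == "4728" and target_sid(event).endswith(DOMAIN_ADMINS_RID)


def term_matches(term, value):
    """Simplified model (an assumption, not the real query parser) of the
    behaviour the answer ran into: a double-quoted term is compared as a
    literal string, so any * inside the quotes loses its wildcard meaning;
    an unquoted term containing * or ? is treated as a wildcard pattern."""
    if len(term) >= 2 and term[0] == '"' and term[-1] == '"':
        return term[1:-1] == value
    if "*" in term or "?" in term:
        return fnmatch.fnmatchcase(value, term)
    return term == value


def matching_sids(term, events):
    """SIDs from events whose TargetSid satisfies the given query term."""
    return [target_sid(e) for e in events if term_matches(term, target_sid(e))]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["event"]["code"], target_sid(e), "ALERT" if is_domain_admins_addition(e) else "-")
    print("unquoted *-512 :", matching_sids("*-512", SAMPLE_EVENTS))
    print('quoted "*-512" :', matching_sids('"*-512"', SAMPLE_EVENTS))
    print('quoted "-512"  :', matching_sids('"-512"', SAMPLE_EVENTS))
```

Running it shows only the first record alerting, the unquoted `*-512` term selecting that same SID, and both quoted forms selecting nothing, which is the symptom the original filter produced before the quotes were removed.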