In most SIEM products, User Behavior rules are not configurable, and the user guides carry warnings along the lines of “If you edit those rules, they might not work as expected.”
This “Quick Guide” walks you through developing a user behavior rule and then editing, configuring and modifying it.
- The first simple user behavior rule selected is “Executive Only Asset Accessed by Non-Executive User”.
We will implement this rule with LOGTITAN SIEM. The order of the rules (steps) matters; LOGTITAN manages it with the “Rule Priority” parameter.
Step 1: Update the lists
- Executive Only Assets
- Executive Users
Step 2: Check whether the asset is executive-only and the user is not an executive.
Rule development is quick and easy, so you can get started in minutes.
- The second simple user behavior rule selected is “A user is added to an administrative group and then removed from the group within 15 minutes.”
We will implement this rule with LOGTITAN SIEM. The order of the rules (steps) matters; LOGTITAN manages it with the “Rule Priority” parameter.
Step 1: Use Windows® security event IDs 4732 and 4728 (a member was added to a security-enabled local or global group) for the “user is added to an administrative group” part of the rule.
Step 2: Use Windows® security event IDs 4733 and 4729 (a member was removed from a security-enabled local or global group) for the “user is removed from the administrative group” part of the rule.
Step 3: Create the logic between Step 1 and Step 2: the removal must follow the addition within 15 minutes.
Step 4: Link the users between Step 1 and Step 2: the same account must appear as the added member in the Step 1 event and as the removed member in the Step 2 event.
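Both rules above, as one added example in plain Python; this is not LOGTITAN's own rule format or code, and the event field names (`type`, `event_id`, `member`, `group`, `subject`, `asset`, `user`, `time`), the list contents, the set of administrative group names and all sample events are constructed assumptions. The first rule is a stateless list check (Steps 1 and 2 of the first rule), the second is a stateful correlation that links the add and remove events on the added member and the group and enforces the 15-minute window (Steps 1 to 4 of the second rule), and the small runner evaluates rules in priority order. One caveat: 4728/4732 and 4729/4733 cover global and local security-enabled groups only; universal groups log 4756 (added) and 4757 (removed), so a production version of the second rule would add those IDs to the sets below.

```python
# Added example, not LOGTITAN code. Field names and sample data are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Rule 1, Step 1: the two reference lists (constructed sample values).
EXECUTIVE_ONLY_ASSETS = {"fin-srv01", "board-share"}
EXECUTIVE_USERS = {"ceo", "cfo"}

# Rule 2, Steps 1-2: Windows security event IDs for group membership changes.
# 4728/4732 = member added to a global/local security-enabled group,
# 4729/4733 = member removed from a global/local security-enabled group.
ADD_IDS = {4728, 4732}
REMOVE_IDS = {4729, 4733}
ADMIN_GROUPS = {"administrators", "domain admins"}   # assumed list of administrative groups
WINDOW = timedelta(minutes=15)


def norm_user(name: str) -> str:
    """Reduce 'CORP\\Alice', 'alice@corp.local' or 'Alice' to 'alice' so that list
    lookups and cross-event linking do not miss because of account formatting."""
    return name.split("\\")[-1].split("@")[0].lower()


def rule_exec_asset(event: dict):
    """Rule 1, Step 2: alert when a non-executive user accesses an executive-only asset."""
    if event.get("type") != "access":
        return None
    user = norm_user(event["user"])
    if event["asset"].lower() in EXECUTIVE_ONLY_ASSETS and user not in EXECUTIVE_USERS:
        return {"rule": "exec_asset_non_exec_user", "user": user,
                "asset": event["asset"], "time": event["time"]}
    return None


class AdminGroupFlipRule:
    """Rule 2, Steps 3-4: an add (4728/4732) followed by a remove (4729/4733) of the
    same member from the same admin group within the window. Events are linked on the
    added 'member' account, not on the 'subject' account that performed the change."""

    def __init__(self, window: timedelta = WINDOW):
        self.window = window
        self.pending = defaultdict(list)   # (member, group) -> [(add_time, add_subject)]

    def __call__(self, event: dict):
        eid = event.get("event_id")
        if eid not in ADD_IDS and eid not in REMOVE_IDS:
            return None
        group = event["group"].lower()
        if group not in ADMIN_GROUPS:
            return None
        key, now = (norm_user(event["member"]), group), event["time"]
        if eid in ADD_IDS:
            self.pending[key].append((now, event.get("subject")))
            return None
        # Removal: expire adds older than the window, then consume the latest match
        # so one add can never produce two alerts.
        adds = [a for a in self.pending[key] if now - a[0] <= self.window]
        self.pending[key] = adds
        if not adds:
            return None
        added_at, added_by = adds.pop()
        return {"rule": "admin_group_add_then_remove", "member": key[0], "group": group,
                "added_at": added_at, "added_by": added_by,
                "removed_at": now, "removed_by": event.get("subject")}


def run_rules(events, rules):
    """Evaluate rules in 'Rule Priority' order (lowest number first) over time-ordered events.
    `rules` is a list of (priority, callable); each callable returns an alert dict or None."""
    ordered = [r for _, r in sorted(rules, key=lambda p: p[0])]
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        for rule in ordered:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [   # constructed sample events, not real log data
    {"type": "access", "time": T0, "user": "CORP\\CEO", "asset": "fin-srv01"},                        # executive: no alert
    {"type": "access", "time": T0 + timedelta(minutes=1), "user": "bob@corp.local", "asset": "FIN-SRV01"},  # alert
    {"type": "winsec", "event_id": 4732, "time": T0 + timedelta(minutes=2), "member": "CORP\\bob",
     "group": "Administrators", "subject": "CORP\\itops"},
    {"type": "winsec", "event_id": 4728, "time": T0 + timedelta(minutes=3), "member": "CORP\\carol",
     "group": "Domain Admins", "subject": "CORP\\itops"},
    {"type": "winsec", "event_id": 4733, "time": T0 + timedelta(minutes=5), "member": "CORP\\dave",
     "group": "Administrators", "subject": "CORP\\itops"},                                             # remove without add: no alert
    {"type": "winsec", "event_id": 4733, "time": T0 + timedelta(minutes=12), "member": "CORP\\bob",
     "group": "Administrators", "subject": "CORP\\itops"},                                             # 10 min after add: alert
    {"type": "winsec", "event_id": 4729, "time": T0 + timedelta(minutes=30), "member": "CORP\\carol",
     "group": "Domain Admins", "subject": "CORP\\itops"},                                              # 27 min after add: no alert
]


def demo():
    """Run both rules over the sample stream; rule 1 has the higher priority (lower number)."""
    return run_rules(SAMPLE_EVENTS, [(10, rule_exec_asset), (20, AdminGroupFlipRule())])


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running the block prints two alerts: the non-executive access to FIN-SRV01 by bob, and bob's add-then-remove on Administrators ten minutes apart; carol's removal falls outside the window and dave's removal has no preceding add, so neither fires.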
LOGTITAN Rule Editor