SIEM Visualization Example 4: Users Added or Removed from a Local Group

In this example, we will create a SIEM visualization to monitor user additions or removals from the local "Administrators" group within a specific timeframe (March 5th, 2023, to the present). This type of monitoring is critical for detecting unauthorized changes to privileged groups, which could indicate malicious activity or misconfigurations.


Step 1: Accessing the Dashboard

  1. Spawn the Target System:

    • Navigate to the bottom of the section and click on "Click here to spawn the target system!".

  2. Access Kibana:

    • Open your browser and navigate to http://[Target IP]:5601.

    • Click on the side navigation toggle and select "Dashboard".

  3. Edit the Prebuilt Dashboard:

    • A prebuilt dashboard should be visible. Click on the "pencil"/edit icon to modify it.

  4. Create a New Visualization:

    • Click on "Create visualization" to begin building the new visualization.


Step 2: Configuring the Visualization

Key Elements to Configure

  1. Filter Data:

    • Use the filter option to narrow down the data to only include events related to user additions or removals from the local "Administrators" group.

    • Add the following filters:

      • event.code: (4732 OR 4733) (Windows event IDs for adding/removing members from security-enabled local groups).

      • group.name.keyword: Administrators (Ensures the action involves the "Administrators" group).

      • @timestamp >= "2023-03-05T00:00:00.000Z" (Limits the data to events occurring from March 5th, 2023, onward).

  2. Select the Index Pattern:

    • In the Index pattern field, specify windows* to focus on Windows-related logs.

  3. Verify Fields:

    • Use the search bar to confirm the presence of fields like:

      • winlog.event_data.MemberSid.keyword (The SID of the user being added/removed).

      • group.name.keyword (The name of the group involved in the action).

      • event.action.keyword (Indicates whether the user was added or removed).

      • host.name.keyword (The machine where the action occurred).

  4. Choose Visualization Type:

    • From the dropdown menu, select "Table" as the visualization type.


Step 3: Building the Table Visualization

  1. Configure Rows:

    • Click on "Rows" and configure the following fields to enhance understanding:

      • Field: winlog.event_data.MemberSid.keyword (Which user was added/removed?).

      • Field: group.name.keyword (To which group was the addition/removal performed? Double-check that it is the "Administrators" group).

      • Field: event.action.keyword (Was the user added or removed?).

      • Field: host.name.keyword (On which machine did the action occur?).

  2. Add Metrics:

    • Click on "Metrics" and select "Count" as the metric.

    • The table will populate with data showing the count of additions/removals per user, group, and machine.

  3. Save the Visualization:

    • Click on "Save and return" to add the visualization to the dashboard.
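The filters and the table configured in Steps 2 and 3 correspond to an Elasticsearch query that Kibana issues behind the scenes. The following Python script is an added example, not part of the original page and not Kibana's or Elasticsearch's own code: it builds the equivalent Query DSL (a bool filter for the event codes, group name and timeframe, plus a composite aggregation over the four row fields whose doc_count is the Count metric) and applies the same filter and count logic to a few constructed sample events, so the resulting rows can be checked offline. The SIDs, hostnames and timestamps in the sample are constructed; the event.action strings follow the winlogbeat naming convention but are an assumption here.

```python
"""Added example: the Elasticsearch query behind the Kibana table from Steps 2
and 3, plus an offline re-implementation of its filter and count logic.
Not part of the original page; the sample events below are constructed."""
import json
from collections import Counter

TIMEFRAME_START = "2023-03-05T00:00:00.000Z"
EVENT_CODES = ("4732", "4733")     # member added to / removed from a local group
GROUP_NAME = "Administrators"
# Row fields of the table, in column order (column alias -> indexed field).
ROW_FIELDS = {
    "user": "winlog.event_data.MemberSid.keyword",
    "group": "group.name.keyword",
    "action": "event.action.keyword",
    "machine": "host.name.keyword",
}


def build_query() -> dict:
    """Query DSL equivalent of the three Kibana filters and the Count-per-row table."""
    return {
        "size": 0,  # aggregation buckets only, no raw hits
        "query": {"bool": {"filter": [
            {"terms": {"event.code": list(EVENT_CODES)}},
            {"term": {"group.name.keyword": GROUP_NAME}},
            {"range": {"@timestamp": {"gte": TIMEFRAME_START}}},
        ]}},
        "aggs": {"rows": {"composite": {
            "size": 100,
            # One composite source per table column; each bucket's doc_count is the Count metric.
            "sources": [{alias: {"terms": {"field": field}}}
                        for alias, field in ROW_FIELDS.items()],
        }}},
    }


def _get(doc: dict, path: str):
    """Resolve a dotted field path; a '.keyword' sub-field reads the parent value."""
    cur = doc
    for part in path.removesuffix(".keyword").split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(doc: dict) -> bool:
    """Same predicate as the query's bool/filter clause, evaluated on one document."""
    ts = _get(doc, "@timestamp") or ""
    return (
        str(_get(doc, "event.code")) in EVENT_CODES
        and _get(doc, "group.name") == GROUP_NAME
        # Both sides are ISO-8601 UTC strings with the same layout, so a
        # lexical comparison orders them correctly.
        and ts >= TIMEFRAME_START
    )


def tabulate(docs) -> list:
    """Rows of (user, group, action, machine) with their count, busiest first."""
    counts = Counter(
        tuple(_get(d, f) for f in ROW_FIELDS.values()) for d in docs if matches(d)
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample events in the shape winlogbeat produces (all values invented).
SID = "S-1-5-21-1111-2222-3333-1105"


def _ev(code, action, group, ts, sid=SID, host="WS01"):
    return {"@timestamp": ts, "event": {"code": code, "action": action},
            "group": {"name": group}, "host": {"name": host},
            "winlog": {"event_data": {"MemberSid": sid}}}


SAMPLE_EVENTS = [
    _ev("4732", "added-member-to-group", "Administrators", "2023-03-06T09:12:00.000Z"),
    _ev("4732", "added-member-to-group", "Administrators", "2023-03-07T18:40:00.000Z"),
    _ev("4733", "removed-member-from-group", "Administrators", "2023-03-07T18:45:00.000Z"),
    _ev("4732", "added-member-to-group", "Remote Desktop Users", "2023-03-07T10:00:00.000Z"),  # other group
    _ev("4732", "added-member-to-group", "Administrators", "2023-03-01T08:00:00.000Z"),  # before timeframe
    _ev("4728", "added-member-to-group", "Administrators", "2023-03-08T08:00:00.000Z"),  # not a filtered event code
]

if __name__ == "__main__":
    print(json.dumps(build_query(), indent=2))
    for key, n in tabulate(SAMPLE_EVENTS):
        print(n, *key)
```

Running the script prints the query you could paste into Dev Tools against the windows* index and then the two rows the sample yields: the same SID added to Administrators on WS01 twice and removed once, with the other-group, pre-timeframe and non-matching-event-code documents dropped by the same three conditions the Kibana filters apply.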


Step 4: Final Visualization

After completing the configuration, the final visualization will include:

  1. Columns:

    • User: Displays the SID of the user being added or removed (winlog.event_data.MemberSid.keyword).

    • Group: Shows the name of the group involved in the action (group.name.keyword).

    • Action: Indicates whether the user was added or removed (event.action.keyword).

    • Machine: Displays the hostname where the action occurred (host.name.keyword).

    • Count: The number of times the event has occurred (based on the specified timeframe).

  2. Filters:

    • Only events with event.code: (4732 OR 4733), group.name.keyword: Administrators, and @timestamp >= "2023-03-05T00:00:00.000Z" are included.

  3. Sorting:

    • Sort the table by the timestamp (@timestamp) in descending order to prioritize recent events.


Step 5: Review and Save

  1. Review the Dashboard:

    • Navigate back to the Dashboard page to view the new visualization.

    • Ensure that the table displays accurate and actionable insights.

  2. Save the Dashboard:

    • Click on the "Save" button to save your progress.


Key Takeaways

  1. Monitor Privileged Group Changes:

    • Changes to the local "Administrators" group can have significant security implications. Monitoring these changes helps detect unauthorized access or privilege escalation attempts.

  2. Leverage Event Logs:

    • The event.code: 4732 and event.code: 4733 logs provide critical information about additions and removals from security-enabled local groups.

  3. Visualization Enhances Clarity:

    • Using a table visualization allows SOC analysts to quickly identify patterns, such as repeated additions/removals on specific machines or involving specific users.

  4. Best Practices:

    • Use .keyword fields for aggregations to ensure accurate results.

    • Regularly refine filters to exclude irrelevant data and reduce noise.

    • Combine visualizations into dashboards for a comprehensive view of security events.


Example Use Case

  • Scenario: An attacker gains administrative privileges by adding their account to the local "Administrators" group. This generates an event with event.code: 4732 and group.name.keyword: Administrators.

  • Action: The SOC team can use this visualization to:

    • Identify unauthorized additions to privileged groups.

    • Investigate the source of the change (e.g., specific machines or users).

    • Revert unauthorized changes and strengthen access controls.

By following these steps, you can create a robust visualization for monitoring user additions or removals from the local "Administrators" group, enabling your SOC team to proactively detect and respond to potential threats.
