Most of the time, User Behavior rules are not configurable, and SIEM user guides carry notices such as “If you edit those rules, they might not work as expected.”

This “Quick Guide” was created to walk you through developing a user behavior rule and then editing, configuring and modifying such rules.

  • First simple user behavior rule selected: “Executive Only Asset Accessed by Non-Executive User”.

We will implement this rule with LOGTITAN SIEM. The order of the rules (steps) is important and is managed by LOGTITAN’s “Rule Priority” parameter.

Step 1: Update the lists:

  • Executive Only Assets
  • Executive Users


[Screenshot: Create User Behavior Rule With LOGTITAN NG SIEM]

Step 2: Check whether the asset is executive-only and the user is not an executive.

[Screenshot: Create User Behavior Rule With LOGTITAN NG SIEM]

Rule development is quick and easy, so you can get started in minutes.

  • Second simple user behavior rule selected: “A user is added to an administrative group and then removed from the group within 15 minutes.”

We will implement this rule with LOGTITAN SIEM. The order of the rules (steps) is important and is managed by LOGTITAN’s “Rule Priority” parameter.

Step 1: Use Windows® security event IDs 4732 and 4728 for the “user is added to an administrative group” part of the rule.

Step 2: Use Windows® security event IDs 4733 and 4729 for the “user is removed from an administrative group” part of the rule.

Step 3: Create the logic that connects Step 1 and Step 2 (the removal must follow the addition within 15 minutes).

[Screenshot: Create User Behavior Rule With LOGTITAN NG SIEM]

Step 4: Link the user between Step 1 and Step 2, so the rule fires only when the same user appears in both events.

[Screenshot: Create User Behavior Rule With LOGTITAN NG SIEM]

[Screenshot: LOGTITAN Rule Editor]
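As an added example (not LOGTITAN’s own code or rule syntax), here is the second rule’s Steps 1 to 4 expressed as plain Python correlation logic over constructed Windows security events; the field names `member` and `group` are assumptions standing in for the parsed event fields.

```python
from datetime import datetime, timedelta

# Windows Security event IDs named in the guide: member added to / removed from
# a security-enabled local group (4732/4733) or global group (4728/4729).
ADD_EVENTS = {4732, 4728}
REMOVE_EVENTS = {4733, 4729}
WINDOW = timedelta(minutes=15)

# Constructed sample events (not real log data). Field names are assumptions.
EVENTS = [
    {"ts": "2024-03-01T10:00:00", "id": 4728, "member": "j.doe", "group": "Domain Admins"},
    {"ts": "2024-03-01T10:09:30", "id": 4729, "member": "j.doe", "group": "Domain Admins"},
    {"ts": "2024-03-01T11:00:00", "id": 4732, "member": "a.kim", "group": "Administrators"},
    {"ts": "2024-03-01T11:40:00", "id": 4733, "member": "a.kim", "group": "Administrators"},
    {"ts": "2024-03-01T12:00:00", "id": 4732, "member": "b.lee", "group": "Administrators"},
    {"ts": "2024-03-01T12:05:00", "id": 4733, "member": "c.ng", "group": "Administrators"},
]


def correlate_add_then_remove(events, window=WINDOW):
    """Step 3 + Step 4: pair each add event with a later remove event for the
    same member and group, and alert when the gap is within `window`."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    pending = {}  # (member, group) -> timestamp of the most recent add
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        key = (e["member"], e["group"])
        if e["id"] in ADD_EVENTS:
            pending[key] = ts
        elif e["id"] in REMOVE_EVENTS and key in pending:
            added = pending.pop(key)  # only the linked user's own add counts
            if ts - added <= window:
                alerts.append({"member": e["member"], "group": e["group"],
                               "seconds": int((ts - added).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in correlate_add_then_remove(EVENTS):
        print(alert)
```

Only j.doe is reported: a.kim’s removal falls outside the 15-minute window, and b.lee’s addition is not linked to c.ng’s removal because Step 4 requires the same user.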