So I am writing a few rules for detecting Windows events.
The first one is:
rule A_security_enabled_local_group_was_deleted {
meta:
author = "ABC"
description = "This event generates every time a new security-enabled local group was deleted."
severity = "Low"
events:
$e.metadata.vendor_name = "Microsoft"
$e.metadata.product_event_type = "4734"
outcome:
$risk_score = max(20)
condition:
$e
}
If you're only trying to capture Event Type 4734 events, the above rule would satisfy that requirement.
Kind Regards,
Ayman C
rule A_security_enabled_local_group_was_deleted {
meta:
author = "ABC"
description = "This event generates every time a new security-enabled local group was deleted."
severity = "Low"
events:
$e.metadata.vendor_name = "Microsoft"
$e.metadata.product_event_type = "4734"
$e.principal.user.userid = $user
$e.target.group.windows_sid = $sid
$e.target.group.group_display_name = $group_name
outcome:
$risk_score = max(20)
$alertDesc = array_distinct(strings.concat("The user '", $user, "' deleted a security enabled local group with the group ID '", $sid, "' and group name '", $group_name, "'. The user was logged in to the host '", $e.principal.asset.hostname, "' under the domain '", $e.principal.administrative_domain, "'."))
condition:
$e
}
Can't I check whether the deleted group corresponds to the critical local or domain security groups like the built-in local Administrators group, Domain Admins, Enterprise Admins, etc., and if it does, assign a higher risk score? If possible, which field should I check and how do I do this?
@AymanC
Hey @anurag.q.singh
You can try a combination of Lists and If() statements in the `Outcome:` section. Create a List of all High priority Security groups. Then, make your $risk_score dynamic by adding the following in the Outcome section:
$risk_score = sum(45 + if($group_name in %High_Priority_Security_Groups, 55, 0))
So your rule would be:
rule A_security_enabled_local_group_was_deleted {
meta:
author = "ABC"
description = "This event generates every time a new security-enabled local group was deleted."
severity = "Low"
events:
$e.metadata.vendor_name = "Microsoft"
$e.metadata.product_event_type = "4734"
$e.principal.user.userid = $user
$e.target.group.windows_sid = $sid
$e.target.group.group_display_name = $group_name
outcome:
//$risk_score = max(20)
$risk_score = sum(45 + if($group_name in %High_Priority_Security_Groups, 55, 0))
$alertDesc = array_distinct(strings.concat("The user '", $user, "' deleted a security enabled local group with the group ID '", $sid, "' and group name '", $group_name, "'. The user was logged in to the host '", $e.principal.asset.hostname, "' under the domain '", $e.principal.administrative_domain, "'."))
condition:
$e
}
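As an added example that is not part of the thread, the following Python reproduces the reply's outcome logic (base score 45, plus 55 when the deleted group is on the high-priority list) over constructed UDM-shaped events, so the scoring can be checked offline before the reference list is created. The list contents, the well-known SIDs, the domain SID and the sample events are all assumptions made here. It goes one step beyond the reply's name-only check by also matching the group's well-known SID, which still matches when the display name is localised or renamed.

```python
# Added example, not code from the thread: a Python stand-in for the YARA-L
# outcome logic above, run over constructed UDM-shaped group-deletion events.
# The group list, the SIDs it carries and the sample events are assumptions;
# the 45/55 weights are the ones from the reply.
import re
from typing import Any

# Stand-in for the %High_Priority_Security_Groups reference list (assumed contents).
HIGH_PRIORITY_GROUP_NAMES = {
    "administrators", "domain admins", "enterprise admins", "schema admins",
    "account operators", "backup operators", "server operators", "print operators",
}
# The same groups by well-known SID. BUILTIN groups have fixed SIDs;
# domain groups are <domain SID>-<RID>, so those are matched on the RID.
BUILTIN_HIGH_PRIORITY_SIDS = {
    "S-1-5-32-544",  # Administrators
    "S-1-5-32-548",  # Account Operators
    "S-1-5-32-549",  # Server Operators
    "S-1-5-32-550",  # Print Operators
    "S-1-5-32-551",  # Backup Operators
}
DOMAIN_HIGH_PRIORITY_RIDS = {512, 518, 519}  # Domain Admins, Schema Admins, Enterprise Admins
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Security-enabled group deletions: 4730 global, 4734 local, 4758 universal.
GROUP_DELETED_EVENT_TYPES = {"4730", "4734", "4758"}
BASE_SCORE = 45           # the 45 in sum(45 + if(...))
HIGH_PRIORITY_BONUS = 55  # the 55 in if($group_name in %..., 55, 0)


def is_high_priority(group_name: str, sid: str) -> bool:
    """True when the deleted group is on the list by display name or by SID."""
    if group_name.strip().lower() in HIGH_PRIORITY_GROUP_NAMES:
        return True
    if sid in BUILTIN_HIGH_PRIORITY_SIDS:
        return True
    m = DOMAIN_SID_RE.match(sid)
    return bool(m) and int(m.group(1)) in DOMAIN_HIGH_PRIORITY_RIDS


def risk_score(group_name: str, sid: str) -> int:
    """Mirror of $risk_score = sum(45 + if($group_name in %list, 55, 0))."""
    return BASE_SCORE + (HIGH_PRIORITY_BONUS if is_high_priority(group_name, sid) else 0)


def matches_rule(event: dict[str, Any]) -> bool:
    """The events: section filter: vendor Microsoft and a group-deletion event ID."""
    meta = event.get("metadata", {})
    return (meta.get("vendor_name") == "Microsoft"
            and meta.get("product_event_type") in GROUP_DELETED_EVENT_TYPES)


def describe(event: dict[str, Any]) -> str:
    """Mirror of the $alertDesc string built in the rule's outcome section."""
    user = event["principal"]["user"]["userid"]
    sid = event["target"]["group"]["windows_sid"]
    name = event["target"]["group"]["group_display_name"]
    host = event["principal"]["asset"]["hostname"]
    domain = event["principal"]["administrative_domain"]
    return (f"The user '{user}' deleted a security enabled group with the group ID "
            f"'{sid}' and group name '{name}'. The user was logged in to the host "
            f"'{host}' under the domain '{domain}'.")


def score_events(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one detection per matching event, as the rule (condition: $e) would."""
    detections = []
    for ev in events:
        if not matches_rule(ev):
            continue
        grp = ev["target"]["group"]
        detections.append({
            "event_id": ev["metadata"]["product_event_type"],
            "group": grp["group_display_name"],
            "risk_score": risk_score(grp["group_display_name"], grp["windows_sid"]),
            "alert_desc": describe(ev),
        })
    return detections


def _udm(event_type: str, user: str, host: str, domain: str, sid: str, group: str) -> dict:
    """Build a constructed UDM-shaped event carrying only the fields the rule reads."""
    return {
        "metadata": {"vendor_name": "Microsoft", "product_event_type": event_type},
        "principal": {"user": {"userid": user}, "asset": {"hostname": host},
                      "administrative_domain": domain},
        "target": {"group": {"windows_sid": sid, "group_display_name": group}},
    }


DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"  # constructed domain SID
SAMPLE_EVENTS = [  # constructed sample input, not real telemetry
    _udm("4734", "jdoe", "FS01", "CORP", DOMAIN_SID + "-1105", "Helpdesk Local"),
    _udm("4734", "svc-deploy", "DC01", "CORP", "S-1-5-32-544", "Administrateurs"),  # localised name, matched by SID
    _udm("4730", "bsmith", "DC01", "CORP", DOMAIN_SID + "-512", "Domain Admins"),
    _udm("4735", "bsmith", "DC01", "CORP", DOMAIN_SID + "-512", "Domain Admins"),  # group changed, not deleted
]

if __name__ == "__main__":
    for d in score_events(SAMPLE_EVENTS):
        print(d["event_id"], d["risk_score"], d["alert_desc"])
```

Two things the example makes visible that the name-only version hides: the renamed or localised BUILTIN\Administrators deletion still scores 100 because S-1-5-32-544 is fixed, and the Domain Admins deletion only appears because the filter also accepts 4730 and 4758. Domain Admins is a global group and Enterprise Admins a universal group, so their deletion is logged under those event IDs rather than 4734, which covers security-enabled local groups only.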