I have a series of 4 events being generated when the Lenovo Update application runs on a Windows computer.
- Create account lenovo_tmp_####$$$$ (eventID 4720)
- Enable account lenovo_tmp_####$$$$ (eventID 4722)
- Add lenovo_tmp_####$$$$ to local administrators group (eventID 4732)
- Delete lenovo_tmp_####$$$$ (eventID 4726)
The 3rd event generates an alert in Kibana under the rule "User Added to Privileged Group". This is a correct rule application, but since this is a known process, I would like to filter out these events.
Events 1, 2, and 4 contain both the account name and the random SID generated by the process. Event 3, which generates the alert, only contains the random SID. I could filter on the name match for lenovo_tmp_*, but that information isn't included in the triggering event.
The time between event 1 and event 3 can be as little as 0.03 seconds. And this process can happen multiple times per day per machine. I am generating several hundred alerts per day through this process.
I am running cloud Kibana with the current stack. Windows events are being sent via subscription to a single server and Winlogbeat 8 is running on the server to transfer the log files.
We don't have the option of replacing all the Lenovo devices.
How can I apply a rule exception to this event when the SID is random and there's no other relevant information included in the event to filter on?
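The suppression the question describes is a join across events rather than a per-event filter: the account name lives in event 1 (4720) and the 4732 alert only carries the SID, so the two have to be tied together on the SID within a short window. The following is an added example, not code from the original post or from Elastic: a small stateful correlation, run over constructed sample events, that keeps the 4720 name-to-SID mapping per host, suppresses a 4732 only when the member SID was created under a `lenovo_tmp_*` name on the same host within the last 60 seconds, and otherwise alerts. It also lists temporary accounts that were never deleted (no 4726), a check the question does not ask for but one you would want before trusting the suppression. Field names (`TargetSid`, `TargetUserName`, `MemberSid`) mirror the Winlogbeat `winlog.event_data` names, flattened for readability; the window length, host names, SIDs and timestamps are assumptions.

```python
import re

# The exact suffix format of "lenovo_tmp_####$$$$" is not known, so only the
# prefix is matched (assumption).
LENOVO_TMP = re.compile(r"^lenovo_tmp_")
# How long after a 4720 a 4732 for the same SID is treated as part of the
# Lenovo flow; the post says it can be as little as 0.03 s (assumed value).
WINDOW_SECONDS = 60.0


def correlate(events):
    """Correlate 4720/4722/4732/4726 events by SID.

    events: chronologically ordered dicts with keys host, ts (epoch seconds),
    event_id, and the TargetSid/TargetUserName/MemberSid fields that apply.
    Returns a dict with:
      alerts         - 4732 events that should still fire
      suppressed     - 4732 events tied to a fresh lenovo_tmp_* account
      undeleted_temp - (host, name) for lenovo_tmp_* accounts with no 4726
    """
    created = {}  # (host, sid) -> (account name, creation ts) from 4720
    alerts, suppressed = [], []
    for ev in events:
        eid = ev["event_id"]
        if eid == 4720:
            created[(ev["host"], ev["TargetSid"])] = (ev["TargetUserName"], ev["ts"])
        elif eid == 4732:
            hit = created.get((ev["host"], ev["MemberSid"]))
            age = ev["ts"] - hit[1] if hit else None
            if hit and LENOVO_TMP.match(hit[0]) and 0 <= age <= WINDOW_SECONDS:
                suppressed.append(ev)
            else:
                alerts.append(ev)
        elif eid == 4726:
            created.pop((ev["host"], ev["TargetSid"]), None)
    undeleted = [(host, name) for (host, _sid), (name, _ts) in created.items()
                 if LENOVO_TMP.match(name)]
    return {"alerts": alerts, "suppressed": suppressed, "undeleted_temp": undeleted}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Normal Lenovo Update flow on LT-01: create, enable, add to admins, delete.
    {"host": "LT-01", "ts": 1000.00, "event_id": 4720,
     "TargetUserName": "lenovo_tmp_1234ABCD", "TargetSid": "S-1-5-21-111-222-333-1005"},
    {"host": "LT-01", "ts": 1000.01, "event_id": 4722,
     "TargetUserName": "lenovo_tmp_1234ABCD", "TargetSid": "S-1-5-21-111-222-333-1005"},
    {"host": "LT-01", "ts": 1000.03, "event_id": 4732,
     "MemberSid": "S-1-5-21-111-222-333-1005", "TargetUserName": "Administrators"},
    {"host": "LT-01", "ts": 1000.50, "event_id": 4726,
     "TargetUserName": "lenovo_tmp_1234ABCD", "TargetSid": "S-1-5-21-111-222-333-1005"},
    # A regular user added to Administrators on LT-02: must still alert.
    {"host": "LT-02", "ts": 2000.00, "event_id": 4720,
     "TargetUserName": "jdoe", "TargetSid": "S-1-5-21-444-555-666-1006"},
    {"host": "LT-02", "ts": 2000.40, "event_id": 4732,
     "MemberSid": "S-1-5-21-444-555-666-1006", "TargetUserName": "Administrators"},
    # lenovo_tmp_* account on LT-03 whose 4732 arrives outside the window and
    # is never deleted: alert, and report the lingering account.
    {"host": "LT-03", "ts": 3000.00, "event_id": 4720,
     "TargetUserName": "lenovo_tmp_9999ZZZZ", "TargetSid": "S-1-5-21-777-888-999-1007"},
    {"host": "LT-03", "ts": 3100.00, "event_id": 4732,
     "MemberSid": "S-1-5-21-777-888-999-1007", "TargetUserName": "Administrators"},
]

if __name__ == "__main__":
    result = correlate(SAMPLE_EVENTS)
    for ev in result["alerts"]:
        print("ALERT     ", ev["host"], ev["MemberSid"])
    for ev in result["suppressed"]:
        print("SUPPRESSED", ev["host"], ev["MemberSid"])
    for host, name in result["undeleted_temp"]:
        print("LINGERING ", host, name)
```

The same join is what a sequence-style rule or a pre-enrichment step in the pipeline would have to do: the 4732 event on its own never carries enough to decide, so the decision has to be made with the 4720 still in scope. Keeping the window short and requiring the same host limits how much a suppression like this can hide; the lingering-account list is the signal that the "known process" did not complete the way it normally does.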