Hi Team,
I am trying create a new correlation rule for a series of evenid's . I have replicated the scenario in my lab. When a threat actor creates a new account by copying existing admin account and assiging new name etc.. we should get alert. Here is the eql query I have written:
sequence by organization.id, user.target.id with maxspan=5m
[ any where event.type == "4724" ]
[ any where event.type == "4738" ]
[ any where event.type == "4722" ]
[ any where event.type == "4720" ]
or even
sequence by organization.id, user.target.id with maxspan=5m
[ any where event.action == "An attempt was made to reset an account's password" ]
[ any where event.action == "A user account was changed" ]
[ any where event.action == "A user account was enabled" ]
until [ any where event.action == "A user account was created" ]
I dont see any alerts coming even though I have generated traffic. KIndly suggest if I need to correct something.