
Configure the Account Manipulation Use Case

Configure Exabeam Security Operations Platform to protect your environment against the Account Manipulation use case. Ensure that you collect the right data, set up investigation tools, enable response mechanisms, and import relevant Data Lake reports.

To protect against a use case, you might follow an end-to-end workflow that looks like:

  • Collect – Ensure that you bring in the correct logs for the use case and that all fields populate.

  • Detect – Use out-of-the-box rules and models to identify suspicious activity.

  • Investigate – Ask important questions about the data from log sources, rules, and models.

  • Respond – Isolate, neutralize, eliminate, and mitigate any threats you find.

  • Report – Gather all the evidence in a report so you can share your investigation with others or use for compliance purposes.

Let's configure everything you need to successfully follow each stage of this workflow.

Collect

Collect the data needed to investigate the Account Manipulation use case and ensure all context tables are populated correctly.

  • Ensure that you have worked with Exabeam Customer Success to onboard and validate the log sources needed to implement the Account Manipulation use case.

  • Ensure that you have specific out-of-the-box context tables:

    • user_is_privileged

    • user_account

    • user_is_executive

  • Create a custom context table for network zones.

  • Ensure that users and assets have the correct labels based on the context tables. For example, if a user is in the user_is_privileged context table, navigate to the user's profile to verify they have the privileged label.

Detect

Ensure you have all mechanisms in place, like rules, models, watchlists, and Threat Hunter searches, to successfully identify suspicious activity.

Rules and models

Validate out-of-the-box rules and models to ensure you accurately detect anomalous activity.

  • Import the latest content packages on the Exabeam Community. These content packages contain the latest rules and models, which aren't available to install in Content Updates settings. You must download them from the Exabeam Community, then import them.

  • Ensure that related rules and models are triggering correctly.

Threat Hunter searches

To quickly search for events that may indicate an attacker is manipulating accounts, create and save the suggested Threat Hunter search queries.

Each suggested Threat Hunter search is listed below with its search criteria.

User's first time managing an account

  • Reasons:

    • A-AC-DhU-system-F

    • A-AM-DhU-system-F

    • A-GM-DhU-system-F

    • AC-LocUA-F

    • AC-LocUA-F-new

    • AC-UH-F

    • AM-GA-new

    • AM-OLocU-F

    • AM-OLocU-F-new

    • AM-OU-SS-F

    • AM-UA-AC-F

    • AM-UA-AD-F

    • AM-UA-MA-F

    • AM-UD-F

    • AM-UH-F

    • GM-LocUA-F

    • GM-LocUA-F-new

    • GM-UH-F

  • Dates – Last 7 days

Device's first time managing an account

  • Reasons:

    • AC-OH-F

    • AM-OH-F

    • AM-UH-F

    • GM-UH-F

    • A-AM-DhU-system-F

  • Dates – Last 7 days

Accounts created or modified from a command-line interface (CLI)

  • Reasons:

    • AC-OH-CLI-F

    • AC-OU-CLI-F

    • AC-OZ-CLI-F

    • NET-EXE-ACTIVE-ORG-A

    • NET-EXE-ACTIVE-ORG-F

    • NET-EXE-ADD-GRP-ORG-A

    • NET-EXE-ADD-GRP-ORG-F

    • NET-EXE-ADD-ORG-A

    • NET-EXE-ADD-ORG-F

    • NET-EXE-DELETE-ORG-A

    • NET-EXE-DELETE-ORG-F

  • Dates – Last 7 days

Privileged groups or users who managed accounts

  • Reasons:

    • MA-PRIV-A

    • MA-PRIV-F

    • MA-PRIV-F-local

  • Dates – Last 7 days

Executive users who managed accounts

  • User Labels – executive

  • Activity Types – Account Management

  • Dates – Last 7 days

Abnormal directory service account activity

  • Reasons:

    • DS-GCount

    • DS-GH-A

    • DS-GH-F

    • DS-GOC-A

    • DS-GOC-F

    • DS-GSZ-A

    • DS-GSZ-F

    • DS-OAT-A

    • DS-OAT-F

    • DS-OG-F

    • DS-OH-A

    • DS-OH-F

    • DS-OOC-A

    • DS-OSZ-A

    • DS-OSZ-F

    • DS-OU-F

    • DS-UAT-A

    • DS-UAT-F

    • DS-UCount

    • DS-UH-A

    • DS-UH-F

    • DS-UOC-A

    • DS-UOC-F

    • DS-USH-A

    • DS-USH-F

    • DS-USZ-A

  • Dates – Last 7 days

Users who granted abnormal mailbox permissions

  • Reasons:

    • EM-InB-Ex

    • EM-InB-Perm-A

    • EM-InB-Perm-N-A

    • EM-InB-Perm-N-F

  • Dates – Last 7 days
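The searches above all reduce to a few detection ideas: a user or a host managing an account for the first time, account changes made from a command-line tool, and privileged or executive users managing accounts. The following Python script is an added example, not Exabeam content, that applies those ideas to a handful of constructed account-management events. The event fields, the sample events, the list of CLI tools and the finding labels are all assumptions made for this example; they are not Exabeam rule IDs, model names or Data Lake fields.

```python
"""Added example (not Exabeam's code): first-seen and rule-flavoured triage
over constructed account-management events, mirroring the intent of the
Threat Hunter searches on this page:

  * user's first time managing an account
  * device's first time managing an account
  * account changes made from a command-line interface
  * privileged or executive users managing accounts

Events older than the search window only build the "seen before" baseline;
events inside the window are the ones that can produce findings.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (assumed field layout):
# (timestamp, user, host, action, process, user_labels)
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "adm-ws01", "account-created", "dsa.msc", {"privileged"}),
    ("2024-05-08T11:00:00", "bob", "ws-1042", "account-created", "net.exe", set()),
    ("2024-05-08T11:01:00", "bob", "ws-1042", "group-member-added", "net.exe", set()),
    ("2024-05-08T12:00:00", "alice", "ws-2201", "account-modified", "dsa.msc", {"privileged"}),
    ("2024-05-09T08:00:00", "carol", "exec-lt07", "account-modified", "dsa.msc", {"executive"}),
]

# Assumed list of command-line account-management tools to flag.
CLI_TOOLS = {"net.exe", "net1.exe", "dsadd.exe", "dsmod.exe", "useradd", "usermod", "adduser"}


def parse(ts):
    return datetime.fromisoformat(ts)


def triage(events, window_days=7, now=None):
    """Return findings as (timestamp, user, host, action, reasons) tuples.

    The search window is the last `window_days` before `now` (default: the
    newest event). Users and hosts seen at any earlier time, including
    before the window, count as "seen before".
    """
    events = sorted(events, key=lambda e: e[0])
    now = now or parse(events[-1][0])
    cutoff = now - timedelta(days=window_days)
    users_seen, hosts_seen = set(), set()
    findings = []
    for ts, user, host, action, process, labels in events:
        reasons = []
        if parse(ts) >= cutoff:
            if user not in users_seen:
                reasons.append("first-time-user-manages-account")
            if host not in hosts_seen:
                reasons.append("first-time-host-manages-account")
            if process.lower() in CLI_TOOLS:
                reasons.append("account-change-via-cli")
            if "privileged" in labels:
                reasons.append("privileged-user-managed-account")
            if "executive" in labels:
                reasons.append("executive-user-managed-account")
        # Update the baseline after evaluating, so the first occurrence fires.
        users_seen.add(user)
        hosts_seen.add(host)
        if reasons:
            findings.append((ts, user, host, action, reasons))
    return findings


def summarize(findings):
    """Count how often each reason fired; handy as a report-style rollup."""
    return Counter(r for _, _, _, _, reasons in findings for r in reasons)


if __name__ == "__main__":
    results = triage(EVENTS)
    for ts, user, host, action, reasons in results:
        print(ts, user, host, action, ", ".join(reasons))
    print(dict(summarize(results)))
```

Running the script with the constructed events flags bob's net.exe activity from a host never seen managing accounts, alice's first account change from a new workstation, and carol's executive account change; alice's earlier activity falls outside the 7-day window and only seeds the baseline.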

Configure Settings to Search for Data Lake Logs in Advanced Analytics

If you have an on-premises deployment, ensure that you configure certain Advanced Analytics settings so you can search for Data Lake logs from a Smart Timelines™ event.

If you have a cloud-delivered product offering, ensure that you configure Data Lake as a log source.

Investigate

Ensure you have the tools you need, like tasks and incident types, to investigate the evidence you collect from log sources, rules, and models.

Case Manager Incident Type

In Case Manager, ensure that you have the out-of-the-box Account Manipulation incident type, or create one if it isn't available out-of-the-box in your Exabeam version. Ensure the incident type has all corresponding incident fields.

Case Manager Tasks and Phases

In Case Manager, define a clear response plan to ensure everyone across your organization responds to an Account Manipulation incident consistently. Under each phase, prescribe the relevant tasks for investigating, containing, and remediating an Account Manipulation incident.

The out-of-the-box Account Manipulation incident type comes with suggested phases and tasks. If you don't have the out-of-the-box Account Manipulation incident type, create the following suggested phases and tasks for your custom Account Manipulation incident type.

Phase: Detection & Analysis

  1. Task name – Identify suspicious activity

    Task instruction:

    • Determine whether anyone created or modified accounts in a risky or anomalous way.

    • Determine whether anyone modified groups or permissions in a risky or anomalous way. In Active Directory, a user can gain many rights through group membership or inherited permissions.

    • If there are risky and anomalous account, group, or permission changes, find evidence that someone is using or misusing those rights.

    • Based on the privileged account's rights, possible systems involved, and potential data accessed, determine what this suspicious activity impacts.

  2. Task name – Review the user's profile

    Task instruction:

    • Determine which user, account or group was created or modified.

    • Determine if the account or group is privileged. If it is, complete the tasks for privileged activity incidents.

    • Determine if the activity on the account is consistent with the account's intended function and role.

    • Determine if any tickets approved this activity.

  3. Task name – Analyze and scope

    Task instruction:

    • Determine what systems, like workstations and servers, are involved.

    • Determine if the potentially impacted systems are critical business or infrastructure systems.

    • Determine if the systems involved contain critical, confidential, restricted, or controlled information.

    • Retrospectively search for and identify other potentially impacted systems, accounts, or groups.

    • Determine when the anomalous activity started.

    • Find evidence that the account is compromised. If you find evidence, determine who compromised the account.

    • Determine if the attacker could use the same vulnerability again to compromise another account or system.

  4. Task name – Proactively monitor impacted users and systems

    Task instruction – Add the systems and users to a watchlist to proactively monitor them.

  5. Task name – Reassess the severity of the incident

    Task instruction – If appropriate, edit the incident priority.

Phase: Containment

  1. Task name – Tell the SOC Manager about the incident

    Task instruction:

    • If needed, inform your SOC Manager of the incident and include the incident's expected start and end date.

    • Determine whether additional team members or teams, like HR, Legal, or Physical Security, must get involved.

  2. Task name – Determine adequate response measures to contain the threat

    Task instruction:

    • Disable the accounts that made unauthorized changes.

    • Quarantine systems to prevent anybody from accessing them. Inform any business and asset owners as needed.

    • For any suspicious accounts, ensure their access is disabled, including access to VPN or SSO.

Phase: Eradication

  1. Task name – Preserve logs for impacted systems and users

    Task instruction:

    • Retrieve and preserve Data Lake logs associated with the user from the expected start to the present.

    • Upload the Data Lake logs to the incident.

    • If there's possible nefarious intent, obtain a forensic image of the system or isolate the physical machine from the network.

  2. Task name – Remediate

    Task instruction – Manually remove remnants like files, Microsoft registry keys, and autostart services, or re-image the impacted systems using the latest enterprise image and updated software patches.

Phase: Recovery

  1. Task name – Proactively check systems

    Task instruction:

    • Validate systems are running as expected.

    • Analyze and review accounts for suspicious activity.

    • Ensure security monitoring tools are installed on the endpoint.

  2. Task name – Implement relevant global security measures

    Task instruction:

    • Implement security measures to prevent a similar incident from happening.

    • Depending on the risk and if it's appropriate, separate rights into multiple privileged accounts.

    • Add additional controls or monitoring to the affected privileged accounts.

Phase: Post-Incident Activity

  1. Task name – Update documentation

    Task instruction:

    • Ensure the incident contains documentation of all relevant events and actions taken.

    • Identify methods to improve the team’s response to future incidents.

  2. Task name – Hold post-mortem meeting

    Task instruction:

    • Meet with your team. Review the incident and lessons learned.

    • Document and track administrative and technical gaps identified during the incident.

Case Manager Incident Email Communication

To collaborate on an incident with people across your organization, ensure that you configure incident email communication.

Respond

Enable response mechanisms you need to isolate, neutralize, eliminate, and mitigate any threats you find.

In Incident Responder, create triggers for all turnkey playbooks.

Report

To share your investigation with others or for compliance purposes, ensure you have the relevant out-of-the-box Data Lake reports:

  • Exabeam - Access Grant and Revoke Activity

  • Exabeam - Account Management Activity

  • Exabeam - Default Account Access

  • Exabeam - Policy Activity Summary

  • Exabeam - Unix User Privilege Elevation

  • Exabeam - User Account Creation Summary

  • Exabeam - Windows User Privilege Elevation