Monitoring Groups and Users

• Purpose: Ensure comprehensive visibility and security monitoring for critical user groups (Privileged, VIP, and Sensitive) within the Active Directory environment.

• Why: Identify unmonitored groups to activate enhanced security protocols. Classifying these users allows the SIEM to apply extra designated detection rules specific to each group's unique risk profile

Quick Guide

• Monitoring Groups

• The Risk Factor

• Objectives

• Actions

• Conclusion

• Troubleshooting

Detailed Guide

Overview

This use case establishes a framework for identifying and tracking high-risk Active Directory groups. Through tactical classification of these assets, the SOC can establish specific behavioral norms, and ensure that alerts involving these groups receive immediate, high-priority attention.

Monitoring Groups

Notably, default Windows administrative groups are pre-integrated into this monitoring scope.

1️⃣ VIP USERS

• Persona: C-Level (CEO, CFO), Board Members, and High-Visibility Directors.

• Objective: Prevent data leakage and account takeover.

• List:
  /All Active Lists/Mobula/Enrichment & Inventory/Users/Users in Groups/VIP Users Accounts-Multi

• Detection Rules:

  • Avanan - Phishing to VIP User

  • Account from VIP Group Change Password

  • Account from VIP Group Locked Out

  • Account from VIP Group Disabled

  • Account from VIP Group Deleted

2️⃣ PRIVILEGED USERS

• Persona: Domain Admins, DevOps, IT Support, and Service Accounts.
  Objective: Prevent Domain Dominance and unauthorized infrastructure changes.

• List:
  /All Active Lists/Mobula/Enrichment & Inventory/Users/Users in Groups/Privilege Users Accounts-Multi

• Detection Rules:

  • Multiple Failed Logins by Privileged User

  • Interactive Login by Privileged User

  • Privileged Account Password Changed

  • Privileged Account Locked Out

  • Privileged Account Disabled

  • Privileged Account Deleted

  • Privilege SeMachineAccountPrivilege Abuse

3️⃣ MONITORED USERS 

• Persona: Contractors, users under HR investigation, or accounts with temporary high-risk access (Users of Interest).

• Objective: Close observation of "at-risk" identities.

• List:
  /All Active Lists/Mobula/Enrichment & Inventory/Users/Users in Groups/Monitored Users Accounts-Multi

• Detection Rules:

  • Account from Monitoring Group Change Password

  • Account from Monitoring Group Disabled

  • Account from Monitoring Group Deleted

The Risk Factor

Groups in Active Directory are the primary mechanism for granting access. Attackers target these groups to:

1. Escalate Privileges: Adding a user to a privileged group is a common persistence technique (MITRE ATT&CK T1098).

2. Lateral Movement: Using compromised credentials of a group member to access restricted servers.

3. Data Exfiltration: Accessing sensitive files available only to specific departments.

Objectives

• Enhanced Visibility:
  Ensure every addition, removal, or modification to a sensitive group triggers an alert.

• Behavioral Monitoring:
  Detect anomalous logins or process executions by members of these groups.

Actions 

• Verify data collection via the ADEnrichment tool, to see the status of the ADE data -
  /All Active Lists/Mobula/Enrichment & Inventory/Groups/ADE Group Last Status 

• Add users to monitor group manually -
  
  

1. Locate Connector Server: Access the server designated for connectors.

2. Open Cygent: Right-click the Cyray logo in the bottom-right taskbar.

3. Navigate to Configs: Select Configs and then choose ADE Groups.

4. Edit CSV: A CSV Editor will open. Add the GroupName and GroupType.

3. • Accepted Types: Privileged, VIP, or Monitored.

   • Example: To monitor VPN access, add the group name (e.g., "VPN_Users") and set the type to Privileged

5. Save: Use "Save Current File" to apply changes.

Conclusion

Effective security monitoring begins with knowing who and what to watch. By proactively defining and maintaining a list of Monitoring Groups via Active Directory, the SOC gains the context needed to distinguish between a routine IT task and a critical security breach. Implementing this use case ensures that the organization's most powerful and sensitive accounts are never left unguarded.

Troubleshooting

• Groups not updating:
  Ensure the groups.csv file in C:\Program Files\CyRay\ADEnrichment is being populated correctly by the script.

• For any problem, you can contact us at mobulasupport@cyray.io.