Prerequisites to simulate Ransomware correlation rule in EventLog Analyzer

Prerequisites to simulate Ransomware correlation rule in EventLog Analyzer

Prerequisites to simulate Ransomware correlation rule in EventLog Analyzer:

1) Ensure to add the target machine inside EventLog Analyzer(Product Configuration):
On adding a windows device, the default monitoring interval time is set to "10 minutes" for Windows devices. Execute the below steps to change the monitoring interval to "realtime".
Refer: How to change the monitoring interval? in the above link.

2) Enable the below audit polices and apply SACL on all the target machines(Environmental):

Pushing audit policies/SACL via GPO:
Steps to configure any advanced audit policy setting:   
Setting an advanced audit policy requires administrator-level account permissions or the appropriate delegated permissions.
  • From the Domain Controller, click Start, point to Administrative Tools, and then Group Policy Management.
  • From the console tree, click the name of your forest > Domains > your domain, then right-click on the relevant Default Domain or Domain Controllers Policy (or create your own policy), and then click Edit.
  • Under Computer Configuration, click Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy, then double-click on the policy setting
"Object Access" -> Enable Success  for the SubCategory "Audit File System"
"Detailed Tracking" -> Enable Success for the SubCategory "Audit Process Creation"
  • Click on "Ok" to save the changes.
 
Force advanced audit policies  
When using advanced audit policies, ensure that they are forced over legacy audit policies.
  • Enable Force audit policy subcategory settings in <YourGPOPolicy>
  • Navigate to Computer Configuration > Windows Settings > Security Settings > Local Polices > Security Options > Audit: Force audit policy subcategory settings (Windows Vista or later) to override the audit policy category settings.
 
Steps to configure Folder level auditing permissions:
  • Go to Computer Configuration > Policies > Windows Settings >Security Settings and right-click File System> Add File. The ‘Add a file or folder’ dialog box will display.
  • Locate the folder or file you want to assign permissions to and click on it. Now press OK.
  • Click on "Advanced" -> "Auditing" -> Add -> Enable Create and Delete Permissions.
  • Click on Ok -> Apply -> Ok.
 
Reference Screenshots:
 
 
Security Filtering: To add the target machines for whom these policies/SACL needs to be pushed.
  • Select the appropriate GPO which you have created and navigate to "Security Filtering". Under "Security Filtering", Click Add and Choose the Security group/computers to push the changes.
 
3) Please enforce the policy and check the target machine to confirm if the required policies are in place.
  • On the target machine, open a cmdprompt with admin mode > type the below command to check the status,
 
auditpol /get /category:*
Check if the below highlighted audit policies are enabled:
 
Also, confirm if the required SACL's are in place. Manually access the folder's properties -> Advanced -> Auditing to confirm the same,
 

 
Permissions Enabled: Create / Delete Function

4) If point 3 is true, then whenever there's a ransomware pattern created, the relevant logs from Event viewer will be captured by EventLog Analyzer to trigger an alert or notification.
Reference:

(Docx and PDF file attached)



Reference Ticket ID: #6666173
Note: We got confirmation from the client that the steps were implemented successfully.
 
 
 
        New to M365 Manager Plus?
        New to M365 Manager Plus?
          New to RecoveryManager Plus?
          New to RecoveryManager Plus?
            New to Exchange Reporter Plus?
            New to Exchange Reporter Plus?
              New to SharePoint Manager Plus?
              New to SharePoint Manager Plus?
                  See all integrations
                  New to ADManager Plus?
                  See all integrations
                  New to ADManager Plus?

                    New to ADSelfService Plus?

                    Start your free trial
                    Start your free trial

                      • Related Articles

                      • Introduction to EventLog Analyzer

                        What is log management?  An enterprise network consists of different entities—perimeter devices, workstations, servers, applications, and more. Each entity records every activity that unfolds within it in the form of logs. These logs hold information ...

                      • Enabling historic log collection in EventLog Analyzer

                        EventLog Analyzer collects all the logs present in the Windows Event Viewer (i.e., Windows Logs > Application, Security, System) when the historic log collection option is enabled. To enable historic log collection, follow the steps below: Navigate ...

                      • How to upgrade the EventLog Analyzer Agent?

                        Usually, an agent upgrade would happen automatically if the credentials provided for agents under the "Manage agents" section are valid or has the appropriate rights for accessing services or logs in the agent machine. However, in recent builds ...

                      • How to deploy EventLog Analyzer as a service?

                        EventLog Analyzer as a service can be deployed in two ways:   Via the command prompt: Establish a remote connection with the server where EventLog Analyzer is installed. Open the command prompt with Admin privileges. Navigate to ...

                      • How to backup and restore an EventLog Analyzer instance?

                        Backup Process: IMPORTANT: A backup of EventLog Analyzer should not be taken when the instance is running. Stop the ManageEngine EventLog Analyzer service. Open a command prompt with admin privileges. Navigate to <dir>:\ManageEngine\EventLog ...

                        Related Products