Summary
This rule watches for user accounts that are deleted on Windows servers. It triggers whenever a Windows server or domain controller reports that a local or domain user account has been deleted.
Goal | Identifying user accounts that are deleted on Windows servers. |
Trigger | Alert in case of receiving an event from Windows servers indicating that a local/domain user account is deleted. |
Event Sources | Domain Controllers, Windows Servers |
Rule Conditions
The rule triggers only when all of the following conditions are satisfied. The conditions differ between Windows 2003 and Windows 2008 because the two versions log an account deletion under different security event IDs (630 on Windows 2003, 4726 on Windows 2008), as illustrated in Figures 1 and 2.
Condition | Type | Description |
Windows Connector | Filter | This filter is used to limit this rule to Windows connectors. |
Device Event Class ID | Field-based | Device Event Class ID is the value the ArcSight SmartConnector assigns to each event from its original Windows event ID. This condition ensures that the rule is triggered only by events that report an account deletion, not by other account-management events such as account creation. |
Rule Aggregation
This rule detects the single event of an account deletion in Windows. As a result, it does not require event aggregation and triggers once for every event that meets the rule conditions. However, the following fields should be added to the list of identical fields for aggregation so that the correlated event preserves their values (the message action below relies on the user-name fields being present).
Destination Address, Destination Host Name, Destination User Name, Source User Name, Destination Zone, Source Host Name, Destination Zone Resource, Source Address, Source Zone, Source Zone Resource
Rule Actions
Once this rule triggers, it executes the following actions as indicated in Figure 3:
1. Set the values of data fields in the correlated event that the rule generates. The following table lists the data fields that are modified in the correlated event.
Data Field | Updated Value | Description |
priority | 8 | This overwrites the event priority with 8. |
message | The $destinationUserName user account is deleted by $sourceUserName. | $destinationUserName refers to the destination username (the deleted account) and $sourceUserName refers to the source username (the account that performed the deletion). So, the final value of the message field would be something like "The test user account is deleted by Administrator." |
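The following is an added example, not ArcSight content or part of the original rule package: a small Python re-implementation of the rule's conditions and actions run over constructed CEF lines, so the filter, the preserved identical fields, the priority override and the message template can be checked end to end. It assumes the "Windows Connector" filter can be expressed as a device vendor/product match, that the connector's Device Event Class ID carries the Windows event ID after the last colon (e.g. "Security:4726"), and a CEF-key-to-ArcSight-field mapping for the identical fields; the sample lines and host/user names are constructed.

```python
import re

# Windows security event IDs for "user account deleted":
# 630 on Windows 2003, 4726 on Windows 2008 and later.
ACCOUNT_DELETED_IDS = {"630", "4726"}

# Identical fields from the rule's aggregation settings, mapped to the CEF
# extension key that carries them (assumed mapping). Zone fields are computed
# by ArcSight and have no CEF key, so they are passed through only if present.
IDENTICAL_FIELDS = {
    "destinationAddress": "dst",
    "destinationHostName": "dhost",
    "destinationUserName": "duser",
    "sourceUserName": "suser",
    "sourceHostName": "shost",
    "sourceAddress": "src",
    "destinationZone": "destinationZone",
    "destinationZoneResource": "destinationZoneResource",
    "sourceZone": "sourceZone",
    "sourceZoneResource": "sourceZoneResource",
}

# key=value pairs; a value runs until the next " key=" or end of line.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Split one CEF line into its header fields plus the extension key=value pairs."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    ev = {
        "deviceVendor": parts[1],
        "deviceProduct": parts[2],
        "deviceVersion": parts[3],
        "deviceEventClassId": parts[4],
        "name": parts[5],
        "severity": parts[6],
    }
    ev.update(dict(_EXT_RE.findall(parts[7])))
    return ev


def is_windows_connector_event(ev):
    """Condition 1 ("Windows Connector" filter), assumed here to be a vendor/product match."""
    return ev["deviceVendor"] == "Microsoft" and ev["deviceProduct"] == "Microsoft Windows"


def windows_event_id(ev):
    """Extract the Windows event ID from the Device Event Class ID (assumed "Prefix:ID" or bare ID)."""
    return ev["deviceEventClassId"].rsplit(":", 1)[-1]


def matches_rule(ev):
    """Condition 2 (Device Event Class ID) combined with the connector filter."""
    return is_windows_connector_event(ev) and windows_event_id(ev) in ACCOUNT_DELETED_IDS


def correlate(ev):
    """Rule actions: keep the identical fields, set priority 8, fill the message template."""
    correlated = {arc: ev.get(cef) for arc, cef in IDENTICAL_FIELDS.items()}
    correlated["priority"] = 8
    correlated["message"] = (
        f"The {correlated['destinationUserName']} user account is deleted "
        f"by {correlated['sourceUserName']}."
    )
    return correlated


def run_rule(lines):
    """No aggregation: one correlated event per base event that satisfies the conditions."""
    return [correlate(ev) for ev in map(parse_cef, lines) if matches_rule(ev)]


# Constructed sample events (not real logs).
SAMPLE_LINES = [
    # Windows 2008 domain controller: account "test" deleted by Administrator -> fires
    "CEF:0|Microsoft|Microsoft Windows|2008|Security:4726|A user account was deleted.|Low|"
    "dhost=DC01 dst=10.0.0.5 duser=test suser=Administrator shost=DC01 src=10.0.0.5",
    # Windows 2003 member server: legacy event ID 630 -> fires
    "CEF:0|Microsoft|Microsoft Windows|2003|Security:630|User Account Deleted|Low|"
    "dhost=SRV03 dst=10.0.0.9 duser=svc_backup suser=Administrator",
    # Account creation (4720) from the same connector -> must not fire
    "CEF:0|Microsoft|Microsoft Windows|2008|Security:4720|A user account was created.|Low|"
    "dhost=DC01 duser=newuser suser=Administrator",
    # Non-Windows device whose signature ID happens to be 4726 -> dropped by the connector filter
    "CEF:0|Unix|Unix|1.0|4726|syslog noise|Low|dhost=lnx01 duser=root suser=root",
]

if __name__ == "__main__":
    for c in run_rule(SAMPLE_LINES):
        print(c["priority"], c["message"])
```

The fourth sample line is the reason the connector filter is not redundant: without it, any device whose signature ID collides with a Windows event number would raise a priority-8 "account deleted" alert.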