User Account Control

The Anomaly Detection using Sigma rules component provides user account control functionality through the predefined Sigma rules collection named Rules collection for User Account Control (UAC) logs analysis.

The collection of Sigma rules covers the following events: adding a new user, adding a user to the administrators group, user privilege elevation, user login, user login attempt, and user logout.

For the list of IDs, see the table below.

The behavior of the application depends on whether the computer belongs to a domain or not:

To enable user account control:

  1. In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
  2. Click the name of the Kaspersky Industrial CyberSecurity for Nodes policy.

    The policy properties window opens.

  3. Select the Application settings tab.
  4. In the Anomaly Detection using Sigma rules section, click Add.

    The Adding a rules collection window opens.

  5. In the Choose a rules collection drop-down list, select the Rules collection for User Account Control (UAC) logs analysis Sigma rule collection.
  6. Click OK.

When a Sigma rule from the collection triggers, the application generates an event and sends it to Kaspersky Security Center and Kaspersky Industrial CyberSecurity for Networks.

IDs of events in the collection of User Account Control Sigma rules

| Event | Windows XP | Windows 7 and later |
|---|---|---|
| Adding a new user | 624 | 4720 |
| Adding a user to the administrators group | 632, 636, 660 | 4728, 4732, 4756 |
| User privilege elevation | 576, 633, 637, 639, 641, 659, 661 | 4729, 4733, 4735, 4737, 4755, 4757, 4672, 4964 |
| User login | 528, 540 | 4624 |
| User login attempt | 529, 530, 531, 532, 533, 534, 535, 536, 537, 539 | 4625 |
| User logout | 538 | 4634 |
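As an added example (not code from the Kaspersky documentation and not a rule from the product's collection), the following Python script shows what a Sigma-style matcher over the event IDs in the table above looks like in practice: it builds one rule per event category covering both the Windows XP and Windows 7 and later ID ranges, evaluates the rules over constructed Windows Security log records, and adds a small defender-side correlation that flags accounts that were created and then added to the administrators group. The key=value log format, the sample records and the function names (`sigma_rules`, `classify`, `new_accounts_made_admin`) are assumptions made for the example.

```python
"""
Added example, not part of the Kaspersky Industrial CyberSecurity for Nodes
documentation or its Sigma rule collection. Maps the Windows Security event
IDs from the documentation table to the same event categories and runs a
minimal Sigma-style evaluation over constructed log records.
"""
from collections import Counter

# Event IDs exactly as listed in the documentation table:
# category -> (Windows XP IDs, Windows 7 and later IDs)
UAC_EVENT_IDS = {
    "Adding a new user": ({624}, {4720}),
    "Adding a user to the administrators group": ({632, 636, 660}, {4728, 4732, 4756}),
    "User privilege elevation": ({576, 633, 637, 639, 641, 659, 661},
                                 {4729, 4733, 4735, 4737, 4755, 4757, 4672, 4964}),
    "User login": ({528, 540}, {4624}),
    "User login attempt": ({529, 530, 531, 532, 533, 534, 535, 536, 537, 539}, {4625}),
    "User logout": ({538}, {4634}),
}


def sigma_rules():
    """Build one Sigma-style rule per category (title, logsource, detection with a
    single 'selection' over EventID, condition). These rules are constructed for
    the example; they are not the product's rules."""
    rules = []
    for title, (legacy, modern) in UAC_EVENT_IDS.items():
        rules.append({
            "title": title,
            "logsource": {"product": "windows", "service": "security"},
            "detection": {
                "selection": {"EventID": sorted(legacy | modern)},
                "condition": "selection",
            },
        })
    return rules


def matches(rule, event):
    """Evaluate a rule whose condition is a single 'selection': every field in
    the selection must match the event; a list value means any-of."""
    for field, expected in rule["detection"]["selection"].items():
        value = event.get(field)
        if isinstance(expected, list):
            if value not in expected:
                return False
        elif value != expected:
            return False
    return True


def classify(events, rules=None):
    """Return (category, event) pairs for every rule hit, in log order."""
    rules = rules or sigma_rules()
    return [(r["title"], ev) for ev in events for r in rules if matches(r, ev)]


def parse_line(line):
    """Parse one constructed 'key=value key=value' record; EventID becomes int."""
    event = {}
    for token in line.split():
        key, _, val = token.partition("=")
        event[key] = int(val) if key == "EventID" else val
    return event


# Constructed sample records (not real log data): one modern host, one XP host,
# plus an unrelated object-access event that no rule should match.
SAMPLE_LOG = """\
EventID=4624 Computer=WS01 TargetUserName=operator
EventID=4720 Computer=WS01 TargetUserName=svc_temp SubjectUserName=operator
EventID=4732 Computer=WS01 TargetUserName=svc_temp GroupName=Administrators
EventID=4672 Computer=WS01 SubjectUserName=svc_temp
EventID=4634 Computer=WS01 TargetUserName=operator
EventID=632 Computer=LEGACY-XP TargetUserName=svc_temp
EventID=4663 Computer=WS01 ObjectName=secret.txt
"""


def load_events(log_text):
    """Parse every non-empty line of a log text into an event dict."""
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def summarize(log_text):
    """Count rule hits per category over a whole log text."""
    return Counter(category for category, _ in classify(load_events(log_text)))


def new_accounts_made_admin(events, rules=None):
    """Correlation on top of the per-event rules: TargetUserName values that were
    created (Adding a new user) and later added to the administrators group."""
    created, escalated = set(), []
    for category, ev in classify(events, rules):
        user = ev.get("TargetUserName")
        if category == "Adding a new user":
            created.add(user)
        elif (category == "Adding a user to the administrators group"
              and user in created and user not in escalated):
            escalated.append(user)
    return escalated


if __name__ == "__main__":
    for category, ev in classify(load_events(SAMPLE_LOG)):
        print(f"{category}: {ev}")
    print("created-then-admin:", new_accounts_made_admin(load_events(SAMPLE_LOG)))
```

The per-event rules only tell an analyst which category an ID belongs to; the `new_accounts_made_admin` correlation is the kind of follow-up a detection engineer would layer on the collection's events, since a freshly created account that lands in the administrators group on the same host is usually worth a ticket even when each individual event is routine.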
