Hi all.
This rule has been driving me crazy for a while now, and the teams working on it too.
Just looking for a way to track standard commands for user and/or group modifications.
I tried using the built-in syslog keys [index="*" sourcetype="syslog" (key=user_modification OR key=group_modification OR key=etcgroup OR key=etcpasswd)]
and, while this works, it throws up so many false positives, such as users whose password is changed by CyberArk.
Has anyone had a similar issue, and how did you best fix/monitor it?
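Added example, not part of the original post: one way to keep the alert but narrow the exclusion. It parses constructed auditd-style records carrying the same keys the search matches on, and suppresses only events where the acting login UID and executable match the password-rotation tool; the UID 3001 and the /usr/bin/passwd path are assumptions, and every other change on those keys still alerts.

```python
import re

# Constructed sample events (not from the original post): auditd-style records
# tagged with the keys the search in the post matches on.
SAMPLE_EVENTS = [
    'type=USER_CHAUTHTOK msg=audit(1700000000.101:11): pid=4102 uid=0 auid=3001 ses=7 '
    'msg=\'op=PAM:chauthtok acct="appsvc" exe="/usr/bin/passwd" res=success\' key="user_modification"',
    'type=SYSCALL msg=audit(1700000000.205:12): arch=c000003e syscall=257 success=yes '
    'uid=0 auid=1004 ses=9 exe="/usr/sbin/usermod" key="etcpasswd"',
    'type=SYSCALL msg=audit(1700000000.310:13): arch=c000003e syscall=257 success=yes '
    'uid=0 auid=1004 ses=9 exe="/usr/sbin/groupmod" key="etcgroup"',
    'type=USER_CHAUTHTOK msg=audit(1700000000.412:14): pid=4110 uid=0 auid=3001 ses=7 '
    'msg=\'op=PAM:chauthtok acct="dbsvc" exe="/usr/bin/passwd" res=success\' key="user_modification"',
    # An admin resetting a password by hand: same exe, different auid, so it must alert.
    'type=USER_CHAUTHTOK msg=audit(1700000000.500:15): pid=4120 uid=0 auid=1004 ses=9 '
    'msg=\'op=PAM:chauthtok acct="jdoe" exe="/usr/bin/passwd" res=success\' key="user_modification"',
]

MONITORED_KEYS = {"user_modification", "group_modification", "etcgroup", "etcpasswd"}

# Hypothetical values: the login UID the privileged-access tool rotates passwords under,
# and the binary it uses. Both depend on the deployment and are assumptions here.
ROTATION_AUIDS = {"3001"}
ROTATION_EXES = {"/usr/bin/passwd"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Flatten key=value pairs into a dict, stripping surrounding quotes.
    Fields inside the nested msg='...' section are picked up too."""
    return {k: v.strip('"\'') for k, v in FIELD_RE.findall(line)}

def is_expected_rotation(ev):
    """Match only the narrow, known-good pattern: rotation UID + rotation binary + success."""
    return (ev.get("auid") in ROTATION_AUIDS
            and ev.get("exe") in ROTATION_EXES
            and ev.get("res") == "success")

def triage(lines):
    """Return (alerts, suppressed) for events on the monitored keys."""
    alerts, suppressed = [], []
    for line in lines:
        ev = parse_event(line)
        if ev.get("key") not in MONITORED_KEYS:
            continue
        (suppressed if is_expected_rotation(ev) else alerts).append(ev)
    return alerts, suppressed

if __name__ == "__main__":
    hits, quiet = triage(SAMPLE_EVENTS)
    print(f"{len(hits)} alerts, {len(quiet)} suppressed rotations")
```

Logging the suppressed count alongside the alerts keeps a record that the rotation tool is still active, so a drop to zero is itself worth noticing.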