2017-07-03 10:16 AM
I'm trying to create an alert and report for a situation where a user is changing his privileges by impersonating another user/account. We have alerts on users going in as a service account or misusing a colleague's account.
I was hoping to use a query such as usr.src != usr.dst, but this does not seem to work as the syntax does not allow this.
How can I do this?
2017-07-03 10:52 AM
Tom,
Unfortunately, when working with queries, you can't do a comparison of two keys. They would have to be against values, like "user.src = 'jsmith' && user.dst != 'jsmith'".
However, you could do this with a Lua parser to compare the values. Please note there may be legitimate reasons for this activity, such as when accounts get created, etc. Furthermore, usernames might come across differently based on the event sources. Some logs may have the full domain, such as 'EVILCORP\jsmith' or 'jsmith@evilcorp.com'. Some may have the source in one format and the dest in another.
Below is a quick parser that I wrote up after reading the post. It would need to be tested first to see if it lines up with your use cases. It would likely need to be tuned to your environment, but it could be something to get you started.
account_diff.lua
*******************
-- Step 1 - Create parser
local lua_account_diff = nw.createParser("lua_account_diff", "Detect differences in account usage")
--[[
DESCRIPTION
Detect differences in account usage
VERSION
2017-07-03 - Initial development
AUTHOR
DEPENDENCIES
None
--]]
-- Step 2 - Define meta keys to write meta into
-- declare the meta keys we'll be registering meta with
lua_account_diff:setKeys({
    nwlanguagekey.create("ioc", nwtypes.Text),
})
-- Step 4 - Do SOMETHING once your token matched
-- Reset global variables at the beginning of a session so values from a
-- previous session are never compared against the current one.
function lua_account_diff:sessionBegin()
    usersrc = nil
    userdst = nil
end
-- Called for each user.src value seen in the session. If user.dst has already
-- been seen and differs, write the ioc meta; either way remember this user.src.
function lua_account_diff:userSRC(index, user)
    if userdst ~= nil and user ~= userdst then
        nw.createMeta(self.keys["ioc"], "usersrc_not_userdst")
    end
    usersrc = user
end
-- Called for each user.dst value seen in the session. Same logic in the other
-- direction, so the order in which the two keys arrive does not matter.
function lua_account_diff:userDST(index, user)
    if usersrc ~= nil and user ~= usersrc then
        nw.createMeta(self.keys["ioc"], "usersrc_not_userdst")
    end
    userdst = user
end
-- Step 3 - Define tokens that get you close to what you want
-- declare what tokens and events we want to match.
-- These do not have to be exact matches but just get you close to the data you want.
lua_account_diff:setCallbacks({
    [nwevents.OnSessionBegin] = lua_account_diff.sessionBegin,
    [nwlanguagekey.create("user.src", nwtypes.Text)] = lua_account_diff.userSRC,
    [nwlanguagekey.create("user.dst", nwtypes.Text)] = lua_account_diff.userDST,
})
*******************
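The caveat in the answer above (the same account arriving as 'EVILCORP\jsmith' in one key and 'jsmith@evilcorp.com' in the other) is the part most likely to produce false positives. The following is an added example, not code from the thread or a NetWitness parser: a standalone Python model of the compare-and-flag logic with a normalization step in front of it, run over constructed event pairs. The assumption that the domain part can be dropped before comparing is mine, not the thread's.

```python
# Constructed sample events: (user.src, user.dst) pairs in the formats
# different event sources might emit. None means the key was absent.
SAMPLE_EVENTS = [
    ("jsmith", "jsmith"),                        # same account, same format
    ("EVILCORP\\jsmith", "jsmith@evilcorp.com"),  # same account, two formats
    ("jsmith", "svc_backup"),                    # different accounts: flag
    ("bjones", None),                            # user.dst missing: no comparison
    ("EVILCORP\\bjones", "jsmith"),              # different accounts: flag
]


def normalize_user(raw):
    """Reduce DOMAIN\\user, user@domain and bare user to a lower-cased
    account name. Assumption (not from the thread): the domain part is
    not significant for the comparison."""
    if raw is None:
        return None
    name = raw.strip()
    if "\\" in name:                      # DOMAIN\user
        name = name.rsplit("\\", 1)[1]
    if "@" in name:                       # user@domain
        name = name.split("@", 1)[0]
    return name.lower() or None


def account_diff(user_src, user_dst):
    """Return the ioc meta value the parser would write, or None.
    Mirrors the parser: no meta unless both keys were seen and differ."""
    src, dst = normalize_user(user_src), normalize_user(user_dst)
    if src is None or dst is None:
        return None
    return "usersrc_not_userdst" if src != dst else None


def run(events):
    """Return the original (user.src, user.dst) pairs that produced meta."""
    return [(s, d) for s, d in events if account_diff(s, d)]


if __name__ == "__main__":
    for s, d in run(SAMPLE_EVENTS):
        print(f"ioc=usersrc_not_userdst user.src={s!r} user.dst={d!r}")
```

Without normalize_user, the second sample pair would be flagged as well, which is exactly the noise the answer warns about.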
2017-07-04 09:15 AM
If you have ESA and are at 10.6.3+, then you can use a comparison between two values to get what you are looking for.
In the ESA Alert window, when you create rule entries, you can use the correlation type and then add the two meta values to compare in the following two columns to get the comparison that you are looking for.