This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Account missuse

TomvanGessel
Beginner
Beginner

‎2017-07-03 10:16 AM

I'm trying to create an alert and report for situation where a user is changing his privileges by impersonating another user/account.  We  have alert/ on users going in as a service account or misusing  a colleagues account.

I was hoping to  use a query as usr.src != usr.dst  but this does not seem to work as the syntax does not allow this

How can i do this.

0 Likes
2 REPLIES 2

Anonymous
Not applicable

‎2017-07-03 10:52 AM

Tom,

 

Unfortunately, when working with queries, you can't do a comparison of two keys.  They would have to be against values like "user.src = 'jsmith' && user.dst !='jsmith'".

 

However, you could do this with a Lua parser to compare the values.  Please note there may be legitimate reasons for this activity such as when accounts get created, etc.  Furthermore, usernames might come across differently based on the event sources.  Some logs may have the full domain such as 'EVILCORP\jsmith' or 'jsmith@evilcorp.com'.  Some may have the source in one format and the dest in another.

 

Below is a quick parser that I wrote up after reading the post.  It would need to be tested first to see if it lines up with your use-cases.  Would likely need to be tuned to your environment but could be something to get you started.

 

account_diff.lua

*******************

-- Step 1 - Create parser
local lua_account_diff = nw.createParser("lua_account_diff", "Detect differences in account usage")

--[[
DESCRIPTION

Detect differences in account usage


VERSION

2017-07-03 - Initial development


AUTHOR

christopher.ahearn@rsa.com


DEPENDENCIES

None

--]]

-- Step 2 - Define meta keys to write meta into
-- declare the meta keys we'll be registering meta with
lua_account_diff:setKeys({
nwlanguagekey.create("ioc", nwtypes.Text),
})

-- Step 4 - Do SOMETHING once your token matched
-- Reset global variables at the beginning of a session.
function lua_account_diff:sessionBegin()
usersrc = nil
userdst = nil
end

function lua_account_diff:userSRC(index,user)
if user == userdst then
nw.createMeta(self.keys["ioc"], "usersrc_not_userdst")
else
usersrc = user
end
end

function lua_account_diff:userDST(index,user)
if user == usersrc then
nw.createMeta(self.keys["ioc"], "usersrc_not_userdst")
else
userdst = user
end
end

-- Step 3 - Define tokens that get you close to what you want
-- declare what tokens and events we want to match.
-- These do not have to be exact matches but just get you close to the data you want.
lua_account_diff:setCallbacks({
[nwevents.OnSessionBegin] = lua_account_diff.sessionBegin,
[nwlanguagekey.create("user.src", nwtypes.Text)] = lua_account_diff.userSRC,
[nwlanguagekey.create("user.dst", nwtypes.Text)] = lua_account_diff.userDST,
})

*******************

EricPartington
Employee
Employee

‎2017-07-04 09:15 AM

If you have ESA and are at 10.6.3+ then you can use a comparison between two values to get what you are looking for.

 

In the ESA Alert window when you create rule entries you can use the correlation type and then add the two meta values  to compare in the following two columns to get the comparison that you are looking for.

© 2022 RSA Security LLC or its affiliates. All rights reserved.