2013-12-10 04:12 PM
I want to create a correlation rule on my log decoder to find failed RSA authentications from 1 source using multiple user IDs within 5 minutes.
Here's what I've got for my correlation rule:
Condition: event.cat.name=auth.failures && device.type=rsaacesrv
Threshold: u_count(user.dst)>2
InstanceKey: ip.src
Time Window: 5 minutes
When I validate the rule I get "There was an unspecified error parsing the rule."
When I try to apply the rule I get "threshold field error. Expect: thresh=op-string(key-string)>value[mb|kb|gb]"
OK, it doesn't like that. I added user.dst to the Instance Key so that this is what my rule looked like:
Condition: event.cat.name=auth.failures && device.type=rsaacesrv
Threshold: u_count(user.dst)>2
InstanceKey: ip.src, user.dst
Time Window: 5 minutes
When I validate the rule I get "There was an unspecified error parsing the rule." again.
When I try to apply the rule I get a different error: "Correlation compound keys must have the same format for both elements. Key ip.src format IPv4 is not the same as key user.dst format Text."
I don't think I'm understanding properly what Condition, Threshold, and Instance Key are specifying in any given Correlation Rule. Can anyone help me out?
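The detection the first post describes, as an added example that is not part of this thread or of the RSA product: a sliding-window count of unique `user.dst` per `ip.src` over constructed sample events, so that the rule's Condition, Threshold and Instance Key can each be seen doing their job outside the rule editor. Field names mirror the meta keys in the rule; the events are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # the rule's Time Window
THRESHOLD = 2                   # u_count(user.dst) > 2 fires the alert

# Constructed sample events (not real RSA logs): time, event.cat.name, device.type, ip.src, user.dst
SAMPLE_EVENTS = [
    ("2013-12-10 15:40:00", "auth.failures", "rsaacesrv", "10.0.0.5", "zed"),    # too old to count later
    ("2013-12-10 16:00:05", "auth.failures", "rsaacesrv", "10.0.0.5", "alice"),
    ("2013-12-10 16:01:10", "auth.failures", "rsaacesrv", "10.0.0.5", "bob"),
    ("2013-12-10 16:02:00", "auth.failures", "rsaacesrv", "10.0.0.9", "dave"),
    ("2013-12-10 16:02:30", "auth.failures", "rsaacesrv", "10.0.0.9", "dave"),   # repeat user, not unique
    ("2013-12-10 16:03:15", "auth.failures", "rsaacesrv", "10.0.0.5", "carol"),  # third unique user -> alert
    ("2013-12-10 16:04:00", "auth.failures", "rsaacesrv", "10.0.0.9", "eve"),
    ("2013-12-10 16:04:30", "auth.failures", "winevent", "10.0.0.9", "frank"),   # wrong device.type, filtered
]

def matches_condition(cat, dev):
    """The rule's Condition: event.cat.name=auth.failures && device.type=rsaacesrv."""
    return cat == "auth.failures" and dev == "rsaacesrv"

def find_alerts(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window form of the rule: Instance Key is ip.src, Threshold is unique user.dst.
    Returns one alert per ip.src as (ip.src, sorted unique users, time of the triggering event)."""
    history = defaultdict(list)   # ip.src -> [(timestamp, user.dst), ...] still inside the window
    alerts, fired = [], set()
    for when, cat, dev, src, user in sorted(events):   # tuples sort by the time string first
        if not matches_condition(cat, dev):
            continue
        now = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        # drop entries older than the window, then add this event
        recent = [(t, u) for t, u in history[src] if now - t <= window]
        recent.append((now, user))
        history[src] = recent
        users = {u for _, u in recent}
        if len(users) > threshold and src not in fired:   # u_count(user.dst) > threshold, alert once per key
            alerts.append((src, sorted(users), when))
            fired.add(src)
    return alerts

if __name__ == "__main__":
    for src, users, when in find_alerts(SAMPLE_EVENTS):
        print(f"{when}: {src} failed RSA auth as {len(users)} users: {', '.join(users)}")
```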
2013-12-10 06:54 PM
Please consider moving this question as-is (no need to recreate) to the proper forum for maximum visibility. Questions written to the users' own "Discussions" space don't get the same amount of attention and can go unanswered for a long time.
You can do so by selecting "Move" under ACTIONS along the upper-right. Then search for and select: "RSA Security Analytics".
2013-12-12 01:17 PM
Moved.
I have also tried a different variation with the same result. The rule would not validate.
Rule Name - A1
Condition - event.cat.name=auth.failures && device.type=rsaacesrv && user.dst exists
Threshold - u_count() > 2
Instance Key - ip.src
Time Window - 1 min
Do I need to have actual data that would trigger this rule before I can validate the rule? Do I get identical errors for "bad syntax" and "no data found"? How do I determine which is my problem?
2013-12-12 01:22 PM
I just did some testing on my end and it was working.
Condition: event.cat.name = 'auth.failures' && device.type = 'rsaacesrv' && user.dst exists
Threshold: u_count() >2
key: ip.src
time: 1min
2013-12-12 01:23 PM
Note for you: use single quotes around everything! For some reason it can break a lot of stuff.
2013-12-12 01:48 PM
Aha. Yes, the rule now validates when I use quotes. However, it won't apply the rule; I get this error:
"threshold field error. Expect: thresh=op-string(key-string)>value[mb|kb|gb]"
What version are you on? I'm on 10.2.2, which apparently only accepts Instance Keys that are formatted IPv4, IPv6, or UInt16 (which would be updsourceport, udpdstport, tcpsrcport, tcpdstport in my deployment). Is that different in other versions?
2013-12-12 01:57 PM
Just tried to apply it, I am getting the same error, also 10.2.2. The likely fix is going to be using 10.3.1 with ESA. I am not sure if you need to purchase ESA or not, I am currently in the process of upgrading to 10.3.1.
2013-12-12 02:13 PM
If you have a chance, I would love to see if you get the same error in 10.3.1.
2013-12-12 02:31 PM
Should be upgrading tomorrow at 10 am EST. I will try it and update you after it is installed.
2013-12-12 02:58 PM
Thanks Sean. At this point I am going to assume that my correlation rule is not possible in 10.2.2.