2020-09-03 09:02 AM
Hello All, I was wondering if anyone could help me use ESA with my packet concentrators to automate my process for investigating teleworkers logging in from different sources within a specific window.
I run a daily report that displays all of the users and their source IPs/source organizations (ISP, VPN, etc). I manually review these reports for users with more than one "org.src" value.
I know this could be easily done with logs and a SIEM, but since all I control is NetWitness packets I'm hoping there is a way to write an ESA rule that could highlight usernames with multiple unique "org.src" values, say in a 6 (or even 24) hour period, or would this overload the ESA?
Edited to add: I'm also asking this because if it's doable, it'll help me better understand creating more detailed ESA rules.
2020-09-06 08:58 AM
Hi Joshua,
It is possible to hold all events in one window. Each time an event arrives, you add its org_src entry for that ip.src to the window. If one ip.src comes from two or more org_src values, you fire an alert. Below is an EPL example I wrote using EsperTech's Esper EPL Online.
Can you try it and let me know if this is what you are looking for?
https://esper-epl-tryout.appspot.com/epltryout/mainform.html
// Create Window to store events
CREATE WINDOW RemoteUsers.win:time(24 hours) (ip_src string, org_src string);

// Insert into the Window, IP source and org source
@Name('Insert into Window')
INSERT INTO RemoteUsers
SELECT ip_src AS ip_src, org_src AS org_src FROM Event(device_type='vpnparser');

// Fire when one ip_src has been seen with more than one org_src inside the window
@Name('Fire Alert')
SELECT ip_src, count(*) FROM RemoteUsers GROUP BY ip_src HAVING count(distinct org_src) > 1;
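To show what the window-plus-distinct-count rule above actually does over time (and why a 24 hour time window can miss two logins that are 25 hours apart), here is an added Python model of the same logic. It is not code from the original post and not NetWitness ESA code; the login events, user names and organization strings are constructed for the example, and the key name follows Joshua's question (per user rather than per ip_src).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample "VPN login" meta, the equivalent of what the ESA rule
# would receive as (user, org.src, event time). Not real data.
SAMPLE_EVENTS = [
    ("alice", "Comcast Cable", "2020-09-15 08:00:00"),
    ("bob",   "Verizon Fios",  "2020-09-15 08:05:00"),
    ("carol", "AT&T",          "2020-09-15 09:00:00"),
    ("alice", "Comcast Cable", "2020-09-15 11:30:00"),  # same org again: no alert
    ("bob",   "NordVPN",       "2020-09-15 13:45:00"),  # second org within window: alert
    ("carol", "Hetzner",       "2020-09-16 10:00:00"),  # 25 h later, first login aged out: no alert
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


class MultiOrgDetector:
    """Sliding time window per user, holding (time, org) rows for the last
    `window`; fires when one user has more than one distinct org in the window.

    This mirrors CREATE WINDOW ... win:time(24 hours) feeding a
    GROUP BY user HAVING count(distinct org_src) > 1 statement."""

    def __init__(self, window=timedelta(hours=24)):
        self.window = window
        # user -> deque of (timestamp, org), oldest first
        self.rows = defaultdict(deque)

    def _expire(self, user, now):
        # Drop rows that have fallen out of the time window, like win:time does
        q = self.rows[user]
        while q and now - q[0][0] >= self.window:
            q.popleft()

    def feed(self, user, org, ts):
        """Insert one login event; return (user, sorted orgs) if it trips the rule, else None."""
        now = datetime.strptime(ts, TS_FORMAT)
        self._expire(user, now)
        self.rows[user].append((now, org))
        orgs = {o for _, o in self.rows[user]}
        if len(orgs) > 1:
            return (user, sorted(orgs))
        return None


def run(events, window_hours=24):
    """Replay events in time order through the detector and collect alerts."""
    det = MultiOrgDetector(timedelta(hours=window_hours))
    alerts = []
    for user, org, ts in sorted(events, key=lambda e: e[2]):
        hit = det.feed(user, org, ts)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for user, orgs in run(SAMPLE_EVENTS):
        print(f"ALERT: {user} seen from {len(orgs)} orgs within 24h: {', '.join(orgs)}")
```

Replaying the sample set fires once, for bob, whose two logins from different organizations fall inside the window; carol's two organizations are 25 hours apart, so by the time the second one arrives the first has already been expired from the window and the distinct count is back to one. Shrinking the window to the 5 or 6 hour range Joshua mentions makes the rule correspondingly tighter (with a 5 hour window bob no longer fires either). The memory cost is the same in ESA as here: one row per teleworker login for the length of the window, so it scales with login volume, not with the number of users.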
2020-09-11 07:42 AM
Hi Karim, thanks for this! I got pulled onto another project over the last few days, but I will try this out and let you know. Thanks again!
2020-09-15 10:31 AM
Hi Karim,
Unfortunately, it looks like this doesn't work. As you can see below I did tweak your code just a bit to match the metakeys I'm using for my searches, but I ran a regular search for teleworkers today, and ESA did not alert on two users I saw with different source logins within 12 hours of each other.
// Window holding one row per teleworker login for the last 24 hours
CREATE WINDOW RemoteUsers.win:time(24 hours)
(user string, org_src string);

// Feed every login tagged 'teleworker' in risk.info (risk_info in EPL) into the window
@Name('Insert into Window')
INSERT INTO RemoteUsers
SELECT user AS user, org_src AS org_src FROM Event(
    ('teleworker' = ANY(risk_info))
);

// NetWitness ESA only raises an alert from a statement annotated @RSAAlert;
// a plain SELECT runs but its output never becomes an alert
@RSAAlert
@Name('Fire Alert')
SELECT user, count(*) FROM RemoteUsers
GROUP BY user
HAVING count(distinct org_src) > 1;