2021-10-01 01:38 AM
Hello everybody.
Need your help with an ESA rule (EPL).
So, what I want:
@RSAAlert(oneInSeconds = 0)
SELECT *
FROM Event (
/* Conditions Event */
(
device_class IN ('Windows Hosts')
AND reference_id IN ('4625')
AND logon_type IN ('3')
AND ip_src IS NOT NULL
)
AND
/* Conditions Codes */
(
result_code IN ('0xc000006a')
OR ('0xc000006a') = ANY(context)
)
AND
/* Conditions to Exclude */
(
ip_src NOT IN ('111.111.111.111')
AND user_dst NOT LIKE ('%$%')
)
).std:groupwin(ip_src)
.win:time_batch(120 seconds)
GROUP BY ip_src
HAVING COUNT(*) > 4;
2021-10-27 11:55 AM
I think your issue is the time_batch. I would use time_length_batch. Also keep in mind that by adding the logon_type=3 you are limiting this statement to only logins via the network and you are excluding interactive logins.
Hope this helps
I recreated your rule and came up with the following.
/*
This basic template is a placeholder for defining basic EPL content that can be
installed and executed in ESA. The sample below is the minimum that would be
required to get started.
Version: 4.0
*/
/*
Module debug section. If this is empty then debugging is off.
*/
/* EPL section. If there is no text here it means there were no statements. */
module Module_0d4a0277_1e78_4a45_b426_c24812e6415f;
@Name('Module_0d4a0277_1e78_4a45_b426_c24812e6415f_Alert')
@Description('')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
/* Statement: Group */
(device_class IN ( 'Windows Hosts' ) AND reference_id IN ( '4625' ) AND logon_type IN ( '3' ) AND ip_src IS NOT NULL)
AND
/* Statement: conditions */
(result_code IN ( '0xc000006a' ) OR ( '0xc000006a' = ANY( context ) ))
AND
/* Statement: exclude */
(ip_src NOT IN ( '111.111.111.111' ) AND user_dst NOT LIKE ( '%$%' ))
)
.std:groupwin(ip_src)
.win:time_length_batch(2 Minutes, 4)
GROUP BY ip_src
HAVING COUNT(*) >= 4;
2021-11-11 01:13 AM
Thank you for the answer.
I think your issue is the time_batch. I would use time_length_batch.
According to my logic, I need exactly time_batch, because I want to collect all events for 2 minutes. If I am wrong, please explain to me what my mistake is.
Also keep in mind that by adding the logon_type=3 you are limiting this statement to only logins via the network and you are excluding interactive logins.
I need exactly this type of logon, so this is correct.
So the issue is that the rule works fine (grouping/creating alerts by ip.src) most of the time, but sometimes it creates one rule with two ip.src in it.