NetWitness Community
ESA Rule - Grouping Alerts

MaximMarchenko (Occasional Contributor)
2021-10-01 01:38 AM

Hello everybody.

I need your help with an ESA rule (EPL).

So, what I want:

The rule must generate alerts if there are a minimum of 5 failed logins (bad password) from the same source during 120 seconds.

After reading all the documentation that I've managed to get, I wrote the following rule:
@RSAAlert(oneInSeconds = 0)

SELECT *
FROM Event (
        /* Conditions Event */
        (
            device_class IN ('Windows Hosts')
            AND reference_id IN ('4625')
            AND logon_type IN ('3')
            AND ip_src IS NOT NULL
        )
        AND 
        /* Conditions Codes */
        (
            result_code IN ('0xc000006a')
            OR ('0xc000006a') = ANY(context)
        )
        AND
        /* Conditions to Exclude */
        (
            ip_src NOT IN ('111.111.111.111')
            AND user_dst NOT LIKE ('%$%')
        )
).std:groupwin(ip_src)
.win:time_batch(120 seconds)
GROUP BY ip_src
HAVING COUNT(*) > 4;
So this rule aggregates more than 4 events with a unique ip_src in one alert.

It works fine most of the time: I get one alert with, for example, 50 events in it with a unique ip_src.

But sometimes (rather rarely) it aggregates two (it's always two, not more) ip_src in one alert and I don't know why.

Is it something in the rule logic? Please help me clear it up.
Labels: Other Topics, EPL, ESA Rules

2 REPLIES

DaveGlover (Trusted Contributor)
2021-10-27 11:55 AM

I think your issue is the time_batch. I would use time_length_batch. Also keep in mind that by adding the logon_type=3 you are limiting this statement to only logins via the network and you are excluding interactive logins.

Hope this helps.

I recreated your rule and came up with the following:

/*
This basic template is a placeholder for defining basic EPL content that can be
installed and executed in ESA. The sample below is the minimum that would be
required to get started.

Version: 4.0
*/

/*
Module debug section. If this is empty then debugging is off.
*/

/* EPL section. If there is no text here it means there were no statements. */

module Module_0d4a0277_1e78_4a45_b426_c24812e6415f;

@Name('Module_0d4a0277_1e78_4a45_b426_c24812e6415f_Alert')
@Description('')
@RSAAlert(oneInSeconds=0)

SELECT * FROM Event(
/* Statement: Group (field name corrected from ip_scr to ip_src) */
(device_class IN ( 'Windows Hosts' ) AND reference_id IN ( '4625' ) AND logon_type IN ( '3' ) AND ip_src IS NOT NULL)
AND
/* Statement: conditions */
(result_code IN ( '0xc000006a' ) OR ( '0xc000006a' = ANY( context ) ))
AND
/* Statement: exclude (NOT IN, so the listed source is excluded as in the original rule) */
(ip_src NOT IN ( '111.111.111.111' ) AND user_dst NOT LIKE ( '%$%' ))
)
.std:groupwin(ip_src)
.win:time_length_batch(2 Minutes, 4)
GROUP BY ip_src
HAVING COUNT(*) >= 4;

MaximMarchenko (Occasional Contributor), in response to DaveGlover
2021-11-11 01:13 AM

Thank you for the answer.

"I think your issue is the time_batch. I would use time_length_batch."

According to my logic, I need exactly time_batch, because I want to collect all events for 2 minutes. If I'm wrong, please explain to me what my mistake is.

"Also keep in mind that by adding the logon_type=3 you are limiting this statement to only logins via the network and you are excluding interactive logins."

I need exactly this type of logon, so this is correct.

So the issue is that the rule works fine (grouping/creating alerts by ip.src) most of the time, but sometimes it creates one rule with two ip.src in it.

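The two window types argued over in this thread, simulated on constructed Windows 4625 events. This is an added example, not code from the thread, from NetWitness or from Esper: it applies the rule's filter conditions, then models std:groupwin(ip_src) combined with either win:time_batch(120 seconds) or win:time_length_batch(2 minutes, 4), and finally applies the HAVING COUNT(*) threshold to the released batches. The source addresses, user names and timestamps are constructed; 111.111.111.111 is the placeholder exclusion from the rule. Timer handling after a release is simplified (the interval continues when the previous batch was non-empty and restarts at the next arrival otherwise), which is enough to see how a pure time batch releases everything a source accumulated in the interval, while the time-and-length batch releases as soon as the count is reached, and to list the instants at which more than one source is released at once.

```python
"""Simulation of the per-source batch windows used in the ESA rule above.

Added example, not code from the forum thread or from NetWitness/Esper.
All events below are constructed; timestamps are seconds from the start
of the capture.
"""
from collections import defaultdict

BAD_PASSWORD = "0xc000006a"           # STATUS_WRONG_PASSWORD in result_code or context
EXCLUDED_IPS = {"111.111.111.111"}   # placeholder address from the rule's exclusion


def ev(t, ip_src, user_dst, logon_type="3", result_code=BAD_PASSWORD, context=()):
    """Build a constructed 4625 event carrying the fields the rule tests."""
    return {"t": t, "device_class": "Windows Hosts", "reference_id": "4625",
            "ip_src": ip_src, "user_dst": user_dst, "logon_type": logon_type,
            "result_code": result_code, "context": list(context)}


EVENTS = sorted([
    *[ev(t, "10.0.0.5", "alice") for t in (0, 10, 20, 30, 40, 50)],   # 6 failures in 50 s
    *[ev(t, "10.0.0.12", "bob") for t in (0, 15, 30, 45, 60)],        # 5 failures, same start
    ev(5, "10.0.0.9", "carol"), ev(100, "10.0.0.9", "carol"),
    ev(110, "10.0.0.9", "carol", result_code="", context=[BAD_PASSWORD]),  # code only in context
    ev(115, "10.0.0.9", "carol"), ev(200, "10.0.0.9", "carol"),
    *[ev(t, "111.111.111.111", "dave") for t in range(1, 7)],         # excluded source
    *[ev(t, "10.0.0.7", "HOST01$") for t in range(3, 8)],             # machine account
    ev(9, "10.0.0.7", "erin", logon_type="2"),                        # interactive logon
    ev(11, None, "frank"),                                            # no source address
], key=lambda e: e["t"])


def matches(e):
    """The rule's filter: Windows 4625, network logon, bad password, exclusions."""
    return (e["device_class"] == "Windows Hosts"
            and e["reference_id"] == "4625"
            and e["logon_type"] == "3"
            and e["ip_src"] is not None
            and (e["result_code"] == BAD_PASSWORD or BAD_PASSWORD in e["context"])
            and e["ip_src"] not in EXCLUDED_IPS
            and "$" not in e["user_dst"])


def by_source(events):
    """std:groupwin(ip_src): one independent window per source address."""
    groups = defaultdict(list)
    for e in events:
        if matches(e):
            groups[e["ip_src"]].append(e)
    return groups


def batch_window(events, interval, length=None):
    """Per-source batch window. With length=None this is win:time_batch(interval):
    a source's batch starts at its first event and everything collected is
    released when the interval ends. With a length it is
    win:time_length_batch(interval, length): the batch is also released as soon
    as `length` events are collected. Returns sorted (release_time, ip_src, count)."""
    releases = []
    for ip, evs in by_source(events).items():
        batch, start = [], None
        for e in evs:
            if start is None:
                start = e["t"]
            while e["t"] >= start + interval:   # the interval ended before this event
                if not batch:                   # idle interval: restart at this arrival
                    start = e["t"]
                    break
                releases.append((start + interval, ip, len(batch)))
                batch, start = [], start + interval
            batch.append(e)
            if length is not None and len(batch) == length:
                releases.append((e["t"], ip, length))   # count reached: release now
                batch, start = [], None
        if batch:
            releases.append((start + interval, ip, len(batch)))
    return sorted(releases)


def alerts(releases, min_count):
    """Apply the HAVING COUNT(*) threshold to the released batches."""
    return [r for r in releases if r[2] >= min_count]


def coincident_releases(releases):
    """Release instants at which more than one ip_src is released."""
    at = defaultdict(list)
    for t, ip, _ in releases:
        at[t].append(ip)
    return {t: ips for t, ips in at.items() if len(ips) > 1}


if __name__ == "__main__":
    tb = batch_window(EVENTS, 120)
    tlb = batch_window(EVENTS, 120, length=4)
    print("time_batch(120 s), COUNT(*) > 4:", alerts(tb, 5))
    print("sources released at the same instant:", coincident_releases(tb))
    print("time_length_batch(120 s, 4), COUNT(*) >= 4:", alerts(tlb, 4))
```

On this sample the time batch raises one alert per source for 10.0.0.5 and 10.0.0.12 at the same instant, because both sources' batches started with an event at t=0, while 10.0.0.9 never reaches five events within one of its intervals. The time-and-length batch with a length of 4 fires for all three sources as soon as the fourth failure arrives, which is why the two rules answer different questions: "at least N failures per source in a fixed interval" versus "the moment a source reaches N failures".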