2019-02-19 06:33 AM
Hi Team,
I am working on a use-case for CyberArk and would like to know if there is any feasibility to call "meta value" of any "meta key" in the "meta value" of another "meta key".
Scenario is: CyberArk-Password Retrieved from another user.
Case Study: Source Username is the field which captures the affected user for whom the password is retrieved, and Destination Username is the field which captures the detail of the user who retrieved the password. Source Username will have an additional prefix of "adm_". E.g. Source Username = adm_deepak and Destination Username = deepak.
My logic is to build something like: source username doesn't contain destination username.
Seeking your help here.
Regards,
Deepak Shukla
2019-02-19 07:02 AM
Hey Deepak,
You sure can. The below will alert when user_src does not contain the value in user_dst (assuming user_src and user_dst are from the same event):
SELECT * FROM Event(user_src NOT LIKE '%' || user_dst || '%')
Cheers,
Lee
2019-02-19 10:04 AM
Hi Lee,
Good to hear this.
In my case source user name will have an additional prefix of "adm_".
Will the shared syntax suffice for the purpose, or, I guess, do I have to put some regex in the same syntax to exclude the text "adm_"? Will calling regex in the same syntax work?
Thanks in Advance,
Deepak Shukla
2019-02-19 10:12 AM
Hey Deepak,
It would work for what you have suggested as we are using a LIKE statement. Let's take an example whereby we have an event that contains two values:
The logic posted above is looking for instances where user_src, which currently holds 'adm_deepak', does not contain the value from user_dst, which currently holds 'deepak'. The value 'deepak' currently exists within user_dst, which is holding 'adm_deepak' - therefore there would be no alert.
If we had two events like the below:
Now user_src still holds 'adm_deepak', but user_dst holds 'evil', the logic would look to see if the user_src value does not contain the value from user_dst. In this case 'evil' does not exist within 'adm_deepak' so you would get an alert.
Cheers,
Lee
2019-02-21 09:47 AM
Hi Lee,
Thank you so much for your inputs!
I am totally a newbie in this EPL. Tried to create one but post deployment it got disabled automatically. Don't know what I am missing. Is it the very first line of module Module_esa000170;?
ESA was unable to deploy one or more rules, and these rules were disabled. Common issues include: missing metadata, invalid rule syntax, and unavailable external connections at the time of deployment.
/*
Version: 3
*/
module Module_esa000170;
@Name('Module_esa000170_Alert')
@RSAAlert(oneInSeconds=0)
SELECT *
FROM Event
(
(device_type.toLowerCase() IN ( 'cyberark' ))
AND
(action.toLowerCase() IN ( 'retrieve password' ))
AND
(user_src NOT LIKE '%' || user_dst || '%')
)
;
2019-02-21 01:49 PM
@Name('ep_user_in_user')
@RSAAlert(oneInSeconds=0)
SELECT * FROM
Event(
device_type.toLowerCase() IN ( 'cyberark' ) AND
isOneOfIgnoreCase(action,{ 'retrieve password' }) AND
user_src NOT LIKE '%' || user_dst || '%'
);
The issue is that action is not a string but a string[] (vector), so you need a different advanced syntax for it. I usually try to build as much of the rule using the UI as possible and click "show syntax" so that I can get the right syntax and operators for the keys. It should be easier to do this than it is, but so far this is what we have to work with.
2019-02-22 05:16 AM
Thanks again, Eric! I have placed the shared syntax, will see the outcome and trouble you again in case required.
Meanwhile I will gear up to learn EPL.
Thanks a lot.
2019-02-25 01:01 PM
Hi Eric.
Hope you are doing well. Until I am well versed with the EPL syntax, I need your help with the correct syntax. Now I have the two additional criteria below to put in the rule. I want to trigger the rule when it matches '2' events in 'n' minutes.
user.dst begins with "u"
Event 1 "ip.add" != Event 2 "ip.add"
Regards,
Deepak Shukla
2019-02-28 09:59 AM
@Name('ep_user_in_user')
@RSAAlert(oneInSeconds=0)
SELECT * FROM
Event(
device_type.toLowerCase() IN ( 'cyberark' ) AND
isOneOfIgnoreCase(action,{ 'retrieve password' }) AND
user_dst LIKE 'u%' AND
user_src NOT LIKE '%' || user_dst || '%'
);
that should take care of the u* requirement
will look at the other items you asked as well (adding a count window)
2019-02-28 10:22 AM
Thanks a lot, Eric. Will wait for the matching of two events.
Event 1 "ip.add" != Event 2 "ip.add"
Regards,
Deepak Shukla
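The count-window requirement from the last two posts (two matching retrievals for the same user_dst within n minutes, from different IP addresses) was left open in the thread. The following is an added Python model of that logic, not EPL and not from the thread or from RSA; it mirrors the single-event filter Eric posted and adds the two-event correlation so the expected alerts can be checked against sample data before the rule is written in EPL. The 5-minute window, the key name ip_addr for "ip.add", and the events themselves are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the thread). `action` is a list because
# ESA exposes it as string[]; `ip_addr` is an assumed key name for "ip.add".
EVENTS = [
    {"time": "2019-02-25T10:00:00", "user_src": "adm_deepak", "user_dst": "deepak", "ip_addr": "10.0.0.1"},
    {"time": "2019-02-25T10:01:00", "user_src": "adm_evil", "user_dst": "user1", "ip_addr": "10.0.0.1"},
    {"time": "2019-02-25T10:03:00", "user_src": "adm_evil", "user_dst": "user1", "ip_addr": "10.0.0.1"},
    {"time": "2019-02-25T10:04:00", "user_src": "adm_evil", "user_dst": "user1", "ip_addr": "10.0.0.2"},
    {"time": "2019-02-25T10:05:00", "user_src": "adm_evil", "user_dst": "user2", "ip_addr": "10.0.0.9"},
    {"time": "2019-02-25T10:30:00", "user_src": "adm_evil", "user_dst": "user1", "ip_addr": "10.0.0.3"},
]
for e in EVENTS:
    e.update(device_type="CyberArk", action=["Retrieve Password"])


def base_match(e):
    """Single-event filter mirroring the EPL WHERE clause posted in the thread."""
    return (e["device_type"].lower() == "cyberark"
            and any(a.lower() == "retrieve password" for a in e["action"])
            and e["user_dst"].startswith("u")          # user_dst LIKE 'u%'
            and e["user_dst"] not in e["user_src"])    # user_src NOT LIKE '%' || user_dst || '%'


def correlate(events, window_minutes=5):
    """Return (first, second) pairs of matching events for the same user_dst that
    arrive within window_minutes of each other from different ip_addr values."""
    window = timedelta(minutes=window_minutes)  # the "n minutes"; 5 is an assumed value
    matched = sorted((e for e in events if base_match(e)),
                     key=lambda e: datetime.fromisoformat(e["time"]))
    alerts = []
    for i, first in enumerate(matched):
        t_first = datetime.fromisoformat(first["time"])
        for second in matched[i + 1:]:
            if datetime.fromisoformat(second["time"]) - t_first > window:
                break  # sorted by time, so nothing later can still be in the window
            if second["user_dst"] == first["user_dst"] and second["ip_addr"] != first["ip_addr"]:
                alerts.append((first, second))
    return alerts


if __name__ == "__main__":
    for first, second in correlate(EVENTS):
        print(f"ALERT {first['user_dst']}: {first['ip_addr']} at {first['time']}"
              f" -> {second['ip_addr']} at {second['time']}")
```

Two retrievals from the same IP (the first two user1 events) do not alert on their own; the 10:04 event from a second IP pairs with each of them, and the 10:30 event is outside the window.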