NetWitness Community

Hi Lee,

Good to hear this.

In my case source user name will have an additional prefix of "adm_".

Does the shared syntax will suffice the purpose or I guess, have to put some regex in the same syntax to exclude the text "adm_". Does calling regex in same syntax will work?

Thanks in Advance,

Deepak Shukla

Hey Deepak,

It would work for what you have suggested as we are using a LIKE statement. Let's take an example whereby we have an event that contains two values:

• user_src = 'adm_deepak', user_dst = 'deepak'

The logic posted above is looking for instances where user_src, which currently holds 'adm_deepak', not containing the value from user_dst, which currently holds 'deepak'. The value 'deepak' currently exists within user_dst, which is holding 'adm_deepak' - therefore there would be no alert.

If we had two events like the below:

• user_src = 'adm_deepak', user_dst = 'evil'

Now user_src still holds 'adm_deepak', but user_dst holds 'evil', the logic would look to see if the user_src value does not contain the value from user_dst. In this case 'evil' does not exist within 'adm_deepak' so you would get an alert.

Cheers,

Lee

Hi Lee,

Thank you so much for your inputs! 

I am totally a newbie in this EPL. Tried to create one but post deployment it got disabled automatically. Don't know what I am missing. Is it the very first line of module Module_esa000170;? 

ESA was unable to deploy one or more rules, and these rules were disabled. Common issues include: missing metadata, invalid rule syntax, and unavailable external connections at the time of deployment.

/*

Version: 3

*/

module Module_esa000170;

@Name('Module_esa000170_Alert')

@RSAAlert(oneInSeconds=0)

SELECT *

FROM Event

(

(device_type.toLowerCase() IN ( 'cyberark' ))

AND

(action.toLowerCase() IN ( 'retrieve password' ))

AND

(user_src NOT LIKE '%' || user_dst || '%')

)                 

;

@Name('ep_user_in_user')
@RSAAlert(oneInSeconds=0)
SELECT * FROM
Event(
 device_type.toLowerCase() IN ( 'cyberark' ) AND 
 isOneOfIgnoreCase(action,{ 'retrieve password' }) AND
 user_src NOT LIKE '%' || user_dst || '%'
);‍‍‍‍‍‍‍‍

the issue is that action is not a string but a string[] (vector) so you need a different advanced syntax for it.  I usually try to build as much of the rule using the UI as possible and click show syntax so that i can get the right syntax and operators for the keys.  It should be easier to do this than it is, but so far this is what we have to work with.

Thanks again Eric ! Have placed the shared syntax, will see the outcome and trouble you again in-case required.

Meanwhile I will gear-up you to learn EPL.

Thanks alot.

Hi Eric. 

Hope you are doing well. Until I well versed with the EPL syntax, needing your help with the correct syntaxs. Now I have below two more additional criteria to put in the rule. Want to trigger the rule when it matches '2' events in 'n' minutes.

user.dst begins with "u"

Event 1 "ip.add" != Event 2 "ip.add"

Regards,

Deepak Shukla

@Name('ep_user_in_user')
@RSAAlert(oneInSeconds=0)
SELECT * FROM
Event(
 device_type.toLowerCase() IN ( 'cyberark' ) AND 
 isOneOfIgnoreCase(action,{ 'retrieve password' }) AND
 user_dst LIKE 'u%' AND
 user_src NOT LIKE '%' || user_dst || '%'
);‍‍‍‍‍‍‍‍‍

that should take care of the u* requirement

will look at the other items you asked as well (adding a count window)

Thanks alot Eric.... Will wait for the matching of two events.

Event 1 "ip.add" != Event 2 "ip.add"

Regards,

Deepak Shukla