This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

ESA Rule Scope

DeepakShukla2
Beginner
Beginner

‎2019-02-19 06:33 AM

Hi Team, 

 

I am working  on a use-case for CyberArk and would like to know if there is any feasibility to call "meta value" of any "meta key" in the "meta value" of another "meta key". 

 

Scenario is: CyberArk-Password Retrieved from another user. 

Case Study: Source Username is the field which capture affected user for which password is retrieved and destination username is the field which capture the detail of user who retried the password. Source Username will have additional pre-fix of "adm_". E.g. Source Username = adm_deepak and Destination Username = deepak. 

My logic is to build something like, source username doesn't contain destination username.   

 

Seeking your hep here..... 

 

Regards,

Deepak Shukla

0 Likes
11 REPLIES 11

DeepakShukla2
Beginner
Beginner
In response to EricPartington

‎2019-03-08 09:55 AM

Hi Eric...Hope you are doing well ! Below is what i tried to create, unfortunately it is throwing error while saving. Do you mind to have a look and suggest.

 

@Name('ep_user_in_user')
@RSAAlert(oneInSeconds=0)
SELECT * FROM PATTERN [
every
e1=Event(device_type.toLowerCase() IN ( 'cyberark' ) AND
isOneOfIgnoreCase(action,{ 'retrieve password' }) AND
user_dst LIKE 'u%' AND
user_src NOT LIKE '%' || user_dst || '%'
)
->
e2=Event(device_type.toLowerCase() IN ( 'cyberark' ) AND
isOneOfIgnoreCase(action,{ 'retrieve password' }) AND
user_dst LIKE 'u%' AND
user_src NOT LIKE '%' || user_dst || '%'
AND ip_addr NOT LIKE '%' || e1.ip_addr || '%')
where timer:within(30 Minutes)
];

 

Regards,

Deepak Shukla

0 Likes

JoshRandall
Valued Contributor Valued Contributor
Valued Contributor
In response to DeepakShukla2

‎2019-03-08 02:44 PM

Deepak,

  Your rule copy/pasted into my ESA and saved without any errors, so it does not appear that you have any syntax issues within the rule itself.  This may be a somewhat basic thing to check, but please make sure you have given your rule a name in the "Rule Name” line - if that is empty, you will not be able to save an otherwise-valid rule.

 

  One note on your rule as you have it written now - I would recommend changing

            AND ip_addr NOT LIKE '%' || e1.ip_addr || '%'

…to

 

            AND NOT (ip_addr = e1.ip_addr)

 

  Also, when you said you wanted to match "'2' events in 'n' minutes,” can you be a bit more specific?  Currently, your rule is already looking for 2 different events (e1 and e2) within 30 minutes.  If you want to change the time window, you would just adjust the "timer:within(30 minutes)” statement.

 

  Or are you asking how to increase the number of events that the e1 and e2 statements will evaluate?


Mr. Mongo
© 2022 RSA Security LLC or its affiliates. All rights reserved.