2019-02-19 06:33 AM
Hi Team,
I am working on a use-case for CyberArk and would like to know if there is any feasibility to call "meta value" of any "meta key" in the "meta value" of another "meta key".
Scenario is: CyberArk-Password Retrieved from another user.
Case Study: Source Username is the field which captures the affected user for which the password is retrieved, and Destination Username is the field which captures the details of the user who retrieved the password. Source Username will have an additional prefix of "adm_". E.g. Source Username = adm_deepak and Destination Username = deepak.
My logic is to build something like: source username doesn't contain destination username.
Seeking your help here.....
Regards,
Deepak Shukla
2019-03-08 09:55 AM
Hi Eric...Hope you are doing well! Below is what I tried to create; unfortunately, it is throwing an error while saving. Do you mind having a look and suggesting?
@Name('ep_user_in_user')
@RSAAlert(oneInSeconds=0)
SELECT * FROM PATTERN [
    every
    e1=Event(device_type.toLowerCase() IN ( 'cyberark' ) AND
             isOneOfIgnoreCase(action,{ 'retrieve password' }) AND
             user_dst LIKE 'u%' AND
             user_src NOT LIKE '%' || user_dst || '%'
    )
    ->
    e2=Event(device_type.toLowerCase() IN ( 'cyberark' ) AND
             isOneOfIgnoreCase(action,{ 'retrieve password' }) AND
             user_dst LIKE 'u%' AND
             user_src NOT LIKE '%' || user_dst || '%'
             AND ip_addr NOT LIKE '%' || e1.ip_addr || '%')
    where timer:within(30 Minutes)
];
Regards,
Deepak Shukla
2019-03-08 02:44 PM
Deepak,
Your rule copy/pasted into my ESA and saved without any errors, so it does not appear that you have any syntax issues within the rule itself. This may be a somewhat basic thing to check, but please make sure you have given your rule a name in the "Rule Name" line - if that is empty, you will not be able to save an otherwise-valid rule.
One note on your rule as you have it written now - I would recommend changing
AND ip_addr NOT LIKE '%' || e1.ip_addr || '%'
…to
AND NOT (ip_addr = e1.ip_addr)
Also, when you said you wanted to match "'2' events in 'n' minutes," can you be a bit more specific? Currently, your rule is already looking for 2 different events (e1 and e2) within 30 minutes. If you want to change the time window, you would just adjust the "timer:within(30 minutes)" statement.
Or are you asking how to increase the number of events that the e1 and e2 statements will evaluate?
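As an added illustration (not code from this thread and not an ESA/EPL artifact), the Python below re-implements the posted pattern over a few constructed CyberArk events so the two IP-address checks can be compared offline: the substring test treats 10.0.0.10 as "containing" 10.0.0.1 and silently suppresses a genuine e1 -> e2 match, while the equality test does not. It assumes the meta keys exactly as named in the rule and measures the 30-minute window from e1.

```python
from datetime import datetime, timedelta

# Constructed sample "retrieve password" events (not real CyberArk logs).
EVENTS = [
    {"time": "2019-03-08 09:00:00", "device_type": "CyberArk", "action": "Retrieve password",
     "user_src": "adm_u1001", "user_dst": "u1001", "ip_addr": "10.0.0.1"},   # own account: filtered out
    {"time": "2019-03-08 09:05:00", "device_type": "CyberArk", "action": "Retrieve password",
     "user_src": "adm_u2002", "user_dst": "u3003", "ip_addr": "10.0.0.1"},   # e1 candidate
    {"time": "2019-03-08 09:20:00", "device_type": "CyberArk", "action": "Retrieve password",
     "user_src": "adm_u4004", "user_dst": "u3003", "ip_addr": "10.0.0.10"},  # e2: other IP, inside window
    {"time": "2019-03-08 10:30:00", "device_type": "CyberArk", "action": "Retrieve password",
     "user_src": "adm_u5005", "user_dst": "u3003", "ip_addr": "10.0.0.2"},   # outside the 30-minute window
]

def like_contains(value, needle):
    """Emulates EPL `value LIKE '%' || needle || '%'` (plain substring match)."""
    return needle in value

def qualifies(ev):
    """The filter that e1 and e2 share in the posted rule."""
    return (ev["device_type"].lower() == "cyberark"
            and ev["action"].lower() in {"retrieve password"}
            and ev["user_dst"].startswith("u")
            and not like_contains(ev["user_src"], ev["user_dst"]))

def ip_differs_like(e2_ip, e1_ip):
    """As posted: ip_addr NOT LIKE '%' || e1.ip_addr || '%' (substring test)."""
    return not like_contains(e2_ip, e1_ip)

def ip_differs_eq(e2_ip, e1_ip):
    """As recommended: NOT (ip_addr = e1.ip_addr) (exact comparison)."""
    return e2_ip != e1_ip

def find_matches(events, window=timedelta(minutes=30), ip_differs=ip_differs_eq):
    """Return (e1, e2) pairs for `every e1 -> e2`, window measured from e1."""
    parse = lambda ev: datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
    ordered = sorted((ev for ev in events if qualifies(ev)), key=parse)
    matches = []
    for i, e1 in enumerate(ordered):
        for e2 in ordered[i + 1:]:
            if parse(e2) - parse(e1) > window:
                break
            if ip_differs(e2["ip_addr"], e1["ip_addr"]):
                matches.append((e1, e2))
                break  # each e1 instance fires once, on the first qualifying e2
    return matches
```

Run `find_matches(EVENTS)` and `find_matches(EVENTS, ip_differs=ip_differs_like)` side by side: the first returns the 09:05 -> 09:20 pair, the second returns nothing.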