2016-03-05 01:58 PM
Hello,
I have 2 questions about time on ESA:
1. As I understand it, ESA uses the time of the event that comes from the concentrators (the time when the event was received on ESA), not the real event time (event.time field). Can I use the real event time in the correlation process? I mean, can ESA use the field event.time as the time of the received event on ESA if this meta field exists?
2. Some of the default correlation rules have criteria like 3 times for counting events. For example, rules like "Suspicious Privileged User Access Activity". But from Active Directory many identical events can come which will have the same time. Can I have multiple events counted as one if those events have an equal event.time meta field?
2016-03-09 12:21 PM
Hi Alex,
In response to your questions:
1. As I understand it, ESA uses the time of the event that comes from the concentrators (the time when the event was received on ESA), not the real event time (event.time field). Can I use the real event time in the correlation process? I mean, can ESA use the field event.time as the time of the received event on ESA if this meta field exists?
Davide Veneziano wrote the following which might be worth a try:
A customer of ours just pointed me to Esper's "ext_timed" window, which looks interesting for correlating events based not on the ESA time but on the event time: http://www.espertech.com/esper/release-5.2.0/esper-reference/html/epl-views.html#view-win-ext-time-batch
I've tried this simple rule and it loads fine in ESA: select * from Event.win:ext_timed_batch( event_time*1000 , 60 seconds) group by user_dst having count(*) = 2;
Not sure if it would trigger correctly, but I ran a few tests on the EPL tryout website and it seems to do the job.
2. Some of the default correlation rules have criteria like 3 times for counting events. For example, rules like "Suspicious Privileged User Access Activity". But from Active Directory many identical events can come which will have the same time. Can I have multiple events counted as one if those events have an equal event.time meta field?
I would look at why you are getting multiple events for the same time. Do you have an example of the messages and what you are trying to achieve?
2016-03-09 12:57 PM
Thank you for the answers. I will test "ext_timed". Now I have tuned the rule "Suspicious Privileged User Access Activity" like:
select * from Event (....).std:groupwin(user_dst).win:time_length_batch(300 seconds, 3).std:unique(event_time).std:unique(ip_src) group by user_dst having count(*) = 3;
This helps me get the correct result.
About your second remark. I always receive a few events from Microsoft Windows Domain Controllers like Message ID 4672 and others. These messages are identical, but have different "rn" values. For example:
%NICWIN-4-Security_4672_Microsoft-Windows-Security-Auditing: Security,rn=57269188 cid=11244 eid=612,Wed Mar 09 17:31:11 2016,4672,Microsoft-Windows-Security-Auditing,,Audit Success,XXX,Special Logon,,Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1626002472-1445367128-3583509536-2637 Account Name: YYY Account Domain: ZZZ Logon ID: 0x1352F97FC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege
%NICWIN-4-Security_4672_Microsoft-Windows-Security-Auditing: Security,rn=57269191 cid=11244 eid=612,Wed Mar 09 17:31:11 2016,4672,Microsoft-Windows-Security-Auditing,,Audit Success,XXX,Special Logon,,Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1626002472-1445367128-3583509536-2637 Account Name: YYY Account Domain: ZZZ Logon ID: 0x1352F980E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege
I want ESA to count these 2 events as 1, because in reality there was only one action. This applies only to Microsoft Windows...
2016-03-09 02:13 PM
How about trying
select * from Event (....).std:groupwin(user_dst,event_time).std:unique(ip_src) group by user_dst having count(*) = 3;
This will group events with the same user_dst and event_time so that they will only be counted once.
Sent from my iPhone
2016-03-10 01:31 AM
This solution does not work correctly. The correct one is grouping by user_dst and then .std:unique(event_time).
I was confused by a few events from the same time from Microsoft Windows. But today I have learned that these are different events. Those events have different logon IDs.
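To make the distinction the thread ends on concrete, here is an added Python example (not from the thread, and not ESA or Esper code) that parses 4672 messages shaped like the ones quoted above and counts them per user the way std:unique(event_time) versus std:unique(logon_id) would. The sample lines are constructed from the two messages in the thread plus a third with a made-up later timestamp and Logon ID; the field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample messages modelled on the two 4672 lines in the thread:
# the first two share a timestamp but carry different rn and Logon ID values;
# the third (rn, time and Logon ID made up here) is a later, separate logon.
SAMPLE_LOGS = [
    "%NICWIN-4-Security_4672_Microsoft-Windows-Security-Auditing: Security,rn=57269188 cid=11244 eid=612,"
    "Wed Mar 09 17:31:11 2016,4672,Microsoft-Windows-Security-Auditing,,Audit Success,XXX,Special Logon,,"
    "Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1626002472-1445367128-3583509536-2637 "
    "Account Name: YYY Account Domain: ZZZ Logon ID: 0x1352F97FC Privileges: SeSecurityPrivilege SeDebugPrivilege",
    "%NICWIN-4-Security_4672_Microsoft-Windows-Security-Auditing: Security,rn=57269191 cid=11244 eid=612,"
    "Wed Mar 09 17:31:11 2016,4672,Microsoft-Windows-Security-Auditing,,Audit Success,XXX,Special Logon,,"
    "Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1626002472-1445367128-3583509536-2637 "
    "Account Name: YYY Account Domain: ZZZ Logon ID: 0x1352F980E Privileges: SeSecurityPrivilege SeDebugPrivilege",
    "%NICWIN-4-Security_4672_Microsoft-Windows-Security-Auditing: Security,rn=57269205 cid=11244 eid=612,"
    "Wed Mar 09 17:31:40 2016,4672,Microsoft-Windows-Security-Auditing,,Audit Success,XXX,Special Logon,,"
    "Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1626002472-1445367128-3583509536-2637 "
    "Account Name: YYY Account Domain: ZZZ Logon ID: 0x1352F9A10 Privileges: SeSecurityPrivilege SeDebugPrivilege",
]

# One regex per field the rules in the thread key on (names are assumptions).
FIELDS = {
    "rn": r"rn=(\d+)",
    "event_time": r",([A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}),",
    "event_id": r",(\d{4}),Microsoft-Windows-Security-Auditing,",
    "user": r"Account Name: (\S+)",
    "logon_id": r"Logon ID: (0x[0-9A-Fa-f]+)",
}

def parse_event(line):
    """Extract the keyed fields from one NICWIN 4672 message, or None if any is missing."""
    found = {name: re.search(rx, line) for name, rx in FIELDS.items()}
    if not all(found.values()):
        return None
    return {name: m.group(1) for name, m in found.items()}

def distinct_count(events, key_fields):
    """Emulate std:groupwin(user).std:unique(key): per user, count events that differ
    in key_fields; a later event with the same key replaces the earlier one."""
    per_user = defaultdict(dict)
    for ev in events:
        per_user[ev["user"]][tuple(ev[f] for f in key_fields)] = ev
    return {user: len(seen) for user, seen in per_user.items()}

def summarize(lines):
    """Raw count versus the two de-duplication choices discussed in the thread."""
    events = [e for e in map(parse_event, lines) if e]
    return {"raw": len(events),
            "by_event_time": distinct_count(events, ["event_time"]),
            "by_logon_id": distinct_count(events, ["logon_id"])}
```

Run on only the first two lines, by_event_time collapses them to one while by_logon_id keeps both, which is the difference the last post describes.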