This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Help with ESA Rule - Criteria requested vs criteria return mismatch

LBond
New Contributor
New Contributor

‎2024-05-28 12:46 PM

I have been working on a rule for quite some time and have encountered issues when testing. My syntax is all good, but I've found that what I'm looking for in my JSON file does not match my criteria.

I ran an investigation using my criteria (service = 139 AND ip.src exists AND direction = 'lateral') and generated my JSON file from the returned events. When I run my test, no results are returned. 

I tried removing some of the criteria, and found when I remove "service = 139", I had matching results. I looked further into my JSON file and noticed that instead of "service":["139"] it has recorded "service":[SMB"]. I tried changing my syntax to "service = 'SMB'", but I receive the error "Implicit conversion from datatype 'String' to 'Long' is not allowed".

I am stumped as to how to make this test work with my service criteria.

 

Labels:
0 Likes
1 REPLY 1

JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2024-06-24 11:51 AM

@LBond 

I'm surprised that you got the error message about String to Long when you were using SMB in your search. I would expected that error to appear when you were trying to use 139, as that is the long integer compared to the SMB string. Have you tried using the rule builder to see if you can get it to produce the rule you are looking for, or at least create the basis for your rule?

 

 

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.