NetWitness Community

Maciej · ‎2021-04-19

Hi,

tries to create a rule that will be triggered if 2 out of 3 events occur in the given time window.
Valid operation: Event1 -> Event2 -> Event3
Incorrect operation that should generate an alarm: Event1 -> Event3.

The problem with this rule is that events can appear in any random order. (123,132,231,321,312,13.31)
events have a meta that is identical and allows you to select the correct events and a meta indicating which event we are dealing with (1,2 or 3).

Does anyone have any idea how to create this rule?

JoshRandall · ‎2021-04-23

Unfortunately, there's not going to be a simple and easy alert for this. The fact that we need to trigger when only 2 of the 3 events arrive means we cannot use MATCH_RECOGNIZE (and specifically the MATCH_RECOGNIZE_PERMUTE function, which could have saved a lot of complexity in this rule: http://esper.espertech.com/release-7.1.0/esper-reference/html/match-recognize.html#match-recognize-patternops-permutation).

The best way I can think to do this is to create each variation of the event sequence you're looking for in the rule:

Event1 followedBy Event2 notFollowedBy Event3
Event1 followedBy Event3 notFollowedBy Event2
Event2 followedBy Event1 notFollowedBy Event3
Event2 followedBy Event3 notFollowedBy Event1
Event3 followedBy Event2 notFollowedBy Event1
Event3 followedBy Event1 notFollowedBy Event2

For example:

@RSAAlert
@Name('Event1 followedBy Event2 notFollowedBy Event3')
SELECT * FROM PATTERN [ 
    every-distinct(user_dst, 5 Minutes)
    /* Statement: event 1 */
     e1=Event(device_type IN ( 'windows' ) AND ec_activity IN ('logon') AND user_dst IS NOT NULL )
    ->
    (
    /* Statement: event 2 */
     e2=Event(device_type IN ( 'windows' ) AND ec_activity IN ('logoff') AND user_dst IS NOT NULL AND user_dst=e1.user_dst)
where timer:within(5 Minutes)
    ->
    /* Statement: event 3 */
    timer:interval(5 Minutes) AND NOT
     e3=Event(device_type IN ( 'windows' ) AND ec_activity IN ('modify') AND user_dst IS NOT NULL AND user_dst=e2.user_dst)
    
    )
];

@RSAAlert
@Name('Event1 followedBy Event3 notFollowedBy Event2')
SELECT * FROM PATTERN [ 
    every-distinct(user_dst, 5 Minutes)
    /* Statement: event 1 */
     e1=Event(device_type IN ( 'windows' ) AND ec_activity IN ('logon') AND user_dst IS NOT NULL )
    ->
    (
    /* Statement: event 3 */
     e2=Event(device_type IN ( 'windows' ) AND ec_activity IN ('modify') AND user_dst IS NOT NULL AND user_dst=e1.user_dst)
where timer:within(5 Minutes)
    ->
    /* Statement: event 2 */
    timer:interval(5 Minutes) AND NOT
     e3=Event(device_type IN ( 'windows' ) AND ec_activity IN ('logoff') AND user_dst IS NOT NULL AND user_dst=e2.user_dst)
    
    )
];

...and simply keep adding each variation to the rule until you have them all.

Mr. Mongo

View solution in original post

JoshRandall · ‎2021-04-23

Unfortunately, there's not going to be a simple and easy alert for this. The fact that we need to trigger when only 2 of the 3 events arrive means we cannot use MATCH_RECOGNIZE (and specifically the MATCH_RECOGNIZE_PERMUTE function, which could have saved a lot of complexity in this rule: http://esper.espertech.com/release-7.1.0/esper-reference/html/match-recognize.html#match-recognize-patternops-permutation).

The best way I can think to do this is to create each variation of the event sequence you're looking for in the rule:

Event1 followedBy Event2 notFollowedBy Event3
Event1 followedBy Event3 notFollowedBy Event2
Event2 followedBy Event1 notFollowedBy Event3
Event2 followedBy Event3 notFollowedBy Event1
Event3 followedBy Event2 notFollowedBy Event1
Event3 followedBy Event1 notFollowedBy Event2

For example:

@RSAAlert
@Name('Event1 followedBy Event2 notFollowedBy Event3')
SELECT * FROM PATTERN [ 
    every-distinct(user_dst, 5 Minutes)
    /* Statement: event 1 */
     e1=Event(device_type IN ( 'windows' ) AND ec_activity IN ('logon') AND user_dst IS NOT NULL )
    ->
    (
    /* Statement: event 2 */
     e2=Event(device_type IN ( 'windows' ) AND ec_activity IN ('logoff') AND user_dst IS NOT NULL AND user_dst=e1.user_dst)
where timer:within(5 Minutes)
    ->
    /* Statement: event 3 */
    timer:interval(5 Minutes) AND NOT
     e3=Event(device_type IN ( 'windows' ) AND ec_activity IN ('modify') AND user_dst IS NOT NULL AND user_dst=e2.user_dst)
    
    )
];

@RSAAlert
@Name('Event1 followedBy Event3 notFollowedBy Event2')
SELECT * FROM PATTERN [ 
    every-distinct(user_dst, 5 Minutes)
    /* Statement: event 1 */
     e1=Event(device_type IN ( 'windows' ) AND ec_activity IN ('logon') AND user_dst IS NOT NULL )
    ->
    (
    /* Statement: event 3 */
     e2=Event(device_type IN ( 'windows' ) AND ec_activity IN ('modify') AND user_dst IS NOT NULL AND user_dst=e1.user_dst)
where timer:within(5 Minutes)
    ->
    /* Statement: event 2 */
    timer:interval(5 Minutes) AND NOT
     e3=Event(device_type IN ( 'windows' ) AND ec_activity IN ('logoff') AND user_dst IS NOT NULL AND user_dst=e2.user_dst)
    
    )
];

...and simply keep adding each variation to the rule until you have them all.

Mr. Mongo

Maciej · ‎2021-04-27

thank you for your help but I found a simpler solution.

@RSAAlert()
SELECT * FROM Event(
( device_type IN ( 'xxx' ) AND
(isOneOfIgnoreCase(action,{ 'aaa' }))

)OR
( device_type IN ( 'xxx' ) AND
(isOneOfIgnoreCase(action,{ 'bbbl' }))

) OR
( device_type IN ( 'xxx' ) AND
(isOneOfIgnoreCase(action,{ 'ccc' }))

)
).std:groupwin(user_dst,ip_src)
.win:time_batch(1 min)
GROUP BY user_dst,ip_src
HAVING COUNT(*) < 3

JoshRandall · ‎2021-04-30

Excellent! I like your solution much better.

Mr. Mongo

NetWitness Community

How to create a rule that correlates 3 incoming events in any order ?