NetWitness Community

AhmadJabr1 · ‎2021-03-07

Hello Guys

i have copied the "Multiple Failed Logons from Same Source IP with Unique Usernames" ESA rule to drop some IP destinations,

and its working fine with dropping the IP Destinations but now its get triggered even if there is one event

all the changed are in Bold

VVV the rule code below VVV

SELECT * FROM
Event(
(ip_src NOT IN ('x.x.x.x'))
AND
medium = 32
AND
ec_activity = 'Logon'
AND
ec_theme = 'Authentication'
AND
ec_outcome = 'Failure'
AND
(ip_src IS NOT NULL OR device_ip IS NOT NULL)
AND
user_dst IS NOT NULL
).std:groupwin(ip_src, device_ip,user_dst).win:time_length_batch(180 seconds,7).std:unique(user_dst) GROUP BY ip_src, device_ip HAVING COUNT(*) = 7;

EduCarbonell · ‎2021-07-22

Hi Ahmad,

If you want to detect 7 login failures from the same user then your syntax is almost right, you just need to remove the unique clause:

SELECT * FROM
Event(
(ip_src NOT IN ('x.x.x.x'))
AND
medium = 32
AND
ec_activity = 'Logon'
AND
ec_theme = 'Authentication'
AND
ec_outcome = 'Failure'
AND
(ip_src IS NOT NULL OR device_ip IS NOT NULL)
AND
user_dst IS NOT NULL
).std:groupwin(ip_src, device_ip, user_dst)
.win:time_length_batch(180 seconds, 7) 
GROUP BY ip_src, device_ip, user_dst 
HAVING COUNT(*) = 7;

But in that case the name of the rule should no longer be:

"Multiple Failed Logons from Same Source IP with Unique Usernames"

It should be:

"Multiple Failed Logons from Same Source IP with Same Username"

NetWitness Community

Issue with ESA Rule correlation