2015-07-29 01:14 PM
Currently using Security Analytics 10.4
I'm running a daily report on password changes by non-owner, i.e., user changes a different user's password.
The predicate clause is:
alert.id = 'account:modified' && category = 'user account management' && device.type = 'winevent_nic' && user.src != user.dst
However, the last predicate doesn't do anything to remove accounts where user.src & user.dst are identical. There are still a large number of rows (almost all of them) where the user is changing their own password.
Anyone have any insight here? I've got a decent background in SQL and query syntax, but using the reporting engine makes me want to scream most days.
2015-08-20 03:02 PM
I've finally managed to get this working properly; the final bits that were causing problems were all related to how metadata is being created in our particular implementation.
Note: This data is possibly only relevant to our installation.
I created a new APP RULE to populate Alert.ID with "password:modified" whenever:
(ec.theme = 'password' && ec.subject='password' && ec.activity = 'Modify') || (event.cat.name='user.management.password.modifications')
I've also started filtering Security^(4738) from the incoming logs. The reason for the filtering is that changing the password was creating reference.id = 4738 log records whenever the password change was replicated across DCs; these logs were obscuring the "real" data.
I also modified the Lua parser just a bit to simplify it; any reduced effort on the part of a parser is probably a good thing. Since I'm now looking for the custom Alert.ID I specified, I can reduce the number of fields required for a match and reduce the number of callbacks, etc.
The final Lua parser is shown below.
-- Tags a session with alert meta when a password is changed by someone other than the account owner.
local pwchange = nw.createParser("password_change", "password change by non-owner")

pwchange:setKeys({
    nwlanguagekey.create("alert"),
})

-- Per-session scratch state; declared local so it does not leak into other parsers' global scope.
local metaTable

function pwchange:sessionBegin()
    metaTable = {
        ["alertID"] = {},
        ["userSrc"] = {},
        ["userDst"] = {},
        ["alerted"] = false,  -- guard so the alert meta is written only once per session
    }
end

-- Called after every registered callback. Once the custom alert.id has been seen,
-- look for any user.dst value that differs from any user.src value (a session can
-- carry several values for each key, which is why sets are compared rather than one pair).
function pwchange:checkMeta()
    if metaTable.alerted or not metaTable.alertID["password:modified"] then
        return
    end
    for changee in pairs(metaTable.userDst) do
        for changeBy in pairs(metaTable.userSrc) do
            if changee ~= changeBy then
                nw.createMeta(self.keys.alert, "password change by non-owner")
                metaTable.alerted = true
                return
            end
        end
    end
end

function pwchange:alertID(idx, vlu)
    metaTable.alertID[vlu] = true
    self:checkMeta()
end

function pwchange:userSrc(idx, vlu)
    metaTable.userSrc[vlu] = true
    self:checkMeta()
end

function pwchange:userDst(idx, vlu)
    metaTable.userDst[vlu] = true
    self:checkMeta()
end

pwchange:setCallbacks({
    [nwevents.OnSessionBegin] = pwchange.sessionBegin,
    [nwlanguagekey.create("alert.id", nwtypes.Text)] = pwchange.alertID,
    [nwlanguagekey.create("user.src", nwtypes.Text)] = pwchange.userSrc,
    [nwlanguagekey.create("user.dst", nwtypes.Text)] = pwchange.userDst,
})
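The following is an added example, not part of the thread and not NetWitness code: a stand-alone Python model of the detection logic the poster ended up with (the app rule that derives the custom alert.id, the 4738 replication filter, and the per-session set-based comparison the Lua parser performs), so the behaviour can be exercised offline. It assumes, as the parser's use of per-session sets implies, that one session can carry several values for user.src and user.dst, which is why a single `user.src != user.dst` comparison is not enough. The usernames, meta records and session layouts are constructed sample data; the field names and values come from the thread.

```python
# Added example (not from the thread): Python model of the posted app rule, the
# reference.id 4738 pre-filter, and the Lua parser's per-session logic.
# All usernames, records and sessions below are constructed sample data.
from typing import Dict, List, Optional, Sequence, Tuple

PASSWORD_MODIFIED = "password:modified"
ALERT_TEXT = "password change by non-owner"
REPLICATION_REF_ID = "4738"  # reference.id the poster filters out of incoming logs


def app_rule_alert_id(meta: Dict[str, str]) -> Optional[str]:
    """Mirror of the posted app rule: return the custom alert.id when either
    the ec.* triple or the event.cat.name condition matches."""
    ec_match = (
        meta.get("ec.theme") == "password"
        and meta.get("ec.subject") == "password"
        and meta.get("ec.activity") == "Modify"
    )
    cat_match = meta.get("event.cat.name") == "user.management.password.modifications"
    return PASSWORD_MODIFIED if ec_match or cat_match else None


def is_replication_noise(meta: Dict[str, str]) -> bool:
    """Records the poster drops before parsing: the 4738 entries written when
    the password change is replicated between domain controllers."""
    return meta.get("reference.id") == REPLICATION_REF_ID


class PasswordChangeParser:
    """Same state machine as the Lua parser: a set of values per key, checked
    after every callback, with the alert written at most once per session."""

    def session_begin(self) -> None:
        self.alert_id: set = set()
        self.user_src: set = set()
        self.user_dst: set = set()
        self.alerts: List[str] = []

    def on_meta(self, key: str, value: str) -> None:
        slot = {"alert.id": self.alert_id, "user.src": self.user_src,
                "user.dst": self.user_dst}.get(key)
        if slot is None:
            return  # keys the parser registered no callback for
        slot.add(value)
        self.check_meta()

    def check_meta(self) -> None:
        if self.alerts or PASSWORD_MODIFIED not in self.alert_id:
            return
        # Cross-product exactly as in the Lua: any dst value differing from any src value
        for changee in self.user_dst:
            for change_by in self.user_src:
                if changee != change_by:
                    self.alerts.append(ALERT_TEXT)
                    return


def evaluate_session(callbacks: Sequence[Tuple[str, str]]) -> List[str]:
    """Feed (key, value) callbacks in arrival order; return the alert meta created."""
    parser = PasswordChangeParser()
    parser.session_begin()
    for key, value in callbacks:
        parser.on_meta(key, value)
    return parser.alerts


def evaluate_logs(records: Sequence[Dict[str, str]]) -> List[str]:
    """End to end for one session: drop replication noise, derive alert.id with
    the app rule, then run the parser over the remaining meta."""
    callbacks: List[Tuple[str, str]] = []
    for rec in records:
        if is_replication_noise(rec):
            continue
        alert_id = app_rule_alert_id(rec)
        if alert_id:
            callbacks.append(("alert.id", alert_id))
        for key in ("user.src", "user.dst"):
            if key in rec:
                callbacks.append((key, rec[key]))
    return evaluate_session(callbacks)


# Constructed sample sessions: a user changing their own password, and a reset by someone else
SELF_CHANGE = [("user.src", "alice"), ("user.dst", "alice"), ("alert.id", PASSWORD_MODIFIED)]
ADMIN_RESET = [("alert.id", PASSWORD_MODIFIED), ("user.src", "helpdesk1"), ("user.dst", "bob")]

if __name__ == "__main__":
    print(evaluate_session(SELF_CHANGE))  # []
    print(evaluate_session(ADMIN_RESET))  # ['password change by non-owner']
```

Because `check_meta` runs after every callback, the order in which alert.id, user.src and user.dst arrive does not matter, and a session that first looks like a self-change (alice changing alice) is still flagged once a second, differing user.dst value turns up, which is the case the single predicate in the report could not express.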