2018-05-02 11:13 AM
I have created the following ESA rule to detect whenever a user log on into a windows machine and then logs into other system (called Stealth) with another username within a period of 600 seconds. The rule works fine, but I missed something, the rule triggers even if the user logoff the machine and other user login.
I think the rule logic maybe something like:
Event A: User Logon
Event B: User Logoff
Event C: Other User log on to Stealth from the same IP.
And the pattern may be something like: A followed by C but only if B don't occurs before C
My current rule is:
module Module_00029252f2806281d24e2073;
/*
Stealth - Login desde la misma IP con distinto usuario
*/
@Name('Module_00029252f2806281d24e2073_Alert')
@Description('Alerta para usario compartido en Stealth')
@RSAAlert(oneInSeconds=0)
SELECT * FROM
PATTERN
@SuppressOverlappingMatches
[
EVERY a = Event(
device_type .toLowerCase() IN ('winevent_nic')
AND
ec_activity .toLowerCase() IN ('logon')
AND
ip_src IS NOT NULL
AND
user_dst .toLowerCase() NOT LIKE '%$'
AND
user_dst.toLowerCase() NOT LIKE 'fact%'
AND
user_dst .toLowerCase() NOT IN ('rsa_dlp','anonymous logon')
/* Agregado Maximiliano Cittadini - 6-SEP-17 evita usuarios de servicio en Windows*/
AND
ec_outcome .toLowerCase() IN ('success'))
-> b = Event(
device_type .toLowerCase() IN ('stealth')
AND
b.user_dst .toLowerCase () NOT IN ('monstealth_2')
AND
b.user_dst .toLowerCase() NOT LIKE 'fact%'
/* Agregado Maximiliano Cittadini - 8-SEP-17 evita usuarios de servicio en Stealth */
AND
result_code .toLowerCase() IN ('ok')
AND
b.user_dst .toLowerCase() != a.user_dst .toLowerCase()
AND
a.ip_src = b.ip_addr
AND
a.user_dst .toLowerCase() != b.user_dst .toLowerCase () || 'c'
/* Agregado Maximiliano Cittadini - 6-SEP-17 evita casos de usuarios
con el mismo nombre con la letra c agregada, por ejemplo:
USUARIO y USUARIOC */
)
where timer:within(600 seconds)
/* Modificacion Maximiliano Cittadini - 14-SEP-17 se cambia ventana de 3600 segundos a 120 segundos */
/* Modificacion Maximiliano Cittadini - 19-SEP-17 se cambia ventana de 120 segundos a 600 segundos */
];
Could someone help me with this?
Regards,
Max
2018-05-04 01:21 PM
Just in case that someone else has the same question, I've done the following rule:
module Module_00029252f2806281d24e2074;
/*
Stealth - Login desde la misma IP con distinto usuario
*/
@Name('Module_00029252f2806281d24e2074_Alert')
@Description('Alerta para usario compartido en Stealth')
@RSAAlert(oneInSeconds=0)
SELECT * FROM PATTERN
@SuppressOverlappingMatches
[
EVERY ( a = Event(
device_type .toLowerCase() IN ('winevent_nic')
AND
ec_activity .toLowerCase() IN ('logon')
AND
ip_src IS NOT NULL
AND
user_dst .toLowerCase() NOT LIKE '%$'
AND
user_dst.toLowerCase() NOT LIKE 'fact%'
AND
user_dst .toLowerCase() NOT IN ('rsa_dlp','anonymous logon')
AND
ec_outcome .toLowerCase() IN ('success'))
-> b = Event(
device_type .toLowerCase() IN ('stealth')
AND
b.user_dst .toLowerCase () NOT IN ('monstealth_2')
AND
b.user_dst .toLowerCase() NOT LIKE 'fact%'
AND
result_code .toLowerCase() IN ('ok')
AND
b.user_dst .toLowerCase() != a.user_dst .toLowerCase()
AND
a.ip_src = b.ip_addr
AND
a.user_dst .toLowerCase() != b.user_dst .toLowerCase () || 'c'
)
AND NOT Event (
ec_activity .toLowerCase() IN ('logoff')
AND
user_dst .toLowerCase()= a.user_dst .toLowerCase()
AND
device_type .toLowerCase() IN ('winevent_nic')
)
)
];
2018-05-04 01:21 PM
Just in case that someone else has the same question, I've done the following rule:
module Module_00029252f2806281d24e2074;
/*
Stealth - Login desde la misma IP con distinto usuario
*/
@Name('Module_00029252f2806281d24e2074_Alert')
@Description('Alerta para usario compartido en Stealth')
@RSAAlert(oneInSeconds=0)
SELECT * FROM PATTERN
@SuppressOverlappingMatches
[
EVERY ( a = Event(
device_type .toLowerCase() IN ('winevent_nic')
AND
ec_activity .toLowerCase() IN ('logon')
AND
ip_src IS NOT NULL
AND
user_dst .toLowerCase() NOT LIKE '%$'
AND
user_dst.toLowerCase() NOT LIKE 'fact%'
AND
user_dst .toLowerCase() NOT IN ('rsa_dlp','anonymous logon')
AND
ec_outcome .toLowerCase() IN ('success'))
-> b = Event(
device_type .toLowerCase() IN ('stealth')
AND
b.user_dst .toLowerCase () NOT IN ('monstealth_2')
AND
b.user_dst .toLowerCase() NOT LIKE 'fact%'
AND
result_code .toLowerCase() IN ('ok')
AND
b.user_dst .toLowerCase() != a.user_dst .toLowerCase()
AND
a.ip_src = b.ip_addr
AND
a.user_dst .toLowerCase() != b.user_dst .toLowerCase () || 'c'
)
AND NOT Event (
ec_activity .toLowerCase() IN ('logoff')
AND
user_dst .toLowerCase()= a.user_dst .toLowerCase()
AND
device_type .toLowerCase() IN ('winevent_nic')
)
)
];