This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Question about ESA Rule

Go to solution
MaximilianoCitt
Frequent Contributor
Frequent Contributor

‎2018-05-02 11:13 AM

I have created the following ESA rule to detect whenever a user log on into a windows machine and then logs into other system (called Stealth) with another username within a period of 600 seconds. The rule works fine, but I missed something, the rule triggers even if the user logoff the machine and other user login.

I think the rule logic maybe something like:

Event A: User Logon

Event B: User Logoff

Event C: Other User log on to Stealth from the same IP.

And the pattern may be something like: A followed by C but only if B don't occurs before C

My current rule is:

module Module_00029252f2806281d24e2073;
/* 
Stealth - Login desde la misma IP con distinto usuario
*/
@Name('Module_00029252f2806281d24e2073_Alert')
@Description('Alerta para usario compartido en Stealth')
@RSAAlert(oneInSeconds=0)

SELECT * FROM
     PATTERN
     @SuppressOverlappingMatches
     [
          EVERY a = Event(
                         device_type .toLowerCase() IN ('winevent_nic')
                         AND
                         ec_activity .toLowerCase() IN ('logon')
                         AND
                         ip_src IS NOT NULL
                         AND
                         user_dst .toLowerCase() NOT LIKE '%$'
                         AND
                         user_dst.toLowerCase() NOT LIKE 'fact%'
                         AND 
                         user_dst .toLowerCase() NOT IN ('rsa_dlp','anonymous logon')
                         /* Agregado Maximiliano Cittadini - 6-SEP-17 evita usuarios de servicio en Windows*/
                         AND
                         ec_outcome .toLowerCase() IN ('success'))
               -> b = Event(
                         device_type .toLowerCase() IN ('stealth')
                         AND
                         b.user_dst .toLowerCase () NOT IN ('monstealth_2')
                         AND
                         b.user_dst .toLowerCase() NOT LIKE 'fact%'
                         /* Agregado Maximiliano Cittadini - 8-SEP-17 evita usuarios de servicio en Stealth */
                         AND
                         result_code .toLowerCase() IN ('ok')
                         AND 
                         b.user_dst .toLowerCase() != a.user_dst .toLowerCase()
                         AND
                         a.ip_src = b.ip_addr
                         AND
                         a.user_dst .toLowerCase() != b.user_dst .toLowerCase () || 'c'
                         /* Agregado Maximiliano Cittadini - 6-SEP-17 evita casos de usuarios
                         con el mismo nombre con la letra c agregada, por ejemplo:
                         USUARIO y USUARIOC */
                         )
               where timer:within(600 seconds)
     /* Modificacion Maximiliano Cittadini - 14-SEP-17 se cambia ventana de 3600 segundos a 120 segundos */
    /* Modificacion Maximiliano Cittadini - 19-SEP-17 se cambia ventana de 120 segundos a 600 segundos */
     ];‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

 

Could someone help me with this?

Regards,

Max

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
MaximilianoCitt
Frequent Contributor
Frequent Contributor

‎2018-05-04 01:21 PM

Just in case that someone else has the same question, I've done the following rule:

module Module_00029252f2806281d24e2074;
/* 
Stealth - Login desde la misma IP con distinto usuario
*/
@Name('Module_00029252f2806281d24e2074_Alert')
@Description('Alerta para usario compartido en Stealth')
@RSAAlert(oneInSeconds=0)
SELECT * FROM PATTERN
@SuppressOverlappingMatches
     [
          EVERY ( a = Event(
                         device_type .toLowerCase() IN ('winevent_nic')
                         AND
                         ec_activity .toLowerCase() IN ('logon')
                         AND
                         ip_src IS NOT NULL
                         AND
                         user_dst .toLowerCase() NOT LIKE '%$'
                         AND
                         user_dst.toLowerCase() NOT LIKE 'fact%'
                         AND 
                         user_dst .toLowerCase() NOT IN ('rsa_dlp','anonymous logon')
                         AND
                         ec_outcome .toLowerCase() IN ('success'))
               ->  b = Event(
                         device_type .toLowerCase() IN ('stealth')
                         AND
                         b.user_dst .toLowerCase () NOT IN ('monstealth_2')
                         AND
                         b.user_dst .toLowerCase() NOT LIKE 'fact%'
                         AND
                         result_code .toLowerCase() IN ('ok')
                         AND 
                         b.user_dst .toLowerCase() != a.user_dst .toLowerCase()
                         AND
                         a.ip_src = b.ip_addr
                         AND
                         a.user_dst .toLowerCase() != b.user_dst .toLowerCase () || 'c'
                         ) 
          AND NOT Event (
                         ec_activity .toLowerCase() IN ('logoff')
                         AND
                         user_dst .toLowerCase()= a.user_dst .toLowerCase()
                         AND
                         device_type .toLowerCase() IN ('winevent_nic')
                         )
               
          )
     ];

View solution in original post

0 Likes
1 REPLY 1

Go to solution
MaximilianoCitt
Frequent Contributor
Frequent Contributor

‎2018-05-04 01:21 PM

Just in case that someone else has the same question, I've done the following rule:

module Module_00029252f2806281d24e2074;
/* 
Stealth - Login desde la misma IP con distinto usuario
*/
@Name('Module_00029252f2806281d24e2074_Alert')
@Description('Alerta para usario compartido en Stealth')
@RSAAlert(oneInSeconds=0)
SELECT * FROM PATTERN
@SuppressOverlappingMatches
     [
          EVERY ( a = Event(
                         device_type .toLowerCase() IN ('winevent_nic')
                         AND
                         ec_activity .toLowerCase() IN ('logon')
                         AND
                         ip_src IS NOT NULL
                         AND
                         user_dst .toLowerCase() NOT LIKE '%$'
                         AND
                         user_dst.toLowerCase() NOT LIKE 'fact%'
                         AND 
                         user_dst .toLowerCase() NOT IN ('rsa_dlp','anonymous logon')
                         AND
                         ec_outcome .toLowerCase() IN ('success'))
               ->  b = Event(
                         device_type .toLowerCase() IN ('stealth')
                         AND
                         b.user_dst .toLowerCase () NOT IN ('monstealth_2')
                         AND
                         b.user_dst .toLowerCase() NOT LIKE 'fact%'
                         AND
                         result_code .toLowerCase() IN ('ok')
                         AND 
                         b.user_dst .toLowerCase() != a.user_dst .toLowerCase()
                         AND
                         a.ip_src = b.ip_addr
                         AND
                         a.user_dst .toLowerCase() != b.user_dst .toLowerCase () || 'c'
                         ) 
          AND NOT Event (
                         ec_activity .toLowerCase() IN ('logoff')
                         AND
                         user_dst .toLowerCase()= a.user_dst .toLowerCase()
                         AND
                         device_type .toLowerCase() IN ('winevent_nic')
                         )
               
          )
     ];
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.