2018-03-14 07:36 AM
Hello,
We have an incident rule to check the logins across multiple servers but we need to remove a specific user or specific login, an Exchange Health Mailbox. Does anyone know how I can remove its appearance?
This is how we have the rule:
But it still gives us the logins from HealthMailbox.
Many Thanks
2018-03-14 09:04 AM
j2iBRTJCUKR3JAh2yPVOkmdUKjcLBNaD4eYHhgvfjBM=,
I've moved your question to the https://community.rsa.com/community/products/netwitness?sr=search&searchId=3e870f61-7737-4c57-9001-4bbd300d1981&searchIndex=0 space so you can get an answer from one of our support engineers or customers who have faced a similar issue.
In the future please be sure to post your https://community.rsa.com/community/products/netwitness?sr=search&searchId=f84bb421-721f-4c5c-9972-3c328bb2e7a7&searchIndex=0-specific questions to this forum.
Regards,
Erica
2018-03-16 06:04 AM
Hello Erica,
Thanks, but I can't find the question in RSA Netwitness Suite....
2018-03-19 09:06 AM
Does anyone know how to do this?
2018-03-22 04:14 AM
Hello Renato,
To remove a specific user you need to edit the 'Logins across Multiple Servers' rule (create a new advanced EPL rule) and add
user_dst NOT IN ('user to remove').
For example:
/*
Version: 2
*/
module Module_esa000111;
@Name('Module_esa000111_Alert')
@Description('Detects logins from the same user across 3 or more separate servers within 5 minutes. The time window and number of unique destinations are configurable.')
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
SELECT * FROM
Event(
ec_activity='Logon'
AND
ip_dst IS NOT NULL
AND
user_dst IS NOT NULL
AND
user_dst NOT IN ('HealthMailbox')
).std:groupwin(user_dst).win:time_length_batch(300 seconds, 3).std:unique(ip_dst) group by user_dst having count(*) = 3;
@Name('Module_esa000111_Alert')
@Description('Detects logins from the same user across 3 or more separate servers within 5 minutes. The time window and number of unique destinations are configurable.')
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
SELECT * FROM
Event(
ec_activity='Logon'
AND
host_dst IS NOT NULL
AND
user_dst IS NOT NULL
AND
user_dst NOT IN ('HealthMailbox')
).std:groupwin(user_dst).win:time_length_batch(300 seconds, 3).std:unique(host_dst) group by user_dst having count(*) = 3;
2018-03-22 08:02 AM
Hello Roberto,
is there a way to do this, but using a list of users? E.g. "user_dst NOT IN ('{SOME_POINTER_TO_A_LIST}')"
The idea is not having to refresh the rule every time we need an exclusion, but just updating some list (whitelist?).
Thank you for your help!
Kind Regards,
Pedro Queirós
2018-03-26 06:10 AM
Sure, you have to configure an in-memory table (Alerting: Configure In-Memory Table as Enrichment Source) and you will have to change the rule:
@UsesEnrichment(name= 'SOME_POINTER_TO_A_LIST')
@Name('Module_esa000111_Alert')
@Description('Detects logins from the same user across 3 or more separate servers within 5 minutes. The time window and number of unique destinations are configurable.')
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
SELECT * FROM
Event(
ec_activity='Logon'
AND
host_dst IS NOT NULL
AND
user_dst IS NOT NULL
AND NOT EXISTS
( SELECT * FROM SOME_POINTER_TO_A_LIST
WHERE ( Event.user_dst = Username )
).std:groupwin(user_dst).win:time_length_batch(300 seconds, 3).std:unique(host_dst) group by user_dst having count(*) = 3;