
NetWitness Discussions
Seeking the knowledge of the ESA gurus

KeithDixon (Beginner)

2015-08-25 03:47 PM

I am having some challenges (the nicest way to say it publicly) with ESA and thought it was time to ask the gurus and experts here.

I have created a total of 2 successful rules (basic rules mind you).

  • device_type is "AV device type"/"network based malware detection device type"
  • alert is meta1 (both rules fire with this same alert condition)

So, I try to configure an ESA alert for HIPS (same vendor as AV). I am unsuccessful at this.

Round 2, seemingly brilliant idea is born: follow the same logic as the current two working rules (device_type is and alert is..). It worked for the two successfully, right?

(Wrong btw)

I create an application rule to alert on the Alert meta, rule name "HIPS event".
I let this soak for a while and I can run a query in Investigation and under the Alert meta, I can see "hips event" (don't get me started on the case sensitivity issue). Ok, great. I'm on my way to saying "I have created 3 successful ESA alerts".

So I got from Mr. AV Vendor's website a file I can run similar to the EICAR file to test the HIPS functionality. I create the new HIPS ESA rule:

  • device_type is "AV device type" (HIPS events come in under this same device_type)
  • alert is "hips alert"

Run test file.

Nothing

It took me a while to realize "hips alert" and "HIPS alert" in the eyes of ESA are two different things. So, I discover this last night thinking I have truly discovered the ultimate secret and resolution to my headaches.

I make the change... I sync the change.

Same. result.

Nothing. (ESA alert, but the application rule created the desired alert name successfully "working as designed")

So.... what am I doing wrong?

Labels: Community Thread, Discussion, ESA, Esper, Forum Thread, NetWitness, NW, NWP, RSA NetWitness, RSA NetWitness Platform, security_analytics

3 Replies

YohannLepage (Beginner)

2015-08-26 02:28 AM

Could you c/c the rule in EPL?

KeithDixon (Beginner), in response to YohannLepage

2015-08-26 09:23 AM

  • Application_rule_A - Works flawlessly.
    • Building additional queries based off of "alert = Application_rule_A" has worked very successfully.
  • Application_rule_B - Works flawlessly.
    • This was my attempt to take a working query that provides solid data return
    • This was also to use the same concept where I could get the first 2 ESA rules working and triggering as expected and desired and use the same logic.
      • I tried an ESA simple rule based on the "Application_rule_B" logic to absolutely no success whatsoever.

Application rules:

Application_rule_A = "device.class='anti virus' && (event.cat='1003050000','1003040000','1003030000','1003020000','1003010000','1003000000' || event.cat.name begins 'Attacks.Malicious Code.')"

Application_rule_B = "device.type = AV_logsource && event.cat.name = 'attacks.malicious code.virus' && virusname !exists && event.desc != 'Potential risk found'"


ESA rules:

In "simple rule" format:

This one works successfully (first one):

If all conditions are met

| Meta key | Evaluation type | Value | Is value an array |
|---|---|---|---|
| device_type | is one of | AV_logsource | No |
| alert | is one of | Application_rule_A | No |

This one works successfully (second one):

If all conditions are met

| Meta key | Evaluation type | Value | Is value an array |
|---|---|---|---|
| device_type | is one of | Other_logsource | No |
| alert | is one of | Application_rule_A | No |

This one is the one that doesn't work and in every way possible, I cannot understand why:

If all conditions are met

| Meta key | Evaluation type | Value | Is value an array |
|---|---|---|---|
| device_type | is one of | AV_logsource | No |
| alert | is one of | Application_rule_B | No |


UPDATED EDIT

To remove one small doubt I had, I'm going to edit the "Application_rule_B" to this:

Application_rule_B = "device.class='anti virus' && event.cat.name = 'attacks.malicious code.virus' && virusname !exists && event.desc != 'Potential risk found'"

I've got a test file that should initiate the application rule to fire at least.

KeithDixon (Beginner), in response to KeithDixon

2015-08-26 03:39 PM

UPDATE # 2

  • Application rule updated to this:
    • device.class='anti virus' && event.cat.name = 'attacks.malicious code.virus' && virusname !exists && event.desc != 'Potential risk found'
  • Application rule works successfully
  • It populates the Alert meta with the desired value
  • I stopped and restarted logdecoder service as well (when in doubt)

So, time for an ESA test, right?

Application_rule_B =

  • device.class='anti virus' && event.cat.name = 'attacks.malicious code.virus' && virusname !exists && event.desc != 'Potential risk found'

ESA rule =

If all conditions are met

| Meta key | Evaluation type | Value | Is value an array |
|---|---|---|---|
| device_type | is one of | AV_logsource | No |
| alert | is one of | Application_rule_B | No |


Test results?

  • Zip
  • zero
  • zilch
  • nada
  • nothing
  • goose egg
  • snake eyes
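The thread turns on two things the "simple rule" tables above make visible: every row is ANDed ("If all conditions are met"), each row is an exact "is one of" string comparison (so, as the opening post found, "hips alert" and "HIPS alert" are different values), and each row carries an "Is value an array" flag. The following simulation is an added example written for this page; it is not NetWitness, Esper or EPL code and does not reproduce the real ESA engine. The `Condition` class, the constructed sample events, the case-folding switch, and the assumption that a condition declared non-array compares the meta as a single scalar (so a multi-valued meta never equals a string) are all constructions here, not facts from the thread.

```python
"""Simulation of ESA 'simple rule' matching for the conditions in this thread.

Added example; not NetWitness, Esper or EPL code. Condition, the sample
events and the case_insensitive switch are constructions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    """One row of the 'simple rule' table: Meta key / 'is one of' Value(s) / Is value an array."""
    meta_key: str
    values: tuple
    is_array: bool = False


def _fold(value, case_insensitive):
    return value.lower() if case_insensitive else value


def condition_matches(cond, event, case_insensitive=False):
    """Evaluate one 'is one of' row against one meta event.

    Exact, case-sensitive comparison is the default, which is what the
    original poster ran into ('hips alert' != 'HIPS alert').
    Assumption of this simulation: a row declared non-array compares the meta
    as a single scalar, so a multi-valued meta never equals a plain string.
    """
    if cond.meta_key not in event:
        return False
    present = event[cond.meta_key]
    wanted = {_fold(v, case_insensitive) for v in cond.values}
    if cond.is_array:
        items = present if isinstance(present, (list, tuple)) else [present]
        return any(_fold(p, case_insensitive) in wanted for p in items)
    if isinstance(present, (list, tuple)):
        return False
    return _fold(present, case_insensitive) in wanted


def rule_fires(conditions, event, case_insensitive=False):
    """'If all conditions are met': AND across every row."""
    return all(condition_matches(c, event, case_insensitive) for c in conditions)


def matching_ids(conditions, events, case_insensitive=False):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if rule_fires(conditions, e, case_insensitive)]


# Constructed events (not captured data): 'alert' may carry more than one
# value when several application rules tag the same session; case varies
# the way the thread describes.
SAMPLE_EVENTS = [
    {"id": 1, "device_type": "AV_logsource", "alert": "Application_rule_A"},
    {"id": 2, "device_type": "AV_logsource", "alert": "hips alert"},
    {"id": 3, "device_type": "Other_logsource", "alert": "Application_rule_A"},
    {"id": 4, "device_type": "AV_logsource", "alert": ["Application_rule_A", "HIPS alert"]},
]

# The working rule from the thread: device_type AV_logsource AND alert Application_rule_A.
RULE_A = [Condition("device_type", ("AV_logsource",)),
          Condition("alert", ("Application_rule_A",))]

# The HIPS rule typed in a different case from what the application rule wrote.
RULE_HIPS_SCALAR = [Condition("device_type", ("AV_logsource",)),
                    Condition("alert", ("HIPS alert",))]

# Same rule with the alert row declared as an array.
RULE_HIPS_ARRAY = [Condition("device_type", ("AV_logsource",)),
                   Condition("alert", ("HIPS alert",), is_array=True)]

if __name__ == "__main__":
    print(matching_ids(RULE_A, SAMPLE_EVENTS))                  # [1]
    print(matching_ids(RULE_HIPS_SCALAR, SAMPLE_EVENTS))        # []
    print(matching_ids(RULE_HIPS_SCALAR, SAMPLE_EVENTS, True))  # [2]
    print(matching_ids(RULE_HIPS_ARRAY, SAMPLE_EVENTS, True))   # [2, 4]
```

Running it shows the two failure modes separately: the scalar HIPS rule matches nothing until the comparison is case-folded, and even then it misses the event whose alert meta is multi-valued unless the row is declared as an array. When debugging a rule that never fires, checking each row in isolation this way (one condition at a time, against the exact bytes Investigation shows under the meta key) narrows the problem faster than re-syncing the whole rule.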
© 2022 RSA Security LLC or its affiliates. All rights reserved.