NetWitness Community

RomanZeltser · ‎2017-01-31

Hi gurus,

As a new guy for RSA NetWitness, I would appreciate few minutes of your time spent to reply if you know the answer.

I have few SQL servers with a single service account (let's call it sql_acct) that must be used for all SQL servers instances. This account must be logged into only from the SQL servers, not from the workstations. How do I build the Alert logic that would alert me if the SQL server was managed from any workstation? #Alert Logic

EricPartington · ‎2017-02-01

the ESA language is included in my original post which you can copy and recreate as an application rule

the logon_type are explained here:

http://windowsitpro.com/systems-management/q-what-are-different-windows-logon-types-can-show-windows-event-log

you can view the application rules from the link in my first post as well, then download via your RSA NW system (RSA Live > search > application rules). which you can use as a template to create something to model this requirement which you can then push to your log decoders.

something like this:

ec.activity = 'Logon' && ec.outcome = 'Success' && user.dst ='sql_act' && logon.type ='2','10','11','12' && device.class = 'Windows Hosts' && reference.id ='4624', '528', '540'

View solution in original post

EricPartington · ‎2017-02-01

There might be 2 ways to address this:

Application rule https://community.rsa.com/docs/DOC-61640

or

ESA Rule https://community.rsa.com/docs/DOC-43401

depending if you have ESA appliance or service you might start here and clone/modify this rule from RSA Live

Direct Login by a Guest Account

I might start by changing the account name to your 'sql_act' name (from the Guest* accounts) and then verify that the account you are looking for shows up in the event ID logs from MS in the 4624, 528 or 540 reference.id key to make sure this will trigger as you expect (check the windows logs you do have)

@Description('Successful/Remote Logon as a Guest onto Windows')
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
SELECT * FROM
    Event(
        medium = 32
        AND ec_activity = 'Logon'
        AND ec_outcome = 'Success'
        AND user_dst IN ('Guest' , 'guest' , 'GUEST')
        AND logon_type IN ('2','10','11','12')
        AND device_class = 'Windows Hosts'
        AND reference_id IN ('4624', '528', '540')

    );

you could also take a swing at an application rule using similar logic if you are getting windows logs.

RomanZeltser · ‎2017-02-01

Eric, thank you so much for your info. We have no ESA, and all SQL servers are Windows - based. Where can I download the Direct Login by a Guest Account rule?

Are 4624, 528 or 540 in reference.id key standard for Windows hosts? What the numbers in logon_type IN ('2','10','11','12') mean?

Thanks in advance.

EricPartington · ‎2017-02-01

the ESA language is included in my original post which you can copy and recreate as an application rule

the logon_type are explained here:

http://windowsitpro.com/systems-management/q-what-are-different-windows-logon-types-can-show-windows-event-log

you can view the application rules from the link in my first post as well, then download via your RSA NW system (RSA Live > search > application rules). which you can use as a template to create something to model this requirement which you can then push to your log decoders.

something like this:

ec.activity = 'Logon' && ec.outcome = 'Success' && user.dst ='sql_act' && logon.type ='2','10','11','12' && device.class = 'Windows Hosts' && reference.id ='4624', '528', '540'

EarlMatthew · ‎2017-02-01

If you are creating a rule using the reporting engine, maybe something like this could work. You could create a list of all your SQL servers using ip or hostname then create this rule:

[Rule name]

Select: ip.src

Where: reference.id = '4624' && user.dst = 'sql_acct' && ip.src != /[listf SQL Servers]

Test it and use it in an alert. This is a very simple example so I guess you can play around with it to get exactly what you want.

RomanZeltser · ‎2017-02-02

Guys, thank you so much. I have used your recommendations, and, after some errors weeded out, I was able to get the report about sql account activities (I had to initiate the connections using this account to see the results). Now, I am going to create the list of SQL servers to be used for any future queries. I am planning to create the logic that would capture the event when someone tries to use the sql account from the workstation (not from the devices on the SQL servers list).

I am still fuzzy about how to download the rules from the RSA.

RomanZeltser · ‎2017-02-02

Earl, following your recommendation, I have successfully created the list of SQL servers. I have two questions:

1. When you create the list, do you use the hostnames or IP addresses?

2. When you create the rule where the lists are used, what is the correct syntax? The suggestion is: When you use the list you must specify in the format $[<path>/<List name>]. I used the following:

&& ip.src != /

Invalid Expression ip.src != /
SQL Servers

It looks like the <path> is required but how do I determine it?

EricPartington · ‎2017-02-02

in the reporting engine use the lists feature on the right to locate the list and insert it into your "where" clause of your rule

RomanZeltser · ‎2017-02-02

Cool! It does the job! Thank you!

RomanZeltser · ‎2017-02-02

Eric, while the report did not produce a syntax error (I am still not getting the data but empty page),

ec.activity = 'Logon' && ec.outcome = 'Success' && user.dst ='sql-acct' && device.class = 'Windows Hosts' && reference.id = '4624' && ip.src !=$[SQL Servers]

the same query used in Investigation generates and error

rule syntax error: expecting <IPv4 address> here: "$[SQL Servers])

the coma-separated IP addresses don't work either. It looks like the normal logic does not apply....

1. Yesterday, we RDP from workstation to another server (non-SQL) where the session was initiated using sq-acct

2. We are trying to catch the instances of login using that account from non-SQL server (as it is in our test case)

3. The report for the last day generates empty page:

What is wrong with our logic??

NetWitness Community

The logic behind the Alert?