2019-05-27 03:55 AM
Could someone tell me why this rule is creating alerts while the second one is not working?
@RSAAlert(oneInSeconds=0)
SELECT * FROM pattern [
a=Event(reference_id.toLowerCase() IN ( '4663' ))
->
every b=Event(reference_id.toLowerCase() IN ( '4660' ) AND user_dst = a.user_dst AND reference_id1 = a.reference_id1)
]
.win:time_length_batch(1 Minutes, 2)
@Audit
@Name('NormalizedWindow') CREATE WINDOW FileDeleteEvents.win:time_length_batch(1 Minute, 30)(reference_id String, reference_id1 String, obj_name String, user_dst String);
@Audit
INSERT INTO FileDeleteEvents
SELECT * FROM pattern [
a=Event(reference_id.toLowerCase() IN ( '4663' ))
->
every b=Event(reference_id.toLowerCase() IN ( '4660' ) AND user_dst = a.user_dst AND reference_id1 = a.reference_id1)
];
@Audit
@RSAAlert(oneInSeconds=0)
SELECT * FROM FileDeleteEvents()
GROUP BY user_dst
HAVING COUNT(*)=30
I would like to aggregate 30 pairs of events, which will stand for 30 file deletions on a Windows file server. I need to find a pair of events because the Windows 4660 event does not contain the filename in the log. Both events are connected by the fields reference_id1 and user_dst.
Here are test data and audit log files from esa attached, where we can see that events are matched and put into the window but alert is not being created.
I have also tried to create the rule using MATCH_RECOGNIZE, but I do not know how to compare reference_id1 for each matched pair of events instead of all matched events.
@Name('')
@Description('')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
(reference_id.toLowerCase() IN ( '4660' ))
OR
(reference_id.toLowerCase() IN ( '4663' ))
).win:time(1 Minutes)
MATCH_RECOGNIZE(
PARTITION BY user_dst
MEASURES A as a_array , B as b_array
PATTERN ((A B) {30})
DEFINE
A as (A.reference_id.toLowerCase() IN ( '4663' )),
B as (B.reference_id.toLowerCase() IN ( '4660' ) AND B[0-30].user_dst = A[0-30].user_dst AND B[0-30].reference_id1 = A[0-30].reference_id1)
);
Here are log samples because AV thinks it is a virus
%NICWIN-4-Security_4663_Microsoft-Windows-Security-Auditing: Security,rn=64829066 cid=76 eid=4,Wed May 22 06:22:17 2019,4663,Microsoft-Windows-Security-Auditing,,Audit Success,servername,File System,,An attempt was made to access an object. Subject: Security ID: S-1-5-21-4159830460-4225010093-4289151508-2798 Account Name: testuser Account Domain: domain.local Logon ID: 0x2675ffaf Object: Object Server: Security Object Type: File Object Name: D:\TEST\tes_file.asd Handle ID: 0x15a4 Process Information: Process ID: 0x4 Process Name: Access Request Information: Accesses: DELETE Access Mask: 0x10000
%NICWIN-4-Security_4660_Microsoft-Windows-Security-Auditing: Security,rn=64829067 cid=76 eid=4,Wed May 22 06:22:17 2019,4660,Microsoft-Windows-Security-Auditing,,Audit Success,servername,File System,,An object was deleted. Subject: Security ID: S-1-5-21-4159830460-4225010093-4289151508-2798 Account Name: testuser Account Domain: domain.local Logon ID: 0x2675ffaf Object: Object Server: Security Handle ID: 0x15a4 Process Information: Process ID: 0x4 Process Name: Transaction ID: {00000000-0000-0000-0000-000000000000}
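The same correlation the ESA rule expresses (a 4663 DELETE request joined to the following 4660 by Account Name and Handle ID, then counted per user within a one-minute window) can be checked directly on raw log lines. The Python below is an added example, not code from this thread; the lines it parses are constructed in the NICWIN style of the samples above, and make_event/sample_lines are helpers invented here for that purpose.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
def make_event(ts, eid, user, handle, obj_name=None, access="DELETE"):
    """Constructed NICWIN-style line (not real data) for a 4663 or 4660 event."""
    head = (f"%NICWIN-4-Security_{eid}_Microsoft-Windows-Security-Auditing: Security,rn=1 cid=76 eid=4,"
            f"{ts:%a %b %d %H:%M:%S %Y},{eid},Microsoft-Windows-Security-Auditing,,Audit Success,srv,File System,,")
    if eid == 4663:
        return (head + f"An attempt was made to access an object. Subject: Account Name: {user} "
                f"Object Name: {obj_name} Handle ID: {handle} Accesses: {access} Access Mask: 0x10000")
    return head + f"An object was deleted. Subject: Account Name: {user} Handle ID: {handle}"
# The fields the ESA rule keys on: user_dst = Account Name, reference_id1 = Handle ID, obj_name
FIELDS = {"ts": r",(\w{3} \w{3} \d+ \d\d:\d\d:\d\d \d{4}),", "eid": r"Security_(\d+)_",
          "user": r"Account Name: (\S+)", "handle": r"Handle ID: (\S+)",
          "obj": r"Object Name: (.+?) Handle ID:", "access": r"Accesses: (\S+)"}
def parse(line):
    """Extract the correlation fields from one log line; missing fields become None."""
    rec = {}
    for name, rx in FIELDS.items():
        m = re.search(rx, line)
        rec[name] = m.group(1) if m else None
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["eid"] = int(rec["eid"])
    return rec
def pair_deletions(lines, window=timedelta(minutes=1)):
    """Join each 4660 to the earlier 4663 DELETE request with the same user and handle (a -> every b)."""
    pending, pairs = {}, []
    for rec in map(parse, lines):
        key = (rec["user"], rec["handle"])
        if rec["eid"] == 4663 and "DELETE" in (rec["access"] or ""):
            pending[key] = rec                      # request waiting for its matching 4660
        elif rec["eid"] == 4660:
            req = pending.pop(key, None)            # orphan 4660s (no request) are dropped
            if req and rec["ts"] - req["ts"] <= window:
                pairs.append((rec["user"], req["obj"], rec["ts"]))
    return pairs
def deletes_per_user(lines):
    """Paired deletions per user; the rule alerts when a user reaches 30 in the batch."""
    return dict(Counter(user for user, _, _ in pair_deletions(lines)))
def sample_lines():
    """30 paired deletions by testuser, plus a read-only request and an unmatched 4660."""
    t0, lines = datetime(2019, 5, 22, 6, 22, 17), []
    for i in range(30):
        h, t = f"0x{0x15a4 + i:x}", t0 + timedelta(seconds=i)
        lines.append(make_event(t, 4663, "testuser", h, f"D:\\TEST\\file{i}.asd"))
        lines.append(make_event(t, 4660, "testuser", h))
    lines.append(make_event(t0, 4663, "other", "0x9999", "D:\\x", access="READ_CONTROL"))
    lines.append(make_event(t0, 4660, "other", "0x9999"))  # no DELETE request, must not count
    return lines
```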
2019-05-28 04:10 AM
Hey Rafal,
I am not 100% sure if this is the issue as I haven't had a chance to test, but I would make sure that you are selecting the data you want to insert into your window from the PATTERN statement, an example is below - otherwise, nulls will be inserted:
@Name('NormalizedWindow') CREATE WINDOW FileDeleteEvents.win:time_length_batch(1 Minute, 30)(reference_id String, reference_id1 String, obj_name String, user_dst String);
INSERT INTO FileDeleteEvents
SELECT a.reference_id as reference_id, a.reference_id1 as reference_id1, a.obj_name as obj_name, a.user_dst as user_dst FROM pattern [
a=Event(reference_id IN ( '4663' ))
->
every b=Event(reference_id IN ( '4660' ) AND user_dst = a.user_dst AND reference_id1 = a.reference_id1)
];
@RSAAlert(oneInSeconds=0)
SELECT * FROM FileDeleteEvents()
GROUP BY user_dst
HAVING COUNT(*)=30
Cheers,
Lee
2019-05-28 04:51 AM
Hi Lee,
Thank you very much. Selecting the exact data in the select statement solved the problem. Now the rule is generating alerts as expected.
Cheers,
Rafal