I'm trying to create an alert and report for a situation where a user is changing his privileges by impersonating another user/account. We have alerts on users going in as a service account or misusing a colleague's account.
I was hoping to use a query such as usr.src != usr.dst, but this does not seem to work as the syntax does not allow it.
How can I do this?
- RSA NetWitness
- RSA NetWitness Platform
Unfortunately, when working with queries, you can't do a comparison of two keys. They would have to be against values like "user.src = 'jsmith' && user.dst !='jsmith'".
However, you could do this with a Lua parser to compare the values. Please note there may be legitimate reasons for this activity such as when accounts get created, etc. Furthermore, usernames might come across differently based on the event sources. Some logs may have the full domain such as 'EVILCORP\jsmith' or 'email@example.com'. Some may have the source in one format and the dest in another.
Below is a quick parser that I wrote up after reading the post. It would need to be tested first to see if it lines up with your use-cases. Would likely need to be tuned to your environment but could be something to get you started.
```lua
-- Step 1 - Create parser
local lua_account_diff = nw.createParser("lua_account_diff", "Detect differences in account usage")

--[[
    Detect differences in account usage
    2017-07-03 - Initial development
--]]

-- Step 2 - Define meta keys to write meta into
-- declare the meta keys we'll be registering meta with
lua_account_diff:setKeys({
    nwlanguagekey.create("alert", nwtypes.Text),
})

-- Step 4 - Do SOMETHING once your token matched
function lua_account_diff:sessionBegin()
    -- Reset global variables at the beginning of a session.
    usersrc = nil
    userdst = nil
end

function lua_account_diff:userSRC(index, user)
    usersrc = user
    -- user.dst may already have been seen in this session; compare once both are known
    if userdst and user ~= userdst then
        nw.createMeta(self.keys.alert, "account_diff")
    end
end

function lua_account_diff:userDST(index, user)
    userdst = user
    if usersrc and user ~= usersrc then
        nw.createMeta(self.keys.alert, "account_diff")
    end
end

-- Step 3 - Define tokens that get you close to what you want
-- declare what tokens and events we want to match.
-- These do not have to be exact matches but just get you close to the data you want.
lua_account_diff:setCallbacks({
    [nwevents.OnSessionBegin] = lua_account_diff.sessionBegin,
    [nwlanguagekey.create("user.src", nwtypes.Text)] = lua_account_diff.userSRC,
    [nwlanguagekey.create("user.dst", nwtypes.Text)] = lua_account_diff.userDST,
})
```
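The answer above flags two caveats that the parser itself does not handle: usernames arrive in different formats per event source ('EVILCORP\jsmith' versus 'email@example.com'), and some activities legitimately have src != dst (account creation). The following is an added example, not code from the original post or from RSA, that models the same comparison outside NetWitness in Python so the normalisation and the allowlist can be tested on constructed events before the logic is moved into the Lua callbacks. The event dicts, the ec.activity values and the EXPECTED_DIFF_ACTIVITIES set are constructed assumptions for illustration.

```python
# Constructed sample events (not from the original post): each dict stands in for
# the meta a NetWitness session carries after the log has been parsed.
SAMPLE_EVENTS = [
    {"user.src": "EVILCORP\\jsmith", "user.dst": "jsmith@example.com", "ec.activity": "Logon"},
    {"user.src": "jsmith", "user.dst": "svc_backup", "ec.activity": "Logon"},
    {"user.src": "admin", "user.dst": "newhire01", "ec.activity": "Create"},
    {"user.src": "EVILCORP\\bjones", "user.dst": "jsmith", "ec.activity": "Logon"},
    {"user.src": "jsmith", "user.dst": None, "ec.activity": "Logon"},
]

# Hypothetical allowlist: activities where src and dst are expected to differ
# (account creation, password reset by an admin, etc.). Tune to the environment.
EXPECTED_DIFF_ACTIVITIES = {"Create", "Modify"}


def normalize_user(raw):
    """Reduce 'DOMAIN\\user', 'user@domain' and plain 'user' to a lowercase bare name.

    Returns None for missing or empty values so callers can skip the comparison
    instead of alerting on half a pair.
    """
    if raw is None:
        return None
    user = raw.strip()
    if "\\" in user:                      # DOMAIN\user -> user
        user = user.rsplit("\\", 1)[1]
    if "@" in user:                       # user@domain -> user
        user = user.split("@", 1)[0]
    user = user.lower()
    return user or None


def account_diff(event):
    """Return an alert string when the normalised src and dst accounts differ,
    or None when they match, either side is missing, or the activity is allowlisted."""
    src = normalize_user(event.get("user.src"))
    dst = normalize_user(event.get("user.dst"))
    if src is None or dst is None:
        return None
    if src == dst:
        return None
    if event.get("ec.activity") in EXPECTED_DIFF_ACTIVITIES:
        return None
    return f"account_diff: {src} -> {dst}"


def scan(events):
    """Run account_diff over a list of events and collect the alerts."""
    return [alert for alert in (account_diff(e) for e in events) if alert]


if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The first sample event shows why normalisation matters: 'EVILCORP\jsmith' and 'jsmith@example.com' are the same person and must not alert, while the second and fourth events (a user landing on a service account, and one colleague landing on another's account) are exactly the cases the question asks for. The same two steps, strip the domain or mail suffix and lowercase, then skip allowlisted activities, can be applied inside the userSRC and userDST callbacks before the comparison.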
If you have ESA and are at 10.6.3+, then you can use a comparison between two values to get what you are looking for.
In the ESA Alert window, when you create rule entries, you can use the correlation type and then add the two meta values to compare in the following two columns to get the comparison that you are looking for.