Users logging into unauthorized hosts
Trying to write a correlated rule that can alert me when a user from one location logs into a server at another one of our locations..
User: s0623jhn
Good hosts: server1.0623.domain.com and server2.0623.domain.com
Bad hosts: server1.1821.domains.com or server1.0626.domain.com
So... how can I pull the 4 digit number from the user name and compare it to the 4 digit location number in the correlated rule? Do I have to pull this number into a cache variable and then compare it to a regex of the host name?
help...
I don't think that it is possible to do this...when comparing a difference in variables you would use the cache variables. When you want to gather events with similar values then you would multi-thread.
There are some other issues...hostname is usually the short part of the FQDN, so in your case it would be server1 and server2. The data you are looking at would be part of domain or domain name which would be 0623.domain.com. Since you are comparing only the 4 digits and you can't use LIKE, NOT LIKE, or Regex with cache variables, I don't think you will be able to do this alert.
Now, if history is any indication, Matt will probably have a way that you can do this and reply to this post
Regards,
Paul
I'll reply, but I don't have a good solution at all.
With no way to do a cache variable comparison using the REGEX operator, there is no direct way to make the comparison with the numeric string in the middle of the username.
That said, if you can guarantee that the username is always in the format a0000aaa, where a is an alpha character and 0 is a numeric character, then you might be able to modify the actual device XML to strip out just the numbers.
The drawback to this is that you will no longer be able to read in the username as the full 8 character string.
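Added example, not from this thread and not enVision correlation-rule logic: a small Python script that performs the site-code comparison outside the SIEM, over constructed sshd-style log lines. It relies on the a0000aaa username format that the reply above depends on, and takes the 4-digit code from the domain labels rather than the short hostname, as Paul points out. Events where either side carries no recognisable code are reported as "unknown" instead of being silently counted as a match. The log line layout, the regular expressions and the sample data are all assumptions made for the example.

```python
import re

# Constructed sample log lines (not real events): "<timestamp> <fqdn> sshd[pid]: Accepted <method> for <user> from <ip>"
SAMPLE_LOG = """\
Jan 10 09:12:01 server1.0623.domain.com sshd[1001]: Accepted password for s0623jhn from 10.6.23.5
Jan 10 09:14:22 server2.0623.domain.com sshd[1002]: Accepted publickey for s0623jhn from 10.6.23.5
Jan 10 09:20:47 server1.1821.domains.com sshd[2210]: Accepted password for s0623jhn from 10.6.23.5
Jan 10 09:31:09 server1.0626.domain.com sshd[3321]: Accepted password for s0623jhn from 10.6.23.5
Jan 10 09:40:00 server1.0623.domain.com sshd[1003]: Accepted password for admin from 10.6.23.9
"""

# Assumed log layout: timestamp, FQDN, sshd pid, auth method, user, source IP
LOG_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)

# Username format a0000aaa from the thread: one letter, four digits, three letters
USER_RE = re.compile(r"^[A-Za-z](?P<site>\d{4})[A-Za-z]{3}$")

# Site code is the second DNS label (the first label is the short hostname)
HOST_RE = re.compile(r"^[^.]+\.(?P<site>\d{4})\.")


def user_site(user):
    """Return the 4-digit site code embedded in the username, or None."""
    m = USER_RE.match(user)
    return m.group("site") if m else None


def host_site(fqdn):
    """Return the 4-digit site code from the FQDN's domain part, or None."""
    m = HOST_RE.match(fqdn)
    return m.group("site") if m else None


def classify(user, fqdn):
    """'match' when both codes agree, 'mismatch' when they differ,
    'unknown' when either side has no extractable code."""
    u, h = user_site(user), host_site(fqdn)
    if u is None or h is None:
        return "unknown"
    return "match" if u == h else "mismatch"


def parse_log(text):
    """Yield (user, fqdn, src_ip) for each accepted login line; skip unparseable lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("user"), m.group("host"), m.group("src")


def find_cross_site_logins(text):
    """Return the list of (user, fqdn, src_ip, verdict) for every login that is
    not a confirmed same-site match, so 'unknown' cases are reviewed too."""
    findings = []
    for user, fqdn, src in parse_log(text):
        verdict = classify(user, fqdn)
        if verdict != "match":
            findings.append((user, fqdn, src, verdict))
    return findings


if __name__ == "__main__":
    for user, fqdn, src, verdict in find_cross_site_logins(SAMPLE_LOG):
        print(f"{verdict:8s} user={user} host={fqdn} src={src}")
```

Running it against the sample prints two "mismatch" rows (the 1821 and 0626 hosts) and one "unknown" row for the admin account, which has no site code to compare; the two same-site logins are not reported.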
