ESA - Wildcard in String Array
We have a need to look for wildcard matches in a string array within an ESA correlation alert.
I can get the string value to match using the syntax below, but I need a wildcard match, as we need to see matches of domains that match prior to this value.
Syntax for static match of 'maliciousdomain'. Need to get a wildcard to match anything before 'maliciousDomain'.
SELECT * FROM Event(
medium = 1
AND ('maliciousDomain' = ALL( alias_host )));
For this, you would need to use a lambda expression like the below to iterate through the elements in the array:-
SELECT * from Event(alias_host.AnyOf(a=> a.toLowerCase().contains('maliciousdomain')))
I added the java.lang.String method toLowerCase() to make the match case insensitive, but you can remove it if it is not necessary.
This syntax can also be edited to use any operator, e.g.:-
SELECT * from Event(alias_host.AnyOf(a=> a LIKE '%maliciousdomain.com'))
Another way to do this would be outside of ESA entirely. You could create application rules on your packet decoders that specifically look for the domain of interest.
name=maliciousdomain rule="alias.host ends 'maliciousdomain.com'" alert=alert type=application
Then, just have ESA look for alert = 'maliciousdomain' since it will already be meta at that point.
You could also look for the root host for any and all sessions where alias.host is populated. I wrote a parser to help with that. The purpose being that if I wanted to exclude any domain, I could. This uses a custom meta key called 'root.host', so an index change on the concentrators would be needed if you wanted to query against it.
The parser works by performing a meta callback against 'alias.host' and then examining the location of all the dots in the hostname. It then compares the last position against the TLDs listed in a table and then moves to the left if found.
Since this is just performing a meta callback, it can work on both packet and log decoders.
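The two ideas in the answers above, the AnyOf/LIKE wildcard match over a string-array meta key and the dot-walking root-host extraction against a TLD table, are shown below in Python as an added example. It is not the poster's parser and not NetWitness or Esper code; the alias_host values and the TLD table are constructed, and a real parser would carry a much longer suffix list. It also contrasts the original `= ALL(...)` query, which only fires when every element equals the literal, with the AnyOf form.

```python
import re

# Constructed sample: the alias_host values of one session (a string-array meta key).
SAMPLE_ALIAS_HOST = ["cdn.example.net", "Login.MaliciousDomain.com", "www.example.co.uk"]

# Constructed TLD table. Multi-label public suffixes such as co.uk must be listed
# explicitly so the walk does not stop at "co".
TLD_TABLE = {"com", "net", "org", "uk", "co.uk"}


def like_to_regex(pattern: str) -> re.Pattern:
    """Translate a SQL/EPL LIKE pattern into a compiled regex.
    '%' matches any run of characters, '_' exactly one; everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def any_of_like(values, pattern, case_insensitive=True):
    """Mirror of alias_host.AnyOf(a => a LIKE pattern): true if any element matches."""
    rx = like_to_regex(pattern.lower() if case_insensitive else pattern)
    return any(rx.fullmatch(v.lower() if case_insensitive else v) for v in values)


def all_equal(values, literal):
    """Mirror of literal = ALL(alias_host): true only if every element equals the literal."""
    return len(values) > 0 and all(v == literal for v in values)


def root_host(hostname, tlds=TLD_TABLE):
    """Walk the labels from the right. While the suffix seen so far is in the TLD table,
    move one dot to the left; the first suffix that is not a TLD is the root host.
    Returns None when the last label is not a recognised TLD or nothing precedes it."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        suffix = ".".join(labels[i:])
        if suffix in tlds:
            continue  # still inside the TLD, keep moving left
        # i == last index means the final label itself was not a known TLD.
        return suffix if i < len(labels) - 1 else None
    return None  # every suffix was a TLD, e.g. the bare name "com"


def root_hosts(values):
    """Distinct root hosts for a session's alias_host array, sorted for stable output."""
    return sorted({rh for v in values if (rh := root_host(v)) is not None})


if __name__ == "__main__":
    print("= ALL match :", all_equal(SAMPLE_ALIAS_HOST, "maliciousDomain"))
    print("AnyOf LIKE  :", any_of_like(SAMPLE_ALIAS_HOST, "%maliciousdomain.com"))
    print("root hosts  :", root_hosts(SAMPLE_ALIAS_HOST))
```

The case-insensitive path lower-cases both the pattern and the value, which is what the toLowerCase() call in the first answer achieves inside the lambda; pass case_insensitive=False to see the mixed-case element fail the match.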
This is it:
SELECT * from Event(
medium = 1
AND alias_host.AnyOf(a=> a LIKE '%maliciousDomain.com'));