Jim Harbin

Users logging into unauthorized hosts

Discussion created by Jim Harbin on Jul 18, 2011
Latest reply on Jul 19, 2011 by RSA Admin

Trying to write a correlated rule that can alert me when a user from one location logs into a server at another one of our locations..


User:   s0623jhn


Good hosts:  server1.0623.domain.com and server2.0623.domain.com

Bad hosts: server1.1821.domains.com or server1.0626.domain.com


So... how can pull the 4 digit number from the user name and compare it to the 4 digit location number in the correlated rule?  Do I have to pull this number into a cache variable and then compare it to a regex of the host name?