
RSA SA ESA advanced rule contains operator

Question asked by go4lUa1mL0I2Tzs9lENhdlfZmfZCgWJByWLRDiaaVSw= on May 2, 2016
Latest reply on May 6, 2016 by David Waugh

I created an ESA advanced rule to detect the command "monitor session" from a Cisco ACS device. The rule requirement is simple, but I have to use an Advanced one, because the meta "Action" is an array.

Below is the code; I got it from another post. I can sync it to ESA, but it doesn't seem to be working. No alert is generated. Where is it going wrong? Please help.

Thanks a lot

***********************************************

SELECT * FROM Event WHERE
action.anyOf(i => i.contains("monitor session")) and device_type IN ('ciscosecureacs');

***********************************************

Log sample:

Apr 28 17:07:01 PP-26-CM5-ACS-01 CSCOacs_TACACS_Accounting 0000607119 1 0 2016-04-28 17:07:01.947 +08:00 0000342367 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ACSVersion=acs-5.6.0.22-B.225, ConfigVersionId=12, Device IP Address=172.22.23.22, CmdSet=[ CmdAV=no monitor session 1 destination interface FastEthernet 0 21 <cr> ], RequestLatency=0, Type=Accounting, Privilege-Level=1, Service=Login, User=admin, Port=tty1, Remote-Address=172.22.22.25, Authen-Method=TacacsPlus, AVPair=task_id=1067, AVPair=start_time=1461834421, AVPair=timezone=(HKT), AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=PP-26-CM5-ACS-01/250224432/26667, SelectedAccessService=Default Device Admin, Step=13006 , Step=15008 , Step=15004 , Step=15012 , Step=13035 , NetworkDeviceName=remote-sw2, NetworkDeviceGroups=Device Type:All Device Types:HK_Cisco_Switch, NetworkDeviceGroups=Location:All Locations:DR, Response={Type=Accounting; AcctReply-Status=Success; }
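As an added example (not from the post, and not RSA's parser or ESA code), the Python below parses the sample ACS accounting line into its multi-valued fields, derives the command array the way the multi-valued action meta would hold it (an assumed mapping: one value per CmdAV inside CmdSet), and applies the same predicate as the EPL rule so the substring match can be checked against the real log text. device_type is not present in the raw line, so it is passed in as an assumed parser-supplied value; Esper's contains() is Java String.contains, so the match is case-sensitive, which the example mirrors.

```python
import re
from typing import Dict, List

# Constructed copy of the TACACS+ accounting line from the post (same values, a few AVPairs dropped).
SAMPLE_LOG = (
    "Apr 28 17:07:01 PP-26-CM5-ACS-01 CSCOacs_TACACS_Accounting 0000607119 1 0 "
    "2016-04-28 17:07:01.947 +08:00 0000342367 3300 NOTICE Tacacs-Accounting: "
    "TACACS+ Accounting with Command, ACSVersion=acs-5.6.0.22-B.225, "
    "ConfigVersionId=12, Device IP Address=172.22.23.22, CmdSet=[ CmdAV=no monitor "
    "session 1 destination interface FastEthernet 0 21 <cr> ], RequestLatency=0, "
    "Type=Accounting, Privilege-Level=1, Service=Login, User=admin, Port=tty1, "
    "Remote-Address=172.22.22.25, Authen-Method=TacacsPlus, AVPair=task_id=1067, "
    "AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, "
    "Step=13006 , Step=15008 , Step=15004 , Step=15012 , Step=13035 , "
    "NetworkDeviceName=remote-sw2, Response={Type=Accounting; AcctReply-Status=Success; }"
)

# "key=value" pairs separated by ", "; a value may itself contain "=" (AVPair=task_id=1067)
PAIR_RE = re.compile(r"([A-Za-z][\w -]*?)=(.*?)(?=, [A-Za-z][\w -]*?=|$)")

def parse_acs_accounting(line: str) -> Dict[str, List[str]]:
    """Return every field as a list: keys such as AVPair and Step repeat within
    one line, which is why the parsed meta arrives as an array rather than a string."""
    body = line.split("Tacacs-Accounting: ", 1)[1]
    fields: Dict[str, List[str]] = {}
    for key, value in PAIR_RE.findall(body):
        fields.setdefault(key, []).append(value.strip())
    return fields

def command_meta(fields: Dict[str, List[str]]) -> List[str]:
    """Assumed mapping to the 'action' meta: one entry per CmdAV inside CmdSet=[ ... ]."""
    cmds: List[str] = []
    for cmdset in fields.get("CmdSet", []):
        cmds.extend(re.findall(r"CmdAV=(.*?)(?= CmdAV=| \]|$)", cmdset))
    return cmds

def rule_matches(fields: Dict[str, List[str]], device_type: str,
                 needle: str = "monitor session",
                 allowed=("ciscosecureacs",)) -> bool:
    """Same predicate as the EPL rule: action.anyOf(i => i.contains(needle))
    AND device_type IN allowed. Like Java String.contains, the test is a
    case-sensitive substring match, so "no monitor session ..." still matches."""
    return any(needle in a for a in command_meta(fields)) and device_type in allowed

if __name__ == "__main__":
    parsed = parse_acs_accounting(SAMPLE_LOG)
    print(command_meta(parsed), rule_matches(parsed, "ciscosecureacs"))
```

If the parsed values printed here differ from what the ESA event actually carries (for example a different device_type string or the command split across several action values), the predicate, not the lambda syntax, is where the rule fails to fire.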
