Hi gurus,
As a new guy for RSA NetWitness, I would appreciate few minutes of your time spent to reply if you know the answer.
I have few SQL servers with a single service account (let's call it sql_acct) that must be used for all SQL servers instances. This account must be logged into only from the SQL servers, not from the workstations. How do I build the Alert logic that would alert me if the SQL server was managed from any workstation? #Alert Logic
There might be 2 ways to address this:
Application rule https://community.rsa.com/docs/DOC-61640
or
ESA Rule https://community.rsa.com/docs/DOC-43401
depending if you have ESA appliance or service you might start here and clone/modify this rule from RSA Live
Direct Login by a Guest Account
I might start by changing the account name to your 'sql_act' name (from the Guest* accounts) and then verify that the account you are looking for shows up in the event ID logs from MS in the 4624, 528 or 540 reference.id key to make sure this will trigger as you expect (check the windows logs you do have)
@Description('Successful/Remote Logon as a Guest onto Windows')
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
SELECT * FROM
Event(
medium = 32
AND ec_activity = 'Logon'
AND ec_outcome = 'Success'
AND user_dst IN ('Guest' , 'guest' , 'GUEST')
AND logon_type IN ('2','10','11','12')
AND device_class = 'Windows Hosts'
AND reference_id IN ('4624', '528', '540')
);
you could also take a swing at an application rule using similar logic if you are getting windows logs.
Eric, thank you so much for your info. We have no ESA, and all SQL servers are Windows - based. Where can I download the Direct Login by a Guest Account rule?
Are 4624, 528 or 540 in reference.id key standard for Windows hosts? What the numbers in logon_type IN ('2','10','11','12') mean?
Thanks in advance.
the ESA language is included in my original post which you can copy and recreate as an application rule
the logon_type are explained here:
you can view the application rules from the link in my first post as well, then download via your RSA NW system (RSA Live > search > application rules). which you can use as a template to create something to model this requirement which you can then push to your log decoders.
something like this:
ec.activity = 'Logon' && ec.outcome = 'Success' && user.dst ='sql_act' && logon.type ='2','10','11','12' && device.class = 'Windows Hosts' && reference.id ='4624', '528', '540'
If you are creating a rule using the reporting engine, maybe something like this could work. You could create a list of all your SQL servers using ip or hostname then create this rule:
[Rule name]
Select: ip.src
Where: reference.id = '4624' && user.dst = 'sql_acct' && ip.src != /[listf SQL Servers]
Test it and use it in an alert. This is a very simple example so I guess you can play around with it to get exactly what you want.
Earl, following your recommendation, I have successfully created the list of SQL servers. I have two questions:
1. When you create the list, do you use the hostnames or IP addresses?
2. When you create the rule where the lists are used, what is the correct syntax? The suggestion is: When you use the list you must specify in the format $[<path>/<List name>]. I used the following:
&& ip.src != /[LIST] SQL but this statement generated an error Invalid Expression ip.src != /[LIST] SQL Servers
It looks like the <path> is required but how do I determine it?
in the reporting engine use the lists feature on the right to locate the list and insert it into your "where" clause of your rule
Cool! It does the job! Thank you!
Eric, while the report did not produce a syntax error (I am still not getting the data but empty page),
ec.activity = 'Logon' && ec.outcome = 'Success' && user.dst ='sql-acct' && device.class = 'Windows Hosts' && reference.id = '4624' && ip.src !=$[SQL Servers]
the same query used in Investigation generates and error
rule syntax error: expecting <IPv4 address> here: "$[SQL Servers])
the coma-separated IP addresses don't work either. It looks like the normal logic does not apply....
1. Yesterday, we RDP from workstation to another server (non-SQL) where the session was initiated using sq-acct
2. We are trying to catch the instances of login using that account from non-SQL server (as it is in our test case)
3. The report for the last day generates empty page:
What is wrong with our logic??
what does your list $[SQL Servers] look like ?
what values are in there ? hostnames or IP addresses ?
IP addresses only
ok two things..
you cannot use the $List in investigator, that is only available in the reporting engine. So the red error above is correct if you are trying to use that in investigator. To test out your login in Investigator take the list and put them like this...
ip.src!=ip,ip2,ip3,ip4
if that returns you results as you expect then you know your logic works. once you have that sorted out you can the test your reporting logic (i would also check off the box for use relative time calculation in Reporting engine)
Great. Perhaps, I know that my system is functioning correctly, and this is a simple syntax error.
Yes, the sequence of IP Addresses in the Investigate does not generate a syntax error and actually produces the result.
However, the reporting module does not do the same even if I replace the SQL List with the sequence of IP addresses (like in the Investigate). The empty page again…
I have checked off the box for use relative time calculation and tried last day and two last days with the same result. The test was performed yesterday in the middle of the day, around 1-2 PM.
Something else is missing (or excess statement in the query)…
===============
Roman Zeltser
Sr. IM Security Analyst
CDR Associates
307 International Circle
Suite 300
Hunt Valley, MD 21030
P: 410-560-2269 x.1261
rzeltser@cdrassociates.com<mailto:rzeltser@cdrassociates.com>
Guys, thank you so much. I have used your recommendations, and, after some errors weeded out, I was able to get the report about sql account activities (I had to initiate the connections using this account to see the results). Now, I am going to create the list of SQL servers to be used for any future queries. I am planning to create the logic that would capture the event when someone tries to use the sql account from the workstation (not from the devices on the SQL servers list).
I am still fuzzy about how to download the rules from the RSA.
the ESA language is included in my original post which you can copy and recreate as an application rule
the logon_type are explained here:
http://windowsitpro.com/systems-management/q-what-are-different-windows-logon-types-can-show-windows-event-log
you can view the application rules from the link in my first post as well, then download via your RSA NW system (RSA Live > search > application rules). which you can use as a template to create something to model this requirement which you can then push to your log decoders.
something like this:
ec.activity = 'Logon' && ec.outcome = 'Success' && user.dst ='sql_act' && logon.type ='2','10','11','12' && device.class = 'Windows Hosts' && reference.id ='4624', '528', '540'