AnsweredAssumed Answered

Question about ESA Rule

Question asked by Maximiliano Cittadini on May 2, 2018
Latest reply on May 4, 2018 by Maximiliano Cittadini

I have created the following ESA rule to detect whenever a user log on into a windows machine and then logs into other system (called Stealth) with another username within a period of 600 seconds. The rule works fine, but I missed something, the rule triggers even if the user logoff the machine and other user login.

I think the rule logic maybe something like:

Event A: User Logon

Event B: User Logoff

Event C: Other User log on to Stealth from the same IP.

And the pattern may be something like: A followed by C but only if B don't occurs before C

My current rule is:

module Module_00029252f2806281d24e2073;
Stealth - Login desde la misma IP con distinto usuario

@Description('Alerta para usario compartido en Stealth')

          EVERY a = Event(
                         device_type .toLowerCase() IN ('winevent_nic')
                         ec_activity .toLowerCase() IN ('logon')
                         ip_src IS NOT NULL
                         user_dst .toLowerCase() NOT LIKE '%$'
                         user_dst.toLowerCase() NOT LIKE 'fact%'
                         user_dst .toLowerCase() NOT IN ('rsa_dlp','anonymous logon')
                         /* Agregado Maximiliano Cittadini - 6-SEP-17 evita usuarios de servicio en Windows*/
                         ec_outcome .toLowerCase() IN ('success'))
               -> b = Event(
                         device_type .toLowerCase() IN ('stealth')
                         b.user_dst .toLowerCase () NOT IN ('monstealth_2')
                         b.user_dst .toLowerCase() NOT LIKE 'fact%'
                         /* Agregado Maximiliano Cittadini - 8-SEP-17 evita usuarios de servicio en Stealth */
                         result_code .toLowerCase() IN ('ok')
                         b.user_dst .toLowerCase() != a.user_dst .toLowerCase()
                         a.ip_src = b.ip_addr
                         a.user_dst .toLowerCase() != b.user_dst .toLowerCase () || 'c'
                         /* Agregado Maximiliano Cittadini - 6-SEP-17 evita casos de usuarios
                         con el mismo nombre con la letra c agregada, por ejemplo:
                         USUARIO y USUARIOC */

               where timer:within(600 seconds)
     /* Modificacion Maximiliano Cittadini - 14-SEP-17 se cambia ventana de 3600 segundos a 120 segundos */
    /* Modificacion Maximiliano Cittadini - 19-SEP-17 se cambia ventana de 120 segundos a 600 segundos */


Could someone help me with this?