
Why this ESA rule is not creating alerts

Question asked by rafal laczkowski on May 27, 2019
Latest reply on May 28, 2019 by rafal laczkowski

Could someone tell me why this rule is creating alerts while the second one is not working?

@RSAAlert(oneInSeconds=0)
SELECT * FROM pattern [
   a=Event(reference_id.toLowerCase() IN ( '4663' ))
   ->
   every b=Event(reference_id.toLowerCase() IN ( '4660' ) AND user_dst = a.user_dst AND reference_id1 = a.reference_id1)
]
.win:time_length_batch(1 Minutes, 2)


@Audit
@Name('NormalizedWindow') CREATE WINDOW FileDeleteEvents.win:time_length_batch(1 Minute, 30)(reference_id String, reference_id1 String, obj_name String, user_dst String);

@Audit
INSERT INTO FileDeleteEvents
SELECT * FROM pattern [
   a=Event(reference_id.toLowerCase() IN ( '4663' ))
   ->
   every b=Event(reference_id.toLowerCase() IN ( '4660' ) AND user_dst = a.user_dst AND reference_id1 = a.reference_id1)
];

@Audit
@RSAAlert(oneInSeconds=0)
SELECT * FROM FileDeleteEvents()
GROUP BY user_dst
HAVING COUNT(*)=30


I would like to aggregate 30 pairs of events, which will stand for 30 file deletions on a Windows file server. I need to find a pair of events because the Windows 4660 event does not contain the filename in the log. Both events are connected by the fields reference_id1 and user_dst.


Attached are test data and audit log files from ESA, where we can see that the events are matched and put into the window but an alert is not being created.


I have also tried to create a rule using MATCH_RECOGNIZE, but I do not know how to compare reference_id1 for each matched pair of events instead of across all matched events.


@Name('')
@Description('')
@RSAAlert(oneInSeconds=0)

SELECT * FROM Event(
    (reference_id.toLowerCase() IN ( '4660' ))
    OR
    (reference_id.toLowerCase() IN ( '4663' ))
).win:time(1 Minutes)

MATCH_RECOGNIZE(
PARTITION BY user_dst
MEASURES A as a_array , B as b_array
    PATTERN ((A B) {30})
DEFINE
    A as (A.reference_id.toLowerCase() IN ( '4663' )),
    B as (B.reference_id.toLowerCase() IN ( '4660' ) AND B[0-30].user_dst = A[0-30].user_dst AND B[0-30].reference_id1 = A[0-30].reference_id1)
);


Here are the log samples, because AV thinks it is a virus:

%NICWIN-4-Security_4663_Microsoft-Windows-Security-Auditing: Security,rn=64829066 cid=76 eid=4,Wed May 22 06:22:17 2019,4663,Microsoft-Windows-Security-Auditing,,Audit Success,servername,File System,,An attempt was made to access an object.  Subject:  Security ID:  S-1-5-21-4159830460-4225010093-4289151508-2798  Account Name:  testuser  Account Domain:  domain.local  Logon ID:  0x2675ffaf  Object:  Object Server: Security  Object Type: File  Object Name: D:\TEST\tes_file.asd  Handle ID: 0x15a4  Process Information:  Process ID: 0x4  Process Name:   Access Request Information:  Accesses: DELETE       Access Mask: 0x10000
%NICWIN-4-Security_4660_Microsoft-Windows-Security-Auditing: Security,rn=64829067 cid=76 eid=4,Wed May 22 06:22:17 2019,4660,Microsoft-Windows-Security-Auditing,,Audit Success,servername,File System,,An object was deleted.  Subject:  Security ID:  S-1-5-21-4159830460-4225010093-4289151508-2798  Account Name:  testuser  Account Domain:  domain.local  Logon ID:  0x2675ffaf  Object:  Object Server: Security  Handle ID: 0x15a4  Process Information:  Process ID: 0x4  Process Name:   Transaction ID: {00000000-0000-0000-0000-000000000000}
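To make the pairing logic the rules above are trying to express concrete (the 4663 carries the Object Name, the 4660 confirms the deletion, and the two are joined on the Handle ID in reference_id1 plus user_dst, then counted per user inside a one-minute window), here is an added Python example that is not part of this post and not ESA code; the regexes, the DeleteBurstDetector class and the constructed sample lines are my own assumptions about the syslog layout shown in the two lines above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# ESA-style meta from the NICWIN layout in the question: reference_id = event id, reference_id1 = Handle ID, user_dst = Account Name, obj_name = Object Name.
HEAD_RE = re.compile(r"^%NICWIN-4-Security_(?P<eid>\d+)_.*?,(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}),")
USER_RE = re.compile(r"Account Name:\s+(?P<user>\S+).*?Handle ID:\s+(?P<handle>0x[0-9a-fA-F]+)")
OBJ_RE = re.compile(r"Object Name:\s+(?P<obj>.+?)\s+Handle ID:")

def parse(line):
    h, u, o = HEAD_RE.match(line), USER_RE.search(line), OBJ_RE.search(line)
    if not (h and u):
        return None
    return {"reference_id": h["eid"], "ts": datetime.strptime(h["ts"], "%a %b %d %H:%M:%S %Y"),
            "user_dst": u["user"].lower(), "reference_id1": u["handle"].lower(),
            "obj_name": o["obj"] if o else None}

class DeleteBurstDetector:
    """Pair each 4663 (which carries Object Name) with the 4660 that closes the same handle for
    the same user, then count completed deletions per user inside a sliding time window."""
    def __init__(self, threshold=30, window=timedelta(minutes=1)):
        self.threshold, self.window = threshold, window
        self.pending = {}                 # (user_dst, reference_id1) -> obj_name awaiting its 4660
        self.recent = defaultdict(deque)  # user_dst -> deque of (ts, obj_name) completed deletions

    def feed(self, line):
        ev = parse(line)
        if ev is None:
            return None
        key = (ev["user_dst"], ev["reference_id1"])
        if ev["reference_id"] == "4663":
            self.pending[key] = ev["obj_name"]
        elif ev["reference_id"] == "4660" and key in self.pending:  # a 4660 with no matching 4663 is ignored
            q = self.recent[ev["user_dst"]]
            q.append((ev["ts"], self.pending.pop(key)))
            while q and ev["ts"] - q[0][0] > self.window:           # expire deletions older than the window
                q.popleft()
            if len(q) >= self.threshold:
                files = [obj for _, obj in q]
                q.clear()                                            # reset so one burst raises one alert
                return {"user_dst": ev["user_dst"], "count": len(files), "files": files}
        return None

def sample(eid, rn, ts, handle, obj=None):
    """Constructed log line in the question's layout (test data, not a real capture)."""
    obj_part = f"  Object Type: File  Object Name: {obj}" if obj else ""
    return (f"%NICWIN-4-Security_{eid}_Microsoft-Windows-Security-Auditing: Security,rn={rn} cid=76 eid=4,"
            f"{ts},{eid},Microsoft-Windows-Security-Auditing,,Audit Success,servername,File System,,"
            f"Subject:  Security ID:  S-1-5-21-0-0-0-1  Account Name:  testuser  Object:  Object Server: "
            f"Security{obj_part}  Handle ID: {handle}  Process Information:  Process ID: 0x4  Process Name:   ")
```

Feeding 30 constructed 4663/4660 pairs for one user within a minute returns a single alert listing the 30 file names; a 4660 whose handle was never seen in a 4663 is never counted.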
