
## Big Challenge: Create a rule to detect all privileged user accounts not blocked after 60 days of inactivity

Hi all,

We have a big problem to create this rule.

We have a list of all users which are privileged users. This user list is stored in an active list.

We have created a rule to update this active list each time there is a new user which was not in the list before.

So our active list contains 2 fields:

Target Username ==> Which is a privileged user

End Time ==> which is the last time we saw the user logged on the system.

Now, our idea is to create another correlation rule, scheduled one time each day, to analyze the active list and calculate if the current day less the End Time (which is in the active list) is equal to 60.

Current day - End Time = 60

If the operation is equal to 60 we will trigger an alert.

The big problem is that it seems that with ArcSight we are not able to use a value present in an active list in a condition.

Do you have any idea?

1 Solution

Accepted Solutions

You should be able to use the result without a problem, you just use the AL entry variable name in your math equation.  You can also alert on any AL event using the device event class ID:

| Name | Device Event Class ID | DEC - Device Event Category |
|---|---|---|
| Active list entry deleted | activelist:102 | /ActiveList/Delete |
| Active list updated | activelist:103 | /ActiveList/Update |
| Active list entry expired | activelist:104 | /ActiveList/Expire |
| Active list entry evicted | activelist:105 | /ActiveList/Evict |

So just look for that and upon that firing, delete it from the AL - one caveat though - when the entry expires it sticks all the data into a single field (flexString1 I think) and it's delimited by a pipe (|) so you'll have to use substring functions to parse out the data you want basically - substring(0,getIndexOf(ALentry)) and do that over and over and over again

If you need a good example of doing that, time math, and rules firing on rules, I highly recommend Ben Spader and Scott Parkinson's presentation from protect '09 - it's available here:  https://protect724.arcsight.com/docs/DOC-1167

19 Replies

It sounds like you want to use the GetActiveListValue variable function - it'll grab a specified field from an AL.  The only caveat is you have to create the AL with a key field(s) which will require you to recreate your AL.

Here's some pictures to help explain what I'm talking about.

Absent Member.

This is how I might tackle this use case. There are a number of things you could do with the data but will keep this fairly focused to what I think you are trying to do. Create one active list that has all of your privileged user names with a time to live (TTL) of 0; they don't expire. Create a rule that adds the user names when they are used (per Chris' post you will need to use the getActiveListValue variable) to a different AL to track last use. Set the TTL on this one to 60 days and really all you need is the user name field but that will need to be indexed so throw in some random string field or something. Create yet another rule to look for names that fall off your 6 month TTL AL to then add those names to your inactive "watch list" with a TTL of probably 0. Finally you have your last rule where you look for login events (failed or successful) where the user name is on this last list which then does whatever: send a notification, run a script to max out their credit cards, format the server they are logging onto, etc

Seems like a lot of rules and it sort of is but /shrug. From a development perspective you can adjust that 60 day TTL AL to something like 1 minute for testing and once you are satisfied can adjust it back out to 60 days w/o having to recreate everything.
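As an added example (not code from this thread or from ArcSight), the multi-list design described in the reply above, modelled in Python: a permanent privileged-user list, a last-use list whose entries expire after a 60-day TTL that restarts on every update, and a watch list fed by whatever expires out of the last-use list. Timestamps are day numbers as plain integers, the class and method names are my own, and the user names are constructed.

```python
"""Model of the three-active-list inactivity design (added example).

TTL semantics assumed here: adding or updating an entry restarts its TTL,
and an entry expires once (now - last update) exceeds the TTL.
"""
from typing import Dict, List, Optional

TTL_DAYS = 60  # last-use list TTL; shorten for testing, set back for production


class TtlList:
    """An active list keyed by user name. ttl=None means entries never expire."""

    def __init__(self, ttl: Optional[int]):
        self.ttl = ttl
        self.entries: Dict[str, int] = {}  # user -> day of last add/update

    def add(self, user: str, now: int) -> None:
        self.entries[user] = now  # add or refresh: TTL restarts

    def __contains__(self, user: str) -> bool:
        return user in self.entries

    def sweep(self, now: int) -> List[str]:
        """Remove and return entries older than the TTL (the analogue of the
        activelist:104 expiration audit events)."""
        if self.ttl is None:
            return []
        expired = [u for u, ts in self.entries.items() if now - ts > self.ttl]
        for u in expired:
            del self.entries[u]
        return expired


class InactivePrivilegedMonitor:
    """The rule chain from the reply: refresh last use on login, move expired
    names to the watch list, alert on logins by watched names."""

    def __init__(self, privileged_users, ttl_days: int = TTL_DAYS):
        self.privileged = TtlList(ttl=None)
        for u in privileged_users:
            self.privileged.add(u, 0)
        self.last_use = TtlList(ttl=ttl_days)
        self.watch = TtlList(ttl=None)

    def record_login(self, user: str, day: int) -> Optional[str]:
        """Process one login event (failed or successful). Returns an alert
        string if the account had previously gone inactive, else None."""
        alert = None
        if user in self.watch:  # final rule: login by an inactive privileged account
            alert = f"ALERT day {day}: login by inactive privileged account {user}"
        if user in self.privileged:  # rule 1: track last use of privileged names only
            self.last_use.add(user, day)
        return alert

    def sweep(self, day: int) -> List[str]:
        """Rule 2: names that fall off the last-use list join the watch list."""
        expired = self.last_use.sweep(day)
        for u in expired:
            self.watch.add(u, day)
        return expired


if __name__ == "__main__":
    m = InactivePrivilegedMonitor(["alice", "bob"])  # constructed names
    m.record_login("alice", 0)
    m.record_login("bob", 0)
    m.record_login("alice", 30)
    print("expired at day 61:", m.sweep(61))
    print(m.record_login("bob", 62))
```

Running the sweep daily (as the original question proposes for its scheduled rule) is what turns the TTL into the "60 days since last login" check; the alert itself fires on the next login attempt by a watched name rather than on the expiration, which is the behaviour the reply describes.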

So with the getactivelistvalue() function, I could obtain my date. That sounds great.

But if I understand correctly, I can't use the result of the function to make my operation Today_time - Value_return_by_getactivelistvalue.

Using the TTL function is a great solution.

Because now I have created a correlation rule to populate my AL with all Privileged Users and Date of login and keep it up to date.

Using the TTL, only the users which have no activity will be deleted from my AL.

But can I trigger an alert when ArcSight removes the user from the Access List because the TTL expired?

In that case, it means that I'll be aware that an Old User with 60 should be removed.


Absent Member.

The active list expiration audit event you are looking for is

AND

deviceEventClassId = activelist:104

fileName =

deviceCustomString4 has a pipe delimited string that contains the full record of what expired off the list. It is likely you will have to do some variable work to manipulate that depending on how many fields you have in the active list and which field you are trying to grab.

Thanks all,

Now I can retrieve the field which expired from my Activelist.

The field is located on

DeviceCustomString4 variable.

The content of the field is

SYSTEM|null

I would like to extract the SYSTEM substring into a variable.

Because what I need to do now is:

- Extracting the name before the |null ==> so obtaining SYSTEM

and use this extracted String to show if the value is present in another activelist which contains the Blocked People.

I've a second correlation rule to match on

DeviceEventCategory = /activelist/expire

DeviceEventClassID = activelist:104

Filename = PrivilegedUser   ===> which is the name of the activelist which is updated by my rule with the TTL.

Now I don't see how I can use the deviceCustomString4 for my other rule.

I've read something with Velocity Expression but I don't know its usage.

You'll need to create variables utilizing substring and indexOf to parse out the fields, so for example:

deviceCustomString4 = "pokemon|pikachu|3 march 2011"

You'd do the following to parse out the fields utilizing variables:

getFirstIndex = index_of(|,deviceCustomString4) //result = 8

getFirstField = substring(deviceCustomString4,0,getFirstIndex) //result = pokemon

addOneFirst = add(getFirstIndex,1) // We do this to go past the delimiter

getRemainingFields1 = substring(deviceCustomString4,addOneFirst,-1) // take everything after the delimiter and save it in the new variable, the -1 tells it to go to the end - the result is "pikachu|3 march 2011"

getSecondIndex = index_of(|,getRemainingFields1) // result = 8

Rinse and repeat until all fields are parsed.

Make sense?

Thanks again,

I guess I need to use the String function.

But how can I use my variable in my condition?

For example, with the string function I've extracted the user Pokemon.

So now, my getname variable contains Pokemon.

I would like to use a condition

And

Target name = Getname

isinactivelist(myUserList)
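As an added example (not code from this thread or from ArcSight), the parsing chain described in the "substring and indexOf" reply and the condition asked about in the last post, written in Python: the pipe-delimited record from an activelist:104 expiration audit event is split one field at a time with only index-of and substring steps, the first field is taken as the user name, and that name is tested for membership in a stand-in for the blocked-users list. The event dictionary, the blocked-user set and the function names are my own constructions; the field names match those named in the thread. Python's `str.find` is zero-based, so the index values it returns differ from the numbers quoted in the reply.

```python
"""Parse an active list expiration record and evaluate the membership
condition (added example, not ArcSight code)."""
from typing import Dict, List, Optional, Set


def split_delimited(record: str, delimiter: str = "|") -> List[str]:
    """Split `record` using only index-of and substring operations, mirroring
    the variable chain getFirstIndex -> getFirstField -> addOneFirst ->
    getRemainingFields1 -> ... from the thread."""
    fields: List[str] = []
    remaining = record
    while True:
        idx = remaining.find(delimiter)  # index_of(delimiter, remaining); -1 if absent
        if idx == -1:
            fields.append(remaining)  # no delimiter left: this is the last field
            return fields
        fields.append(remaining[:idx])  # substring(remaining, 0, idx)
        remaining = remaining[idx + 1:]  # substring(remaining, idx + 1, -1)


# Constructed sample audit event; only the fields the thread mentions are present.
SAMPLE_EXPIRE_EVENT: Dict[str, str] = {
    "deviceEventClassId": "activelist:104",
    "deviceEventCategory": "/ActiveList/Expire",
    "fileName": "PrivilegedUser",
    "deviceCustomString4": "SYSTEM|null",
}

# Constructed stand-in for the "Blocked People" active list.
BLOCKED_USERS: Set[str] = {"SYSTEM", "svc_backup"}


def expired_user(event: Dict[str, str], watched_list: str = "PrivilegedUser") -> Optional[str]:
    """Return the user name of the entry that just expired from `watched_list`,
    or None when the event is not an expiration from that list."""
    if event.get("deviceEventClassId") != "activelist:104":
        return None
    if event.get("fileName") != watched_list:
        return None
    record = event.get("deviceCustomString4") or ""
    user = split_delimited(record)[0].strip()  # first field = Target Username
    return user or None


def evaluate(event: Dict[str, str], blocked_users: Set[str],
             watched_list: str = "PrivilegedUser") -> Dict[str, object]:
    """The second rule: match an expiration from the privileged list and report
    whether the extracted name is present in the blocked list (the
    isInActiveList(myUserList) condition from the last post)."""
    user = expired_user(event, watched_list)
    if user is None:
        return {"match": False}
    return {"match": True, "user": user, "in_blocked_list": user in blocked_users}


if __name__ == "__main__":
    print(split_delimited("pokemon|pikachu|3 march 2011"))
    print(evaluate(SAMPLE_EXPIRE_EVENT, BLOCKED_USERS))
```

The loop is the "rinse and repeat" from the reply made explicit: each pass consumes one field and the delimiter after it, and the absence of a further delimiter terminates the chain, which is also the case to handle when the active list has a single field. Filtering on deviceEventClassId and fileName first keeps update (activelist:103) events from other lists out of the rule.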