
Rule to read from ActiveList


Hi,

I have a rule that is filling an active list with information about logins. Now I need to read from the Active List and send a notification when specific entries exist in a specific time interval (24 hours).

I could have used the same rule and configured aggregation, but as I understand it, it's not recommended to use aggregation for more than a 5-minute interval, as this adds to memory usage, so it's better to fill the active list and then read from it.

What I know is that I should use a Rule to send a notification, but how do I read from the ActiveList?

This is the Active List that i have:

Target Username, Attacker address, Attacker Country, Creation Time, Last Modified Time, Count

The last 3 fields are auto-generated by the active list, and I need to compare whether the same user has logged in from different countries in the last 24 hours, which is the "Last Modified Time".

Regards,

Mustapha

Accepted Solutions

Re: Rule to read from ActiveList


Hello Mustapha,

If the Active List you are using is only relevant to your scenario (and not other parts of the SIEM), then just set the expiration interval for your entries to 24 hours. This way you would have the following scenario:

1. Successful Login event from user1 from country1 - add it to Active List and set expiration period for 24 hours (here you need your first rule, to populate the Active List)

2. If within those 24 hours you get another Login event from user1 but from country2, then trigger your alert - here you need a second rule that continuously looks for Login events, and when it gets one it compares the values from the Login event to the values from the Active List

3. If within those 24 hours you get another Login event from user1 but from country1, then just update the "Last Modified Time" field - this should be done automatically by the rule adding Login information to your Active List (the same rule you would use for point 1); so nothing more to do here

4. If within 24 hours nothing relevant happens, then the entry will be deleted and the process will start all over again with the first new Login of user1

I hope I understood your scenario correctly; if so, I think the solution above should work.

All the best,

Stefan



Re: Rule to read from ActiveList


I think you have to create a session list to save the Microsoft authentication login successes and feed this session list by a correlation rule.

Then you can create another rule looking for Microsoft logins and use local variables of type GetSessionData to match the authentication data. If it's matched with the user name and a different country, then trigger a correlation event.

Regards


Re: Rule to read from ActiveList


Hi Stefan,

I got your point, interesting thought

But I still couldn't apply it. I'm not able to understand how I can match a specific field in the event against a specific entry in an active list. I tried several scenarios with no luck; I'm not sure what's missing.

Could you give me an example?

Mustapha

Re: Rule to read from ActiveList


Hello Mustapha,

Let me give you a short example I have in my demo environment:

1. I have a rule that checks for authentication events for some test users. When I have a hit, I add the usernames to the following Active List, which has the "User Account" field as key field:

al.jpg

2. I have my second rule which retrieves the values from the Active List above, and compares them to values in my current events. In the "Local Variables" tab, just add a new variable (in my case User_Name_AL) and choose Function -> List -> GetActiveListValue and of course, select your corresponding Active List; after that you will see something like the picture below.

In the "Field" field below where you can see "User_Name_Rule", you should fill in with real fields from your current events - like Target User Name in this situation. I am using this extra step with a second local variable because I needed to transform everything to uppercase. "User Account" from the "Name" field in the configuration below is your entry from the Active List above, the key field.

getALvalue.jpg

The conditions in my situation for this second rule are very basic, since I am only looking for authentication events - but from users that have already been authenticated before and are in the Active List! And I am doing that only by comparing the "Target User Name" in my current event (which in the picture below is represented by the local variable "User_Name_Rule" mentioned above for having it in upper case) with the value of the corresponding field from the Active List:

rule.jpg

Basically the important thing to remember here is that you can define a Local Variable (in my case above "User_Name_AL") through which you can access each field in your Active List, and generate conditions based on those fields. In your case you would have to check that the Target User Name is in your list and whether or not the Country from your list also matches the Country from your event - and make your decision based on that.

Actually, my scenario above is doing pretty much the same thing as in your situation, only a bit less complex:

-> Search for authentication events and add authenticated users to Active List (first rule, not pictured above)

-> Subsequent authentication events will be processed through the second rule (described above); the rule will check whether or not that specific user name was already authenticated before by checking specific field from the Active List entries

Do let me know whether or not this is clear. If there is still something not working for you, also let me know.

Good luck,

Stefan


Re: Rule to read from ActiveList


Hi Stefan,

Your suggestion is exactly what I thought about after reading the user Console guide page 495 "Example: Using Active Lists to Correlate Users", and I found what I was missing in my logic, but I'm still stuck. Even though your suggestion is logical, here's what I have now, and what I'm facing:

1. Active list "User Logins", Expire in 24 hours.

2. Rule 1: Check for Login Events, and populate the Active List with the following info, 3 fields should be Key Fields:

Target Username (Key), Attacker address (Key), Attacker Country (Key), Creation Time, Last Modified Time, Count


3. Rule 2: Check for Login Events, using same filter as Rule 1 + there's a local variable "getActiveListValue".

This variable will match all rows in the Active List matching the key fields


Now consider there's a new login from a new country: this will not be fetched by the local variable, since this is a new IP and Country with the same username, but all of these are key fields, so the variable will fetch nothing, and I can't compare!


What do you think?


Mustapha

Re: Rule to read from ActiveList


I have another thought:

1. Active List 1 "User Logins", Expire in 24 hours.

Target Username (Key), Attacker address (Key), Attacker Country (Key), Creation Time, Last Modified Time, Count

2. Active List 2 "User Logins 2", Expire in 24 hours.

Target Username (Key), Attacker address, Attacker Country, Creation Time, Last Modified Time, Count

3. Rule 1: Check for Login Events, and populate the two Active Lists.

4. Rule 2: Check for Login Events, using the same filter as Rule 1 + local variable "getActiveListValue".

This variable will match all rows in the "Active List 2" matching the key field Target Username; if the country is different, then I will raise the alert.

But which rule will work first? Rule 1 or Rule 2?! Because of this it might not work as expected. I read about Scheduling Rules, but I'm not sure if this works on my ESM, it's a 5.x version; I will check and get back to you.

Let me know your thoughts team.

Mustapha

Re: Rule to read from ActiveList


Hello Mustapha,

Just a quick thought since I can't actually check myself in my environment right now, but I understood your issue - do you really need to have "Country" as a Key Field in your Active List? Can't you just use it as a normal field?

If I am not omitting something, the only key field you would need should be your Target Username - that is what you are looking for. After that you also check the Country, but I would not configure it as a Key Field (of course, if I am not missing something due to the fact that I can't check that right now).

All the best,

Stefan


Re: Rule to read from ActiveList


Hey Mustapha,
There has to be a very simple solution, which is based on two rules.

1. First rule is a lightweight rule which is populating session active list. Key field is targetUsername, another field is attackerGeoCountryName. No other fields please. Please be aware that to make this possible you also have to use Fields-based AL, not Event-based.

2. Second rule is our notification rule. Prepare the local variable with getting info from the active list. The conditions are:
     2.1) UserName is in Active List (activelist with sessions). Here we are checking that user has already been logged on from some country.
     2.2) GetSessionALCountryName != attackerGeoCountryName (localvariable). Here we are checking that current country that is populated in the incoming event is different from the country that was previously been written in the AL.

Your AL TTL value must be 24h. That's gonna do the trick.

Please mark this post as correct if it was helpful.

Regards.


Re: Rule to read from ActiveList


Hi Stefan,

Yes, the country and IP should be Key fields, since each time a new login should be populated with this info. If the country and target are not key fields, then the Active List info will be filled on top of each other, with the count increasing.

Example:

First Login in: User 1 - IP A - Country A

Second Login: User 1 - IP B - Country B

The resulting Active List will be one entry for user 1

"User1 - IP B - Country B"

I have validated this through testing.

Mustapha

Re: Rule to read from ActiveList


Hello Mustapha,

You are right, that is how it will behave. However, if you check all necessary conditions within the rules (adding a third rule), you should be able to make it work.

Updated rules idea with an Active List having User Name as key field and Country as non-key field:

First rule:

-> You search for Authentication Events

-> You check if your User is already in the Active List

-> If the User is not in the Active List, you add him to the list with the corresponding Country

Second rule:

-> You search for Authentication Events

-> You check if your User is already in the Active List

-> If the User is in the Active List and the Country is the same, you add the user again to the Active List (so you overwrite the entry from the First Rule)

Third rule:

-> You search for Authentication Events

-> You check if your User is already in the Active List

-> If the user is in the Active List and the Country is not the same, you raise the alert and do whatever you consider fit - overwrite the entry from the First Rule, delete the entry from the First Rule or delete the entry from the First Rule and add the new entry (User Name with new Country)

The three rules above should never get triggered two at the same time - so for each Authentication event, only one of the three Rules above should get triggered, covering all the scenarios I can think of right now. It is like using IF/ELSE clauses.

Do let me know if I am wrong.

All the best,

Stefan


Re: Rule to read from ActiveList


Thank you Stefan and Nikolay for your feedback on this. You were right all the time; I created confusion for nothing. It's as you first suggested, Stefan, and as clearly stated again by Nikolay.

The solution is briefly stated below. The missing thought was in the key fields. I appreciate your help, guys.

1. Active List "User Logins", Expire in 24 hours.

Target Username (Key), Attacker address, Attacker Country, Creation Time, Last Modified Time, Count

2. Rule 1: Check for Login Events, and populate the Active Lists.

3. Rule 2: Check for Login Events, using the same filter as Rule 1 + local variable "getActiveListValue".

This variable will match all rows in the Active List matching the key field Target Username; if the country is different, then I will raise the alert.

Thanks again.

Mustapha
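The two points the thread settles on, Stefan's accepted design (a 24-hour expiring Active List keyed on the user, one rule to populate it and a second rule that compares the incoming country against the stored one) and Mustapha's test result that extra key fields make the lookup miss the earlier login, are shown together in the added example below. This is illustrative Python written for this page, not code from the thread, from ArcSight or from Micro Focus. It assumes a simplified fields-based Active List (non-key fields overwritten on update, expiry measured from Last Modified Time) and that the notification rule evaluates an event before the populating rule updates the list; the event names, IP addresses and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

TTL = timedelta(hours=24)  # the thread's "Expire in 24 hours"


class ActiveList:
    """Simplified model of a fields-based Active List (assumption, not ESM's code).

    Entries are addressed by the tuple of key fields; non-key fields are
    overwritten on update (the behaviour Mustapha observed in testing), and an
    entry is dropped once its Last Modified Time is older than the TTL.
    """

    def __init__(self, key_fields, ttl=TTL):
        self.key_fields = tuple(key_fields)
        self.ttl = ttl
        self.entries = {}  # key tuple -> entry dict with creation/last_modified/count

    def _key(self, fields):
        return tuple(fields[f] for f in self.key_fields)

    def _expire(self, now):
        stale = [k for k, e in self.entries.items() if now - e["last_modified"] > self.ttl]
        for k in stale:
            del self.entries[k]

    def add(self, fields, now):
        """Rule 1 action: 'Add to Active List'."""
        self._expire(now)
        key = self._key(fields)
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = {**fields, "creation_time": now, "last_modified": now, "count": 1}
        else:
            entry.update(fields)  # non-key fields are replaced by the newest login
            entry["last_modified"] = now
            entry["count"] += 1

    def lookup(self, fields, now):
        """getActiveListValue: returns the entry whose key fields match the event, or None."""
        self._expire(now)
        return self.entries.get(self._key(fields))


def process_logins(key_fields, events):
    """Run Rule 2 (compare) then Rule 1 (populate) over each login event.

    Returns (alerts, active_list); each alert is (user, stored country, new country).
    """
    al = ActiveList(key_fields)
    alerts = []
    for ev in events:
        now = ev["time"]
        login = {"user": ev["user"], "ip": ev["ip"], "country": ev["country"]}
        prior = al.lookup(login, now)  # Rule 2: is this user already in the list?
        if prior is not None and prior["country"] != login["country"]:
            alerts.append((login["user"], prior["country"], login["country"]))
        al.add(login, now)  # Rule 1: record (or refresh) the login
    return alerts, al


# Constructed sample logins: same user, second login from another country one
# hour later, third login 29 hours after the second (past the 24h TTL).
T0 = datetime(2020, 1, 1, 8, 0)
SAMPLE_LOGINS = [
    {"time": T0, "user": "user1", "ip": "198.51.100.10", "country": "Country A"},
    {"time": T0 + timedelta(hours=1), "user": "user1", "ip": "203.0.113.20", "country": "Country B"},
    {"time": T0 + timedelta(hours=30), "user": "user1", "ip": "198.51.100.10", "country": "Country A"},
]

if __name__ == "__main__":
    # Key on the user only (the accepted design): the second login is caught.
    alerts, _ = process_logins(("user",), SAMPLE_LOGINS)
    print("user-only key:", alerts)
    # Key on user + IP + country (Mustapha's first attempt): the lookup never
    # matches the earlier entry, so nothing is raised.
    alerts, _ = process_logins(("user", "ip", "country"), SAMPLE_LOGINS)
    print("user+ip+country key:", alerts)
```

Running it shows one alert for the first configuration and none for the second; the third login produces no alert in either case because the entry has expired, matching Stefan's step 4. Real ESM rules may evaluate in a different order than the compare-then-populate sequence assumed here, which is the scheduling concern Mustapha raises in the thread.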