Using "Contains" operator with 2 Fields (Destination User Name & Local Variable)
I'm trying to make a rule that checks if the first or last name from the Source User Name exists in the Destination User Name, but unfortunately I cannot use either "Contains" or "In" with 2 fields, such as:
Destination User Name Contains LocalVariable1
Any advice on how to overcome this issue?
I'm using ArcSight 6.9.1
You can try something like this
Create six variables,
1. extracts the first name from the sourceusername
2. extracts the last name from the sourceusername
3. extracts the first name from the destinationusername
4. extracts the last name from the destinationusername
5. conditional variable that compares if the first names match
6. conditional variable that compares if the last names match
Group all of them to one global variable and use it as a filter or rule
See example below
Be sure to keep in mind that you have lower/upper case chars (you can use the toupper or tolower vars to handle that)
Thank you David for your prompt reply.
It's not clear how the comparison is made between the variables, would you please show me the condition that compares First or Last names? As the '=' operator already allows comparing 2 variables for an exact match.
But what I'm trying to do here is to check whether the first or last sourceUserNames are subsets of the destinationUserName, for example:
destinationUserName: firstname.lastname@example.org or email@example.com etc.
The aim of this rule is detecting similarities between the sender and the receiver E-Mails for monitoring data exfiltration.
I was able to extract the First and Last names from the sourceUserName (using basic methods as I'm not familiar with Regex), but I'm trying to find a workaround for the "Contains" operator.
I might have found another "basic" way of doing it, by using index_of function. I check to find the index of the source first/last names in the DestinationUserName, if the returned value is >=0, then the name is a substring, else -1.
index_of(GetSourceFirstName, DestinationUserName) >= 0
index_of(GetSourceLastName, DestinationUserName) >= 0
Would you suggest any further enhancement?
Your idea seems interesting as well. If it gets the job done then that's what matters 🙂
Regarding your question about conditional variables
This variable runs against a condition and provides true or false options to be created on demand
Here are the conditional vars I used for this example
By the way it may be much more effective to do all of this via the connector and not the console since you can use in the parser the extractregextoken and conditional mappings
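The variable chain discussed in this thread (extract first and last name from the source user name, lowercase both sides, then `index_of(name, destinationUserName) >= 0`) written out in Python as an added example for testing the logic offline; it is not part of the original posts or of ArcSight. The sample events are constructed, and stripping the `DOMAIN\` prefix and `@domain` suffix plus the minimum token length are my own assumptions added to limit false positives.

```python
import re

# Constructed sample events, not from the thread: (sourceUserName, destinationUserName).
SAMPLE_EVENTS = [
    ("jane.doe@corp.example", "jane.doe@example.org"),    # same person, personal mailbox
    ("Jane Doe", "doe_j@freemail.example"),                # last name reused
    ("CORP\\john.smith", "helpdesk@vendor.example"),       # unrelated recipient
    ("li.wu@corp.example", "wuli99@freemail.example"),     # tokens too short to trust
]

MIN_NAME_LEN = 3  # assumption: very short tokens match almost anything, so skip them


def local_part(user_name: str) -> str:
    """Drop a DOMAIN\\ prefix and an @domain suffix, then lowercase (the tolower step)."""
    name = user_name.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].lower()


def extract_names(user_name: str):
    """Variables 1 and 2 of the thread: first and last token of the source user name."""
    tokens = [t for t in re.split(r"[.\s_\-]+", local_part(user_name)) if t]
    if not tokens:
        return None, None
    first = tokens[0]
    last = tokens[-1] if len(tokens) > 1 else None
    return first, last


def name_overlap(source_user: str, destination_user: str):
    """The index_of(name, destination) >= 0 check, run against the destination local part.
    Returns the source name tokens found inside the destination (empty list = no match)."""
    dest = local_part(destination_user)
    hits = []
    for name in extract_names(source_user):
        # str.find() behaves like index_of: position >= 0 on success, -1 otherwise
        if name and len(name) >= MIN_NAME_LEN and dest.find(name) >= 0:
            hits.append(name)
    return hits


def flag_events(events):
    """Keep only events where sender and recipient share a name token."""
    flagged = []
    for src, dst in events:
        hits = name_overlap(src, dst)
        if hits:
            flagged.append((src, dst, hits))
    return flagged


if __name__ == "__main__":
    for src, dst, hits in flag_events(SAMPLE_EVENTS):
        print(f"possible self-addressed mail: {src} -> {dst} (shared: {', '.join(hits)})")
```

The fourth sample shows why a length floor matters: "li" and "wu" are real name tokens, but substring checks on two-letter names would fire on most recipients.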