Posted by frufru1

Compare physical presence vs. logins

Hi all,

could you please help me with a rule (or rules) that would catch logins (failed and successful) to Active Directory where the person isn't at the PC's location?

We have:

1) An active list of people who are in the buildings (populated by logs from the card management system)

The active list has two event-based fields, Attacker User Name and Device Custom String (both are key fields)

Attacker User Name contains usernames (the same as the login usernames)

Device Custom String1 contains physical location (for example Street 1, Street 23, Street 34 etc.)

We're using the same location names for the network ranges in the network model (172.10.10.0/25 is Street 1, 172.10.11.0/24 is Street 23, etc.)

So a successful (or failed) login contains Attacker IP, Attacker Hostname, Attacker Zone Name (e.g. Street 1), etc.

How can I compare this login event with my active list?

Expected results are:

- find logins where Attacker Zone Name != Device Custom String1 (from the active list)

- find logins whose usernames aren't in the active list

I tried many, many rules, but I wasn't able to get it working.

Do you have any suggestions or tips on how to do that?

Thanks

Martin

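The two checks the post asks for, written out as an added example in plain Python rather than as ArcSight rule conditions (this is not ArcSight's own code or the poster's rules). It models the network model as a CIDR-to-zone table and the active list as a username-to-location map, then evaluates each login against them. The third network range (Street 34), the sample users and the sample logins are constructed for the example; the username normalization (strip a DOMAIN\ prefix, lower-case) is an assumption, since the badge feed and the AD logs may not spell usernames identically, and a login from an IP that falls in no modelled range is reported separately instead of being silently treated as a mismatch.

```python
"""Physical presence vs. login check.

Added example, not ArcSight or poster code: replays the logic of the
two requested rules over constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Network model: CIDR -> zone name. The first two ranges are the ones
# named in the post; Street 34's range is an assumption for this example.
NETWORK_MODEL = {
    "172.10.10.0/25": "Street 1",
    "172.10.11.0/24": "Street 23",
    "172.10.12.0/24": "Street 34",   # assumed range
}
_NETWORKS = [(ipaddress.ip_network(cidr), zone)
             for cidr, zone in NETWORK_MODEL.items()]

# Active list: Attacker User Name -> Device Custom String1 (badge location).
# Constructed sample rows standing in for the card-management feed.
ACTIVE_LIST = {
    "martin": "Street 1",
    "alice": "Street 23",
}


@dataclass(frozen=True)
class Login:
    """Minimal AD login event: only the fields the checks need."""
    user: str      # Attacker User Name as logged (may carry DOMAIN\ prefix)
    ip: str        # Attacker IP
    outcome: str   # "success" or "failure"; both are evaluated


def zone_for_ip(ip: str) -> Optional[str]:
    """Attacker Zone Name lookup: first network-model range containing ip."""
    addr = ipaddress.ip_address(ip)
    for net, zone in _NETWORKS:
        if addr in net:
            return zone
    return None  # IP is outside every modelled range


def normalize_user(user: str) -> str:
    """Assumption: badge feed uses bare lower-case usernames, AD may log DOMAIN\\user."""
    return user.split("\\")[-1].lower()


def evaluate(login: Login, active_list=ACTIVE_LIST) -> Tuple[str, Optional[str]]:
    """Return (verdict, detail).

    Verdicts: 'not_badged_in'     - rule 2: username absent from the active list
              'location_mismatch' - rule 1: zone of the login != badge location
              'unknown_zone'      - IP in no modelled range; cannot compare
              'ok'                - user is badged into the zone they log in from
    """
    user = normalize_user(login.user)
    zone = zone_for_ip(login.ip)
    if user not in active_list:
        return ("not_badged_in", zone)
    if zone is None:
        return ("unknown_zone", None)
    location = active_list[user]
    if zone != location:
        return ("location_mismatch", f"badged at {location}, login from {zone}")
    return ("ok", zone)


def find_suspicious(logins: List[Login], active_list=ACTIVE_LIST):
    """Everything that is not 'ok', as (login, verdict, detail) tuples."""
    results = [(login, *evaluate(login, active_list)) for login in logins]
    return [r for r in results if r[1] != "ok"]


# Constructed sample logins covering each outcome.
SAMPLE_LOGINS = [
    Login("martin", "172.10.10.5", "success"),        # badged at Street 1, login from Street 1
    Login("CORP\\Alice", "172.10.10.20", "failure"),  # badged at Street 23, login from Street 1
    Login("bob", "172.10.11.7", "success"),           # not in the active list at all
    Login("martin", "172.10.10.130", "success"),      # .130 is outside the /25 (0-127)
    Login("alice", "172.10.11.200", "failure"),       # badged at Street 23, login from Street 23
]

if __name__ == "__main__":
    for login, verdict, detail in find_suspicious(SAMPLE_LOGINS):
        print(f"{verdict:18} {login.user:12} {login.ip:15} {login.outcome:8} {detail}")
```

Note the fourth sample: 172.10.10.130 lies outside 172.10.10.0/25, so it gets no zone at all; in a real rule that case shows up as an empty Attacker Zone Name and deserves its own handling rather than being folded into the mismatch rule. Failed logins are evaluated the same way as successful ones, as the post asks.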