
Simple correlation help needed


Hi,

I am trying to write a correlation rule that fires when the same user
(InitiatorUserID) accesses the internet from two or more different
computers (SourceIP).

The rule I defined is as follows:

window((w.SourceIP != e.SourceIP),filter((e.EventName = "GET")), 120)
flow trigger(2,120,discriminator(e.InitiatorUserID))

But it always fires, i.e. when it fires the SourceIPs of the two events
are the same.

What am I doing wrong?

Thanks.


--
hkalyoncu
------------------------------------------------------------------------
hkalyoncu's Profile: https://forums.netiq.com/member.php?userid=3117
View this thread: https://forums.netiq.com/showthread.php?t=46481


Re: Simple correlation help needed


In the window operation the first boolean lets you compare the current
event with the events stored in the window; if any stored event matches
the boolean, the current event is forwarded to the trigger expression.
The second boolean expression (the filter) determines whether the current
event is stored in the window. In your case events with
e.EventName = "GET" are stored in the window for 120 seconds. Say you
have a sequence of events with the same InitiatorUserID,
e.EventName = "GET" and the following SourceIP sequence (a,b,b). This is
what will happen:

1. With the window empty, SourceIP a fails the boolean because there is
   nothing stored to compare against; the event with IP a is stored in
   the window {a}.
2. SourceIP b passes the window with the result {a}; IP b makes it to
   the trigger and is counted as 1 of 2; the event is stored in the
   window {a,b}.
3. SourceIP b passes the window again with the result {a}; IP b makes it
   to the trigger, which fires with both events having IP b; the event is
   stored in the window {a,b,b}.

In Sentinel 5 the window operation didn't support compound booleans like

OR: window(e.dip=w.dip OR e.sip=w.sip, filter(e.sev>2),60)
AND: window(e.evt=w.evt AND e.sun=w.sun, filter(e.sev>2),60)

but it did support 'in' and 'not in' operators, which worked like so:

window(w.SourceIP in e.SourceIP) ~ (w.SourceIP = e.SourceIP)!=null
window(w.SourceIP not in e.SourceIP) ~ (w.SourceIP = e.SourceIP)=null

If you could write

window((w.SourceIP not in e.SourceIP),filter((e.EventName = "GET")), 120)
flow trigger(2,120,discriminator(e.InitiatorUserID))

you would get:

1. With the window empty, SourceIP a passes the boolean because there is
   nothing stored with IP a; the event with IP a is stored in the window
   {a}, and the event makes it to the trigger {a}.
2. SourceIP b passes the window because there is no b in the window; IP
   b makes it to the trigger, which fires with {a,b}; the event is stored
   in the window {a,b}.
3. SourceIP b doesn't pass the window because b is already in the window;
   the event is stored in the window {a,b,b}.

It would seem like this would implement a unique operator for
discriminator to group by the same InitiatorUserID but by unique
SourceIPs, but there is a limitation that once a SourceIP is in the
window it no longer allows events through with that IP and different
InitiatorUserIDs.

Your rule works if the sequence is b,a,b or a,b,a, starting with an empty
window, so it helps to describe what you are trying to do with the rule
and to give details of the event sequence that is not working for you.


--
fpellegrino
------------------------------------------------------------------------
fpellegrino's Profile: https://forums.netiq.com/member.php?userid=1864
View this thread: https://forums.netiq.com/showthread.php?t=46481

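The following Python model is an added illustration, not code from either post and not Sentinel's own engine. It reproduces the window/trigger semantics fpellegrino describes: the first boolean is evaluated against the whole window before the current event is stored, the filter decides storage, and trigger(2, 120, discriminator(InitiatorUserID)) counts forwarded events per user. Event timestamps, the `Event`/`Correlator` names and the assumption that a trigger's per-user count resets after it fires are mine; the real product may differ in those details. Running it shows why `!=` fires on (a,b,b) with two identical IPs, why the hypothetical `not in` fires on {a,b} instead, why `!=` does work for b,a,b, and the cross-user limitation of `not in`.

```python
"""Toy model of the Sentinel window -> trigger correlation described in the reply.

Constructed example; the engine semantics are taken from the forum explanation,
not from product source. Timestamps are synthetic (one second per event).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Event:
    ts: float          # seconds, synthetic
    user: str          # InitiatorUserID
    sip: str           # SourceIP
    name: str = "GET"  # EventName


# The first boolean of window() sees every stored event (w) for the current event (e).
def cond_not_equal(window: List[Event], e: Event) -> bool:
    """window((w.SourceIP != e.SourceIP), ...): forward if ANY stored IP differs."""
    return any(w.sip != e.sip for w in window)


def cond_not_in(window: List[Event], e: Event) -> bool:
    """window((w.SourceIP not in e.SourceIP), ...): forward if NO stored IP matches.
    Vacuously true on an empty window, matching step 1 of the 'not in' walkthrough."""
    return all(w.sip != e.sip for w in window)


def filter_get(e: Event) -> bool:
    """filter((e.EventName = "GET")): decides whether e is stored in the window."""
    return e.name == "GET"


class Correlator:
    """window(cond, filter, window_secs) flow trigger(count, trigger_secs, discriminator)."""

    def __init__(self, cond: Callable[[List[Event], Event], bool],
                 flt: Callable[[Event], bool], window_secs: float,
                 count: int, trigger_secs: float,
                 discriminator: Callable[[Event], str]) -> None:
        self.cond, self.flt, self.window_secs = cond, flt, window_secs
        self.count, self.trigger_secs, self.discriminator = count, trigger_secs, discriminator
        self.window: List[Event] = []
        self.pending: Dict[str, List[Event]] = defaultdict(list)
        self.fired: List[List[Event]] = []

    def feed(self, e: Event) -> Optional[List[Event]]:
        # Expire stored events older than the window duration.
        self.window = [w for w in self.window if e.ts - w.ts <= self.window_secs]
        # 1. Evaluate the first boolean against the window BEFORE storing e.
        forward = self.cond(self.window, e)
        # 2. The filter decides whether e itself is kept for later comparisons.
        if self.flt(e):
            self.window.append(e)
        if not forward:
            return None
        # 3. Trigger: count forwarded events per discriminator value within trigger_secs.
        key = self.discriminator(e)
        group = [p for p in self.pending[key] if e.ts - p.ts <= self.trigger_secs]
        group.append(e)
        if len(group) >= self.count:
            self.fired.append(group)
            self.pending[key] = []   # assumption: count resets once the trigger fires
            return group
        self.pending[key] = group
        return None


def run(cond: Callable[[List[Event], Event], bool],
        seq: List[Tuple[str, str]]) -> List[List[Tuple[str, str]]]:
    """Feed (InitiatorUserID, SourceIP) pairs through the rule from the thread;
    return the (user, sip) pairs of every firing, in order."""
    c = Correlator(cond, filter_get, 120, 2, 120, lambda ev: ev.user)
    for i, (user, sip) in enumerate(seq):
        c.feed(Event(ts=float(i), user=user, sip=sip))
    return [[(ev.user, ev.sip) for ev in g] for g in c.fired]


if __name__ == "__main__":
    abb = [("u1", "a"), ("u1", "b"), ("u1", "b")]
    print("!= on a,b,b  :", run(cond_not_equal, abb))   # fires with b,b (the reported problem)
    print("not in a,b,b :", run(cond_not_in, abb))      # fires with a,b
    bab = [("u1", "b"), ("u1", "a"), ("u1", "b")]
    print("!= on b,a,b  :", run(cond_not_equal, bab))   # fires with a,b
    # Limitation of 'not in': u2's first event from IP a is blocked by u1's stored a.
    cross = [("u1", "a"), ("u2", "a"), ("u2", "b")]
    print("not in cross :", run(cond_not_in, cross))    # no firing for u2
```

The model makes the root cause visible: `!=` forwards an event as soon as any stored event has a different IP, so the trigger never checks that its own two events differ. A per-user "distinct SourceIP" count would need the discriminator field to take part in the window comparison, which is exactly what the reply says the `not in` workaround cannot do.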