Trying to pull a username from a description.

I am new to InTrust and I am trying to set up a rule that sends an alert when someone fails to log on with either a bad password or a bad username. The issue is that the logs come in entirely under insertion string 1 and Event ID 0. I have used three parameters thus far: Threshold for the 3 attempts, Time Period, and Keys to define the failed logon message within the field. I need it to now read the username written in that same field. If someone could help me out I would greatly appreciate it. Thank you!

  • And the whole rule with the threshold might look as follows. The only thing that is not good: this REL language cannot return the whole list of user names; the list is not accessible from outside. So you can only see the last user who triggered the rule; the user name is accessible as %UserName%.

    <?xml version="1.0"?>
    <rule type="REL" version="1.0">
      <arguments>
        <argument displayname="Time period" name="Time period" description="Time period in which the events occurred." class="DateTimeRange">
          <value>"0/00/0 01:00:00"</value>
        </argument>
        <argument displayname="Threshold" name="Threshold" description="Events threshold. The rule will match if the number of events exceeds the threshold." class="Number">
          <value>3</value>
        </argument>
        <argument displayname="Keys" name="Keys" class="List" description="A list of key phrases to search in the Insertion String 1.">
          <value>"*AFTRAK: Access Denied. This user is inactive.*","*AFTRAK: Access Denied. This user account does not exist.*"</value>
        </argument>
        <argument displayname="User Name Regexp" name="Key" class="Text" description="A regular expression for the user name to search in the Insertion String 1.">
          <value>".*Access Denied.*User Account: (.*)"</value>
        </argument>
      </arguments>
      <prefilter>
        EventID = 0;
      </prefilter>
      <body>
        EventID = 0

        and in(String1, "wi", array(<parameter name="Keys"/>))

        and count(select_filtered(
              EventID = 0 and in( String1, "wi", array(<parameter name="Keys"/>) ),
              Z.EventID = 0 and in( Z.String1, "wi", array(<parameter name="Keys"/>) ) and substr(String1, regexp(array(<parameter name="Key"/>), String1, "i")[1][0], regexp(array(<parameter name="Key"/>), String1, "i")[1][1]) != substr(Z.String1, regexp(array(<parameter name="Key"/>), Z.String1, "i")[1][0], regexp(array(<parameter name="Key"/>), Z.String1, "i")[1][1]),
              <parameter name="Time period"></parameter> ))
            &gt;= <parameter name="Threshold"></parameter>

        and empty(select_matches(
              EventID = 0,
              <parameter name="Time period"></parameter> ))

        and set_alert_field("UserName", substr(String1, regexp(array(<parameter name="Key"/>), String1, "i")[1][0], regexp(array(<parameter name="Key"/>), String1, "i")[1][1]));
      </body>
    </rule>
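The same detection logic run over sample events, as an added Python example that is not part of the original thread and not InTrust's REL: it applies the reply's key phrases and user-name regexp to Insertion String 1, counts failed attempts per extracted user inside a sliding time window, and also returns the full list of users seen in the window, which the reply notes REL cannot expose. The event lines are constructed; the "User Account: <name>" suffix is assumed from the regexp rather than taken from a real AFTRAK log, the "*...*" wildcards in the Keys argument are treated as a case-insensitive substring match, and per-user counting is a design choice of this example, not a claim about how `select_filtered` counts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Key phrases from the rule's "Keys" argument; the surrounding "*" wildcards are
# modelled as a case-insensitive substring match (assumption, not REL semantics).
KEYS = (
    "AFTRAK: Access Denied. This user is inactive.",
    "AFTRAK: Access Denied. This user account does not exist.",
)

# Same expression as the rule's "User Name Regexp" argument, case-insensitive like the "i" flag.
USER_RE = re.compile(r".*Access Denied.*User Account: (.*)", re.IGNORECASE)

# Constructed sample events: (timestamp, Event ID, Insertion String 1).
# The "User Account: <name>" suffix is an assumption derived from the regexp above.
_BASE = datetime(2024, 1, 15)
SAMPLE_EVENTS = [
    (_BASE.replace(hour=9, minute=0), 0, "AFTRAK: Access Denied. This user is inactive. User Account: jdoe"),
    (_BASE.replace(hour=9, minute=2), 0, "AFTRAK: Access Denied. This user account does not exist. User Account: asmith"),
    (_BASE.replace(hour=9, minute=5), 0, "aftrak: access denied. this user is inactive. User Account: jdoe"),
    (_BASE.replace(hour=9, minute=7), 4625, "An account failed to log on. User Account: jdoe"),  # wrong Event ID, ignored
    (_BASE.replace(hour=9, minute=8), 0, "AFTRAK: Access Denied. This user is inactive."),  # no user name, ignored
    (_BASE.replace(hour=9, minute=10), 0, "AFTRAK: Access Denied. This user is inactive. User Account: jdoe"),
    (_BASE.replace(hour=10, minute=30), 0, "AFTRAK: Access Denied. This user account does not exist. User Account: asmith"),
    (_BASE.replace(hour=10, minute=45), 0, "AFTRAK: Access Denied. This user account does not exist. User Account: asmith"),
]


def matches_keys(string1):
    """True if Insertion String 1 contains one of the key phrases (case-insensitive)."""
    lowered = string1.lower()
    return any(key.lower() in lowered for key in KEYS)


def extract_user(string1):
    """Return the user name captured by the regexp, or None if the message has none."""
    match = USER_RE.match(string1)
    return match.group(1).strip() if match else None


def is_failed_logon(event_id, string1):
    """The prefilter plus the key-phrase check from the rule body."""
    return event_id == 0 and matches_keys(string1)


def detect(events, threshold=3, window=timedelta(hours=1)):
    """Per-user sliding-window threshold.

    Returns a list of (timestamp, user, count) alerts, one for each matching
    event at which that user's failures inside the window reach the threshold.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    for ts, event_id, string1 in sorted(events):
        if not is_failed_logon(event_id, string1):
            continue
        user = extract_user(string1)
        if user is None:
            continue
        queue = recent[user]
        queue.append(ts)
        while queue and ts - queue[0] > window:  # drop failures older than the window
            queue.popleft()
        if len(queue) >= threshold:
            alerts.append((ts, user, len(queue)))
    return alerts


def users_in_window(events, at, window=timedelta(hours=1)):
    """All user names with a failed logon in the window ending at `at`, sorted."""
    users = set()
    for ts, event_id, string1 in events:
        if not is_failed_logon(event_id, string1) or not (at - window <= ts <= at):
            continue
        user = extract_user(string1)
        if user is not None:
            users.add(user)
    return sorted(users)


if __name__ == "__main__":
    for ts, user, count in detect(SAMPLE_EVENTS):
        print(f"{ts:%H:%M} threshold reached: UserName={user} ({count} failures)")
        print("  users failing in the last hour:", users_in_window(SAMPLE_EVENTS, ts))
```

With the constructed sample, only `jdoe` reaches three failures inside an hour (the mixed-case line still matches because both the key check and the regexp are case-insensitive), while `asmith`'s 09:02 attempt has aged out of the window by 10:30, so that user never alerts. The 4625 event and the message without a "User Account:" suffix are discarded by the prefilter and the regexp respectively, which is the same reason the REL rule needs both the Keys check and a regexp match before it can populate %UserName%.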