
Applying logic from sensitive logons built-in rule to a rule using a different datasource

Hello,

The sensitive logons rule uses the security log and, as I have experienced and seen in other posts here, you have to do some crazy fine-tuning. Well, I've fine-tuned it, and the results are always inconsistent and generate a lot of false positives.

There is another datasource, InTrust User Session Tracking, with which I am very successfully recording all logon events (103, which is basically the summary of a session). Unfortunately, I want to compare the username to the workstation name so it only alerts on anomalous connections, like it should work in the sensitive logons rule.

I've looked at the XML of both my rule and the sensitive logons rule, but as I'm not a coder, I can't make heads or tails of it. Also, I assume the inputs from the different datasources would make a huge difference in what fields need to be called. A colleague of mine who's a developer was wondering if an instring comparison could be made between the username and the computer name.

Anyone have any thoughts on this?

Thanks!

  • Hi abronowitz,

    First of all, it is not clear to me which pre-defined rule you call sensitive logon; please clarify if you will not be happy with the following solution. The InTrust User Session Tracking summary event is not 103, but 100. 103 is the "ending by lock" event, but there are a number of other ending events. So, the following solution will be based on event 100. The default language for InTrust rules is the so-called "REL", and its functions are described here: https://support.quest.com/technical-documents/intrust/11.3.2/customization-kit/7. The rule should have a certain structure, and it is pre-created for you when you click "create new custom rule". The rule will be quite simple:

    <rule type="REL" version="1.0">
      <arguments>
      </arguments>
      <prefilter>
      </prefilter>
      <body>
        (EventID = 100)
        and not empty( regexp( "InTrust User Session Tracking",_DataSourceName,"i" ) )
        and (strstr( strlwr(String3),strlwr(String1)) != -1);
      </body>
    </rule>

    Here we use two types of comparison, "regular expression" and "string contains another string". _DataSourceName is the internal representation of the log name, "i" means case insensitive, and strstr returns the position of the first occurrence of expr2 in expr1. If expr1 does not contain expr2, -1 is returned. BTW, regexp is not mandatory here; it may be changed to strstr. As far as I understand, you want to check if the computer name contains the user name. String3 of event 100 represents the computer name where the event occurs, String1 represents the user name (without domain). All three conditions are combined by and. If this is not the logic you expect, let's change the conditions accordingly.

    For your convenience I will attach the rule in XML form, ready for importing into the configuration by means of the InTrustPDOImport tool, which can be found in the InTrust installation folder or on the DVD.

    20180822_aUserSessionTookPlace.zip
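The rule above cannot be executed outside InTrust, so the following added example (not InTrust's REL engine and not part of either post) models its three conditions in Python and runs them over constructed event-100 records. It uses only what the thread states: strstr returns the position of expr2 in expr1 or -1, strlwr lower-cases, the regexp on _DataSourceName is a case-insensitive match on the log name, and for event 100 String1 is the user name without domain and String3 the computer name. Two things the thread leaves open are labelled as assumptions in the code: how REL treats an empty String1 (the model refuses to match it, so an empty user name cannot satisfy the rule by accident), and the direction of the final comparison, since the posted rule fires when the computer name does contain the user name, whereas the original question asks for alerts on the anomalous case; `anomalous_logon` is that inverted variant. The third sample record shows the substring collision a short user name produces.

```python
"""Python model of the REL rule posted in this thread, run over constructed
InTrust event-100 records.

This is added example code, not InTrust's REL engine. Field names follow the
post: String1 = user name without domain, String3 = computer name.
"""

# Constructed sample events (not real log data); only the fields the rule reads.
SAMPLE_EVENTS = [
    {"EventID": 100, "_DataSourceName": "InTrust User Session Tracking",
     "String1": "alan", "String3": "ALAN-LAPTOP"},        # primary user on own machine
    {"EventID": 100, "_DataSourceName": "InTrust User Session Tracking",
     "String1": "svc_backup", "String3": "ALAN-LAPTOP"},  # other account on that machine
    {"EventID": 100, "_DataSourceName": "InTrust User Session Tracking",
     "String1": "al", "String3": "SALES-PC"},             # short name: substring collision
    {"EventID": 103, "_DataSourceName": "InTrust User Session Tracking",
     "String1": "alan", "String3": "ALAN-LAPTOP"},        # session-end event, not 100
    {"EventID": 100, "_DataSourceName": "Security",
     "String1": "alan", "String3": "ALAN-LAPTOP"},        # wrong data source
]


def rel_strstr(expr1: str, expr2: str) -> int:
    """strstr as described in the post: position of expr2 in expr1, or -1."""
    return expr1.find(expr2)


def rel_strlwr(s: str) -> str:
    """strlwr: lower-case the string so the comparison is case-insensitive."""
    return s.lower()


def _prefilter(event: dict) -> bool:
    """Conditions 1 and 2 of the rule: EventID = 100 and the User Session
    Tracking data source (modelled as a case-insensitive substring match)."""
    if event["EventID"] != 100:
        return False
    return "intrust user session tracking" in event["_DataSourceName"].lower()


def name_contained(event: dict) -> bool:
    """Condition 3 as posted: strstr(strlwr(String3), strlwr(String1)) != -1.

    Assumption (not stated in the thread): an empty String1 is treated as
    not contained, because str.find("") would otherwise return 0 and match
    every record.
    """
    user = rel_strlwr(event["String1"])
    if not user:
        return False
    return rel_strstr(rel_strlwr(event["String3"]), user) != -1


def rule_matches(event: dict) -> bool:
    """The posted rule verbatim: fires when the computer name CONTAINS the user name."""
    return _prefilter(event) and name_contained(event)


def anomalous_logon(event: dict) -> bool:
    """Inverted variant (an assumption about the intended logic): fires when
    the computer name does NOT contain the user name, i.e. the case the
    original question wants alerted."""
    return _prefilter(event) and not name_contained(event)


def evaluate(events: list, rule) -> list:
    """Return (user, computer) pairs for which the given rule function fires."""
    return [(e["String1"], e["String3"]) for e in events if rule(e)]


if __name__ == "__main__":
    print("posted rule fires on:", evaluate(SAMPLE_EVENTS, rule_matches))
    print("inverted rule fires on:", evaluate(SAMPLE_EVENTS, anomalous_logon))
```

Running the file shows the posted rule firing on the "alan" / "ALAN-LAPTOP" record and on "al" / "SALES-PC" (the collision), while the inverted variant fires only on "svc_backup" / "ALAN-LAPTOP". The collision is the kind of false positive worth testing for before tuning a rule of this shape: any user name that happens to be a substring of a host-naming convention will satisfy strstr.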

  • Hello Igor.Ilyin!

    Thank you for replying despite my obvious ignorance of how InTrust works. I inherited InTrust after it had already been configured. I was under the impression that the "Sensitive Logons" group was built in. Under that group, I have "Logon by non primary user", which looks at the security log and looks for different pieces of data in event IDs 528, 540 and 4624. If you're unfamiliar with this, I could provide the XML if you're interested.

    I will change to Event ID 100 and try out the rule you have provided me. Thank you very much for the resources. I'll let you know if it works as expected.

    Alan
