5 Replies Latest reply on Jan 29, 2015 8:42 AM by ryan.fitzpatrick

    Disabled user login attempt

    nirhalfon

      Hey,

      When trying to create a very basic correlation rule that just catch an disabled user login attempt: (windows event id: 531).

      The correlation is catching computers account aswaell, with the difference of dollar sign $ in the end.

       

      I want to filter out the dollar sign, so this rule will be only for users.

      The issue is that, I dont see any option to do it in ESM.

       

      There is not such option to set filter based on: user name NOT LIKE %% unlike other SIEM products i know...

       


        • 1. Re: Disabled user login attempt
          Scott Taschler

          The best way to handle this kind of a use case is to create a Dynamic Watchlist that includes all the computer accounts, and then use the watchlist to filter these accounts out of your correlation rule.  Try this as a regex in the Dynamic Watchlist:

           

          ^[a-z]\S+\x{24}.+$

           

          Below you'll see a screenshot of the watchlist configuration:

           

          watchlist.jpg

           

           

          Scott

           

          • 2. Re: Disabled user login attempt
            rth67

            Depending on how large your environment is, and what version of software you are running, you may have to break up your watchlist in to multiple watchlists.

            Watchlist maximum values are 9.1.x (10,000); 9.2.x (25,000), 9.3.x (1,000,000)

            • 3. Re: Disabled user login attempt
              ciffus

              In practice, you'll want to use ^[a-zA-Z]\S+\x{24}.+$ as the regex is case sensitive.

              We found this out the hard way.

              But your post was a GREAT way to start, Scott. Keep up the good work!

              • 4. Re: Disabled user login attempt
                curesec

                For our environment the regex ^\s?[\w]*+\$\s worked best.

                 

                • ^ assert position at start of the string
                • \s? match any white space character [\r\n\t\f ]
                  • Quantifier: ? Between zero and one time, as many times as possible, giving back as needed [greedy]
                • [\w]*+ match a single character present in the list below
                  • Quantifier: *+ Between zero and unlimited times, as many times as possible, without giving back [possessive]
                  • \w match any word character [a-zA-Z0-9_]
                • \$ matches the character $ literally
                • \s match any white space character [\r\n\t\f ]
                • 5. Re: Disabled user login attempt
                  ryan.fitzpatrick

                  Some other tidbits too when tuning rules;

                   

                  Create a watchlist that will be used for tuning out certain fields
                  Whitelisted user <Rule Name>
                  Whitelisted source IP <Rule Name>

                  Whitelisted destination IP <Rule Name>

                  etc, depending on what type of correlation rule you are using.

                   

                  Then, filter your search results for the rule you are looking to tune.
                  Then using the event drill down, do a drill down based on the field you are wanting to filter. In this particular case, pancake menu > drill down > Application > Source User


                  This will now show you an event count by source user, and you can start adding these to your watchlist you will use to filter the results.

                   

                  Select multiple names that are showing up that you want to whitelist and go to the pancake menu > actions > append to watchlist

                   

                  This will show you the values you selected, and lets you place them in the watchlist you will be using for whitelisting.

                   

                  After you have created your watchlist, go to the correlation rule you are tuning, and add an entry to your filter where source user NOT IN Whitelisted User <Rule Name>

                   

                  By performing it this way you take a more manual approach, however, you have less likelihood at blowing up your ESM from having a correlation rule looking against 100,000+ entries it can find for system accounts, and also, you can set your correlation rule for logon_type IN 2 - Interactive, 10 - RemoteInteractive and look for logons specific to RDP connections and console logons instead of kerberos network logons from systems.

                   

                  Thank you, and hope it helps.