8 Replies Latest reply on Aug 28, 2017 11:16 PM by itgfcsys

    Correlation rules and regex/contains filter options

    robert_dearbytes

      A very simple question but having a hard time to find the answer. Can a correlation rule -> match component contain regex or contains() filters to trigger on a part of a value?


      example: contains(admin) for a source user.


      If not, are there any other ways to trigger on a part of a value in a correlation rule?

        • 1. Re: Correlation rules and regex/contains filter options
          robert_dearbytes

          Looks like contains and regex are limited to "random string" fields. "string" fields (like source user) do not have the option for regex/contains. Is there still a way to filter on a specific value for a source user or any other string field?

          • 2. Re: Correlation rules and regex/contains filter options
            alexander_h

            Hi Robert,


            I'm doing something similar with Dynamic watchlists,

            You can use some ESM strings to match.

            For example, if you specify only "(adm\w{2})" it will return results for all accounts encountered in events containing that string (seems like it works with regex).


            Let me know how it goes

            • 3. Re: Correlation rules and regex/contains filter options
              alexander_h
              Source Type: Select the type of source the search should run against. The remaining fields on the page will vary based on the type you select. Most of them are self-explanatory.

              If you select ESM Strings, it searches the StringMap table, which contains strings found in events. If you select ESM Rule Names, it searches the rule messages from the Rule table, which contains a short description of the rule. When you select these types, enter the regular expression or string search criteria in the Search field. Searches are case sensitive by default. To perform a case-insensitive search, surround your search string or regular expression with forward slashes followed by i, such as /Exploit/i.

              • 4. Re: Correlation rules and regex/contains filter options
                robert_dearbytes

                Hi Alexander,


                hmmm... I'll give it a shot tomorrow and see what comes out


                I'll post the results.

                • 5. Re: Correlation rules and regex/contains filter options
                  robert_dearbytes

                  Okay, so I can't input ESM strings into "string" fields in correlation rules. Well... I can, but it won't work. But using dynamic watchlists and ESM strings you can get the same results and then use the watchlist or lists in the correlation rule. Tried it and it works.


                  So when you have a correlation rule and need to trigger on a part of a value:

                  - if the field is of the type "random string", you can select contains or regex and then type the value/string that needs to be triggered on.

                  - if the field is of the type "string", you will need to create a dynamic watchlist with source "esm strings"; the fields (types) that you can choose on the last tab are of the type "string".


                  Thanks for the help Alexander! You pushed me in the right direction!

                  • 6. Re: Correlation rules and regex/contains filter options
                    alexander_h

                    It's good experience for all of us

                    • 7. Re: Correlation rules and regex/contains filter options
                      r_gine

                      I know I'm a couple of years late but I'm still running into a similar issue....


                      We monitor for Windows Security Groups that are created outside of a group of users authorized to create domain groups in our environment. We do not want to alert when the group created starts with 'sd -' (for software distribution groups).


                      So our rule is:


                      Signature ID (in) 43-263047540, 43-263047270,43-263047310

                      Source User (not in) [group of users authorized to make security groups]

                      Object (not in) [regex(SD|sd).*]


                      Unfortunately this is not working.


                      'Object' is a 'String' data type.  I'm having a hard time wrapping my head around building a dynamic watchlist for this.


                      Thanks for any help/suggestions!


                      -Ryan

                      • 8. Re: Correlation rules and regex/contains filter options
                        itgfcsys

                        Noted in a previous post:

                        when you have a correlation rule and need to trigger on a part of a value:

                        - if the field is of the type "random string", you can select contains or regex and then type the value/string that needs to be triggered on.

                        - if the field is of the type "string", you will need to create a dynamic watchlist with source "esm strings"; the fields (types) that you can choose on the last tab are of the type "string".
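The following Python script is an added example, not code from this thread or from McAfee ESM. It models the two mechanisms the thread lands on: the ESM Strings search syntax quoted in reply 3 (case-sensitive by default, /pattern/i for case-insensitive) used to build a dynamic watchlist from a constructed StringMap, and the exact-membership "in"/"not in" evaluation of a string field that Ryan's rule in reply 7 relies on. The StringMap contents, the events, the authorized-user set and the assumption that watchlist membership on a string field is exact equality are all constructed for the example; the signature IDs are the ones from Ryan's post.

```python
import re

# Constructed stand-in for the ESM StringMap table: distinct string values
# seen in events (in a real ESM this is populated from ingested events).
STRING_MAP = [
    "Domain Admins", "adm01", "adm_svc", "Finance",
    "SD - Chrome", "sd - Office", "Exploit-DB", "exploit kit",
]

# Signature IDs taken from the rule in reply 7.
SIGNATURE_IDS = {"43-263047540", "43-263047270", "43-263047310"}

# Constructed events: (event id, signature id, source user, object).
EVENTS = [
    ("E1", "43-263047540", "jdoe", "Finance"),       # unauthorized user, normal group
    ("E2", "43-263047540", "jdoe", "SD - Chrome"),   # unauthorized user, SD group
    ("E3", "43-263047270", "adm01", "Finance"),      # authorized user
    ("E4", "10-0000000000", "jdoe", "Finance"),      # signature not in the rule
]

# Constructed set of users authorized to create groups.
AUTHORIZED = {"adm01", "adm_svc"}


def parse_esm_search(search):
    """Search syntax quoted in reply 3: a plain string or regex is
    case-sensitive; /pattern/i makes it case-insensitive."""
    m = re.fullmatch(r"/(.*)/i", search, re.S)
    if m:
        return re.compile(m.group(1), re.IGNORECASE)
    return re.compile(search)


def build_watchlist(search, string_map=STRING_MAP):
    """Dynamic watchlist with source 'ESM Strings': every StringMap value
    the expression matches anywhere (assumed: unanchored search)."""
    rx = parse_esm_search(search)
    return sorted(s for s in string_map if rx.search(s))


def rule_fires(event, authorized, sd_watchlist):
    """Evaluate the rule from reply 7 for one event.
    Assumption: 'in' / 'not in' on a string field is exact membership,
    so a regex typed as a list value is compared literally and never
    equals a real group name."""
    _, sig_id, src_user, obj = event
    return (sig_id in SIGNATURE_IDS
            and src_user not in authorized
            and obj not in sd_watchlist)


def fired_events(events, authorized, sd_watchlist):
    """Return the ids of the events the rule fires on."""
    return [e[0] for e in events if rule_fires(e, authorized, sd_watchlist)]


if __name__ == "__main__":
    print("adm accounts:", build_watchlist(r"(adm\w{2})"))
    print("case-insensitive:", build_watchlist("/exploit/i"))
    sd = build_watchlist("/^sd -/i")
    print("SD watchlist:", sd)
    print("fires with watchlist:", fired_events(EVENTS, AUTHORIZED, sd))
    # The regex text as a literal list value, as in reply 7: the
    # exclusion never matches, so the SD group still alerts.
    print("fires with literal regex:",
          fired_events(EVENTS, AUTHORIZED, {"(SD|sd).*"}))
```

Running it shows the point of reply 5 and reply 8: with the watchlist built from `/^sd -/i`, only E1 fires, because E2's object is excluded by the watchlist, E3 comes from an authorized user and E4 is not one of the rule's signatures. With the regex typed straight into the "not in" list, both E1 and E2 fire, since exact membership never equates the literal text "(SD|sd).*" with "SD - Chrome".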