Hi team,
We are working on a session hijacking case on the Slack log source, focusing on a series of events where $ip is greater than or equal to 2, which seems to be working with the current rule we have.
We are looking for a starting point to filter out events
so that only AWS IP events land in the $login1 event variable and non-AWS IP events in the $login2 set,
and
then form a series of events [which is currently being achieved by the sliding window $login1.metadata.event_timestamp.seconds < $login2.metadata.event_timestamp.seconds].
Can someone help point us in this direction, please?
===========
// Rule name and meta block are placeholders added here; the post showed only
// the section bodies plus a stray closing brace.
rule slack_session_hijack_aws_then_nonaws {
  meta:
    author = "PLACEHOLDER"
    description = "Slack login from an AWS-hosted IP followed within 2h by a login for the same user from a non-AWS IP"

  events:
    // $login1: login with a session id from an IP whose carrier is Amazon (AWS).
    $login1.network.session_id != ""
    $login1.principal.user.email_addresses = $user
    $login1.principal.ip_geo_artifact.network.carrier_name = /amazon/ nocase
    $login1.principal.ip = $aws_ip

    // $login2: same user, session id present, carrier is not Amazon.
    $login2.network.session_id != ""
    $login2.principal.user.email_addresses = $user
    $login2.principal.ip_geo_artifact.network.carrier_name != /amazon/ nocase
    $login2.principal.ip = $other_ip
    // Binding both IPs to one placeholder ($fip) forced them to be equal, which
    // the carrier filters contradict; two placeholders keep the sequence join.

    // Ordering: the AWS login precedes the non-AWS login.
    $login1.metadata.event_timestamp.seconds < $login2.metadata.event_timestamp.seconds

  match:
    $user over 2h

  outcome:
    // Distinct IPs seen across both login events in the window.
    $ip = count_distinct($aws_ip) + count_distinct($other_ip)

  condition:
    $login1 and $login2 and $ip >= 2
}
===========
Thank you!
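The sequence the rule above looks for, emulated in Python over a handful of constructed Slack login records so the join semantics can be checked offline (added example, not part of the original post or of the Chronicle product; the event dicts, the `is_aws` carrier test and the fixed 2h window are assumptions standing in for the UDM fields and the YARA-L match window):

```python
# Constructed sample Slack login events (ts in epoch seconds; not real data).
EVENTS = [
    {"ts": 1000, "user": "alice@example.com", "ip": "3.5.140.2",    "carrier": "amazon.com", "session": "s1"},
    {"ts": 2000, "user": "alice@example.com", "ip": "203.0.113.9",  "carrier": "comcast",    "session": "s2"},
    {"ts": 1500, "user": "bob@example.com",   "ip": "3.5.140.7",    "carrier": "amazon.com", "session": "s3"},
    {"ts": 9000, "user": "bob@example.com",   "ip": "198.51.100.4", "carrier": "verizon",    "session": "s4"},
    {"ts": 3000, "user": "carol@example.com", "ip": "198.51.100.8", "carrier": "verizon",    "session": "s5"},
    {"ts": 3500, "user": "carol@example.com", "ip": "3.5.140.9",    "carrier": "amazon.com", "session": "s6"},
]

WINDOW_SECONDS = 2 * 60 * 60  # the rule's "$user over 2h"


def is_aws(event):
    # Stand-in for ip_geo_artifact.network.carrier_name = /amazon/ nocase
    return "amazon" in event["carrier"].lower()


def detect(events, window=WINDOW_SECONDS):
    """Emulate the rule: per user, an AWS-carrier login ($login1) followed
    within `window` seconds by a non-AWS login ($login2), both with a session
    id. Returns {user: sorted distinct IPs} where the outcome $ip >= 2."""
    by_user = {}
    for e in events:
        if not e["session"]:           # network.session_id != ""
            continue
        by_user.setdefault(e["user"], []).append(e)

    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        ips = set()
        for i, login1 in enumerate(evs):
            if not is_aws(login1):
                continue
            for login2 in evs[i + 1:]:
                if login2["ts"] - login1["ts"] > window:
                    break              # past the match window
                # login1 precedes login2 by construction of the sorted scan
                if not is_aws(login2):
                    ips.update({login1["ip"], login2["ip"]})
        if len(ips) >= 2:              # condition: $ip >= 2
            hits[user] = sorted(ips)
    return hits


if __name__ == "__main__":
    print(detect(EVENTS))  # only alice: bob is outside 2h, carol is in the wrong order
```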

