
So I have some code for Lateral Movement:


rule Lateral_Mov {

  meta:
    author = "Anurag Singh"
    description = "Vertical Lateral Movement"
    severity = "Medium"

events:
    $e1.metadata.vendor_name = "Microsoft"
    $e1.metadata.product_event_type = "4625" // Failed Logon
    $e1.principal.hostname = $hostname
    $e1.target.user.userid = $user
   
    $e2.metadata.event_timestamp.seconds > $e1.metadata.event_timestamp.seconds

    $e2.metadata.vendor_name = "Microsoft"
    $e2.metadata.product_event_type = "4624" // Successful Logon
    $e2.principal.hostname = $hostname
    $e2.target.user.userid = $user


    $e3.metadata.event_timestamp.seconds > $e2.metadata.event_timestamp.seconds

    $e3.metadata.vendor_name = "Microsoft"
    $e3.metadata.product_event_type = "4720" // New Account Creation
    $e3.principal.hostname = $hostname
    $e3.principal.user.userid = $user

    $e4.metadata.event_timestamp.seconds > $e3.metadata.event_timestamp.seconds

    $e4.metadata.vendor_name = "Microsoft"
    $e4.metadata.product_event_type = "4672" // Privilege Escalation
    $e4.principal.hostname = $hostname
    $e4.principal.user.userid = $user


  match:
    $hostname, $user over 1h

  outcome:
    $risk_score = 50

  condition:
    #e1 > 3 and $e2 and $e3 OR $e4
   
}



What I want over here is that there should be an OR between e3 and e4.
Like if there is New Account Creation or privilege escalation (any one or both), this use case should trigger.


But it's showing an error that says:
validating intermediate representation: invalid use of OR. Multiple events should not be joined with OR

How to do this?
Can anyone help?



@jstoner 

can you check


hi @anurag.q.singh,

How about using the $e3 condition, to choose either event type 4720 or 4672, like below?


rule Lateral_Mov {

  meta:
    author = "Anurag Singh"
    description = "Vertical Lateral Movement"
    severity = "Medium"

  events:
    $e1.metadata.vendor_name = "Microsoft"
    $e1.metadata.product_event_type = "4625" // Failed Logon
    $e1.principal.hostname = $hostname
    $e1.target.user.userid = $user

    $e2.metadata.event_timestamp.seconds > $e1.metadata.event_timestamp.seconds

    $e2.metadata.vendor_name = "Microsoft"
    $e2.metadata.product_event_type = "4624" // Successful Logon
    $e2.principal.hostname = $hostname
    $e2.target.user.userid = $user

    $e3.metadata.event_timestamp.seconds > $e2.metadata.event_timestamp.seconds

    $e3.metadata.vendor_name = "Microsoft"
    ($e3.metadata.product_event_type = "4720" or $e3.metadata.product_event_type = "4672") // 4720 New Account Creation or 4672 Privilege Escalation
    $e3.principal.hostname = $hostname
    $e3.principal.user.userid = $user

  match:
    $hostname, $user over 1h

  outcome:
    $risk_score = 50
    $LateralMovementProcess = array_distinct(strings.concat("The following host '", $hostname, "' logged in by the user '", $user, "' performed Lateral Movement via an initial 'Failed Logon', followed by a 'Successful Logon' and then a '", if($e3.metadata.product_event_type = "4720", "New Account Creation", "Privilege Escalation")))

  condition:
    #e1 > 3 and $e2 and $e3
}

Kind Regards,


Ayman Charkaui


OR is not a supported operator in condition at this time.


My initial thought would be to try something like the following


- Eliminate the e3/e4 time bit since you are just looking for one or the other.

- Change the e3/e4 syntax to be something like this:


    $e3.metadata.vendor_name = "Microsoft"
    ($e3.metadata.product_event_type = "4720" or $e3.metadata.product_event_type = "4672") // 4720 New Account Creation or 4672 Privilege Escalation
    $e3.principal.hostname = $hostname
    $e3.principal.user.userid = $user

And then you can use a condition of:


#e1 > 3 and $e2 and $e3


Again, you will likely need to tune it and tweak a bit but hopefully that helps get you in the right direction
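Both replies make the same move: instead of joining two event variables with OR in the condition (which YARA-L rejects), the OR is pushed into the field filter of a single $e3 variable, so $e3 matches either a 4720 or a 4672. The following Python prototype is an added example, not code from the thread or from Google SecOps; it replays that corrected logic (more than three failed logons, then a successful logon, then either follow-on event, all for the same hostname/user inside a one-hour window) over a small set of constructed events. The window semantics are a simplification assumed here (every counted event must fall within one hour of the $e3 event); the real match engine's windowing and UDM field handling are not reproduced.

```python
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
# The two event types the thread folds into a single $e3 variable.
E3_TYPES = {"4720": "New Account Creation", "4672": "Privilege Escalation"}


def _ts(s):
    """Parse the ISO-8601 timestamp used in the sample events."""
    return datetime.fromisoformat(s)


# Constructed sample telemetry (not real logs). Only the fields the rule
# touches are kept. In the rule, logon events (4625/4624) key on
# target.user.userid and 4720/4672 on principal.user.userid; here "user"
# is assumed to already be the right field for each event type.
SAMPLE_EVENTS = [
    # alice: 4 failures, a success, then 4672 -> should trigger
    {"ts": "2024-01-01T10:00:00", "type": "4625", "hostname": "WS01", "user": "alice"},
    {"ts": "2024-01-01T10:01:00", "type": "4625", "hostname": "WS01", "user": "alice"},
    {"ts": "2024-01-01T10:02:00", "type": "4625", "hostname": "WS01", "user": "alice"},
    {"ts": "2024-01-01T10:03:00", "type": "4625", "hostname": "WS01", "user": "alice"},
    {"ts": "2024-01-01T10:05:00", "type": "4624", "hostname": "WS01", "user": "alice"},
    {"ts": "2024-01-01T10:09:00", "type": "4672", "hostname": "WS01", "user": "alice"},
    # bob: only 3 failures, so #e1 > 3 is not met -> no trigger
    {"ts": "2024-01-01T11:00:00", "type": "4625", "hostname": "WS02", "user": "bob"},
    {"ts": "2024-01-01T11:01:00", "type": "4625", "hostname": "WS02", "user": "bob"},
    {"ts": "2024-01-01T11:02:00", "type": "4625", "hostname": "WS02", "user": "bob"},
    {"ts": "2024-01-01T11:05:00", "type": "4624", "hostname": "WS02", "user": "bob"},
    {"ts": "2024-01-01T11:06:00", "type": "4720", "hostname": "WS02", "user": "bob"},
    # carol: 4720 happens before the successful logon, ordering fails -> no trigger
    {"ts": "2024-01-01T12:00:00", "type": "4625", "hostname": "WS03", "user": "carol"},
    {"ts": "2024-01-01T12:01:00", "type": "4625", "hostname": "WS03", "user": "carol"},
    {"ts": "2024-01-01T12:02:00", "type": "4625", "hostname": "WS03", "user": "carol"},
    {"ts": "2024-01-01T12:03:00", "type": "4625", "hostname": "WS03", "user": "carol"},
    {"ts": "2024-01-01T12:04:00", "type": "4720", "hostname": "WS03", "user": "carol"},
    {"ts": "2024-01-01T12:06:00", "type": "4624", "hostname": "WS03", "user": "carol"},
    # dave: failures are more than an hour before the 4720 -> outside window
    {"ts": "2024-01-01T13:00:00", "type": "4625", "hostname": "WS04", "user": "dave"},
    {"ts": "2024-01-01T13:01:00", "type": "4625", "hostname": "WS04", "user": "dave"},
    {"ts": "2024-01-01T13:02:00", "type": "4625", "hostname": "WS04", "user": "dave"},
    {"ts": "2024-01-01T13:03:00", "type": "4625", "hostname": "WS04", "user": "dave"},
    {"ts": "2024-01-01T14:30:00", "type": "4624", "hostname": "WS04", "user": "dave"},
    {"ts": "2024-01-01T14:35:00", "type": "4720", "hostname": "WS04", "user": "dave"},
]


def evaluate_rule(events, window=timedelta(hours=1), min_failed=4):
    """Replay the corrected rule: #e1 > 3 (i.e. at least min_failed failed
    logons), then a successful logon, then a 4720 or 4672, grouped by
    (hostname, user). Returns one detection per group that matches."""
    groups = {}
    for ev in events:
        groups.setdefault((ev["hostname"], ev["user"]), []).append(ev)

    detections = []
    for (hostname, user), evs in groups.items():
        evs = sorted(evs, key=lambda e: _ts(e["ts"]))
        found = None
        for e2 in evs:
            if e2["type"] != SUCCESS_LOGON:
                continue
            t2 = _ts(e2["ts"])
            # $e1 candidates: failed logons strictly before $e2
            failed = [e for e in evs if e["type"] == FAILED_LOGON and _ts(e["ts"]) < t2]
            # $e3 candidates: either follow-on type, strictly after $e2
            follow = [e for e in evs if e["type"] in E3_TYPES and _ts(e["ts"]) > t2]
            for e3 in follow:
                t3 = _ts(e3["ts"])
                # "over 1h": every counted $e1 must sit within the window ending at $e3
                in_window = [e for e in failed if t3 - _ts(e["ts"]) <= window]
                if len(in_window) >= min_failed:
                    found = {
                        "hostname": hostname,
                        "user": user,
                        "failed_logons": len(in_window),
                        "trigger": E3_TYPES[e3["type"]],
                        "risk_score": 50,
                    }
                    break
            if found:
                break
        if found:
            detections.append(found)
    return detections


if __name__ == "__main__":
    for d in evaluate_rule(SAMPLE_EVENTS):
        print(d)
```

Running it reports a single detection for WS01/alice with trigger "Privilege Escalation"; bob fails the count, carol fails the ordering, and dave falls outside the window. Lowering `min_failed` to 3 also admits bob, which is the kind of tuning the reply above refers to.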

