
In the documentation it seems that the arrays.contains function can be used like the following, 

arrays.contains($asset_id_list, "id_1234")

Is it possible to use the function with two variables so I can compare the list with a value in a UDM field?

The following code snippet shows a possible use case for this scenario:

 

rule Example_rule_for_arrays {
  meta:
    author = "amalone"
    description = "Look for a spike in failed logins for a User account followed by a successful login from an IP address associated with a fail"
    severity = "Low"

  events:
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.security_result.summary = /Failed/ nocase
    $fail.target.user.userid = $user

    $success.metadata.event_type = "USER_LOGIN"
    $success.security_result.summary = /Success/ nocase
    $success.target.user.userid = $user

    $fail.metadata.event_timestamp.seconds <= $success.metadata.event_timestamp.seconds

  match:
    $user over 2d

  outcome:
    $Total_Fails = count($fail.target.user.userid)                      // count of total failed logins
    $Failed_login_IPs_Count = count_distinct($fail.principal.ip)        // Number of IPs with a failed login to the User
    $Failed_login_IPs_List = array_distinct($fail.principal.ip)         // Unique list of IPs with a failed login for the user
    $Success_login_IPs_Count = count_distinct($success.principal.ip)    // Number of IPs with a Successful login to the User
    $Success_login_IPs_List = array_distinct($success.principal.ip)     // Unique list of IPs with a Successful login for the user

  condition:
    // Look for at least 30 fails over 2 days from more than 3 IP addresses.
    // QUESTION: Is there a way to say "The value of $success.principal.ip exists inside of $Failed_login_IPs_List"
    // note: I don't want to match off of the IP as well as that will cut down on the number of failed login logs
    //
    // Want to do something like arrays.contains($Failed_login_IPs_List, $success.principal.ip) in the condition
    $fail and $success and $Failed_login_IPs_Count > 3 and $Total_Fails > 30
}
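As an added example that is not code from the post, the following stand-alone Python models what the rule above is trying to express: per user, failed logins inside a 2-day window ending at a successful login, the distinct failing IPs, and the set-membership test the poster wants to write as arrays.contains($Failed_login_IPs_List, $success.principal.ip). The flat event dictionaries and their field names are assumptions standing in for the UDM fields in the rule, and the login events are constructed, not real data. The join_on_ip switch models adding $fail.principal.ip = $success.principal.ip to the events section instead, to show the count reduction the poster wants to avoid.

```python
"""Added example (not code from the thread): a stand-alone Python model of the
detection the posted YARA-L rule is trying to express. Event dictionaries and
their field names are assumptions standing in for UDM fields; the sample
logins built by build_events() are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=2)   # match: $user over 2d
MIN_FAILS = 30               # condition: $Total_Fails > 30
MIN_FAIL_IPS = 3             # condition: $Failed_login_IPs_Count > 3


def _ts(iso):
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def _login(userid, ip, ts, ok):
    # Minimal stand-in for a UDM USER_LOGIN event (field names are assumptions).
    return {"event_type": "USER_LOGIN",
            "summary": "Login Success" if ok else "Login Failed",
            "userid": userid, "ip": ip, "ts": ts}


def build_events():
    """Constructed sample data covering the cases the rule must separate."""
    base = _ts("2024-05-01T00:00:00")
    ev = []
    # alice: 32 failures spread over 4 IPs, then a success from one of those IPs
    for i in range(32):
        ev.append(_login("alice", f"203.0.113.{i % 4 + 1}", base + timedelta(minutes=i), False))
    ev.append(_login("alice", "203.0.113.2", base + timedelta(hours=1), True))
    # bob: the same failure spike, but the success comes from an IP that never failed
    for i in range(32):
        ev.append(_login("bob", f"198.51.100.{i % 4 + 1}", base + timedelta(minutes=i), False))
    ev.append(_login("bob", "192.0.2.9", base + timedelta(hours=1), True))
    # carol: success from a failing IP, but only 5 failures (below threshold)
    for i in range(5):
        ev.append(_login("carol", "203.0.113.50", base + timedelta(minutes=i), False))
    ev.append(_login("carol", "203.0.113.50", base + timedelta(hours=1), True))
    # alice again: an older failure spike that falls outside the 2-day window
    for i in range(40):
        ev.append(_login("alice", "203.0.113.77", base - timedelta(days=5, minutes=i), False))
    return ev


def detect(events, join_on_ip=False):
    """Return {userid: outcome} for users whose failed-login spike is followed
    by a success from one of the failing IPs.

    join_on_ip=True models adding `$fail.principal.ip = $success.principal.ip`
    to the events section: failures are then counted only for the success IP,
    which is the count reduction the original poster wants to avoid."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_type"] == "USER_LOGIN":
            by_user[e["userid"]].append(e)

    hits = {}
    for user, evs in by_user.items():
        fails = [e for e in evs if "failed" in e["summary"].lower()]
        successes = [e for e in evs if "success" in e["summary"].lower()]
        for s in successes:
            # $fail timestamp <= $success timestamp, restricted to the 2-day window
            prior = [f for f in fails if s["ts"] - WINDOW <= f["ts"] <= s["ts"]]
            if join_on_ip:
                prior = [f for f in prior if f["ip"] == s["ip"]]
            fail_ips = {f["ip"] for f in prior}   # array_distinct($fail.principal.ip)
            # The membership test the poster wanted as
            # arrays.contains($Failed_login_IPs_List, $success.principal.ip)
            if (len(prior) > MIN_FAILS and len(fail_ips) > MIN_FAIL_IPS
                    and s["ip"] in fail_ips):
                hits[user] = {"total_fails": len(prior),
                              "failed_login_ips": sorted(fail_ips),
                              "success_ip": s["ip"]}
                break
    return hits


if __name__ == "__main__":
    for user, outcome in detect(build_events()).items():
        print(user, outcome)
    print("with join on IP:", detect(build_events(), join_on_ip=True))
```

Run as written, only alice is reported (32 failures from 4 IPs, then a success from 203.0.113.2); bob fails the membership test, carol the volume threshold, and alice's older spike is dropped by the window. With join_on_ip=True alice is not reported at all, since only the 8 failures from 203.0.113.2 survive the join, which is the effect the poster describes when matching on the IP.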

 

 

Hi @amalone341,

Welcome to Google Cloud Community!

Yes, it is possible to use the `arrays.contains` function with two variables in the way you described. Here is how you can do it:
 
condition: arrays.contains($Failed_login_IPs_List, $success.principal.ip) and $fail and $success and $Failed_login_IPs_Count > 3 and $Total_Fails > 30
This will check if the value of `$success.principal.ip` exists in the list `$Failed_login_IPs_List`, and the rest of the condition will be evaluated only if this is true.
 
Note that the `arrays.contains` function returns a boolean value (either `true` or `false`), so you can use it directly in a condition like this.
 
Thanks


Hey Christian,

Thanks for the response! 

When I put that snippet of code into the rule, it says there is an error on the $success part of $success.principal.ip. The error is as follows:

parsing: error with token: "success"
expected )
line: 41 
column: 44-51 

Commenting out the following line will result in a rule that runs properly.

arrays.contains($Failed_login_IPs_List, $success.principal.ip) and