Skip to main content

Unable to understand where i am going wrong in this alert

  • January 9, 2024
  • 2 replies
  • 24 views
rahul7514
Forum|alt.badge.img+10

Hi 

I am trying to build an alert 

"detects an abnormally large number of endpoint changes per user account, as they relate to reboots, check , file system, user, and registry changes."

What i am trying to achieve is on a particular time for same user on the same machine there should more than 1 of the event type . However my below query is not triggering this detection. Can you suggest where i am going wrong ? Also is there a SLACK channel where we can get interact for such doubts ?


Query i created is this 
 

 

 

rule Multiple_endpoint_changes { meta: author = "Rahul" description = "It detects an abnormally large number of endpoint changes per user account, as they relate to reboots, checks, file system, user, and registry changes." severity = "Medium" events: ( $e.metadata.event_type = "FILE_MODIFICATION" or $e.metadata.event_type = "USER_LOGIN" or $e.metadata.event_type = "USER_CHANGE_PERMISSIONS" or $e.metadata.event_type = "REGISTRY_MODIFICATION" or $e.metadata.event_type = "SERVICE_MODIFICATION" or $e.metadata.event_type = "SYSTEM_AUDIT_LOG_WIPE" ) $e.principal.hostname = "michael-bolton-pc" $e.principal.user.userid = "michael" $e.principal.hostname = $hostname $e.principal.user.userid = $userid $e.metadata.event_type = $event_type match: $hostname,$userid over 15m condition: #event_type > 1 }​

 

 

Ray_a

2 replies

jstoner
Staff
Forum|alt.badge.img+22
  • jstoner
  • Staff
  • January 9, 2024

I don't believe this is an issue here, but I will mention that the hostname, user and process columns at the top of the column list are the principal fields, and I always tend to grab the specific named udm fields to ensure that I am looking at the correct field, principal v target v src or whatever. Again, having looked at the principal field in the UDM viewer, I don't believe that is the issue.

I ran your rule in my environment (I have 5 of the 7 event types) and the rule as written tested out as expected and returned results, so I am not really sure what to tell you. Sometimes the value you really want is in the target and not the principal but that does not appear to be the case here. Are you getting an error when you test your rule within the timeframe of the search you are showing at the top of the screen or just not getting any results?

From a troubleshooting perspective, I'd make sure my test is running within the same window of my search that I used. If my event criteria, basically the event types, all return in search, then I'd look at conditions and matches.

If you change your condition from #event_type>1 to $e, do you get grouped events by hostname and userid as expected?

What about if you remove the userid or hostname from the match, do you get hits then?

Also have you taken the named user and hostname out to widen your net a bit further and see if you get anything?

Ray_a
AymanC
Forum|alt.badge.img+13
  • AymanCBronze 5
  • Bronze 5
  • January 12, 2024

Hi Rahul,

I think the main reason you are not expecting the results you are looking for is because it appears for the 2x events "USER_LOGIN" and "FILE_MODIFICATION", the UDM field is not present in the USER_LOGIN event


Therefore, attempts to match on that will fail, unless if the events you are matching for contain the same value in the same UDM Field.

The alternative is to match on the principal.hostname, if this is suitable for your use-case, if all of the different event types you are matching for parse the data you want to match on to this field.

 

Alternatively, segregating the events and what they match on depending on the event will work. Lets say for example you know that for USER_LOGIN event types, the "principal.user.userid" (which gets parsed correctly in FILE_MODIFICATION events) gets parsed to "target.user.userid", then to utilise this.

Solution #1 - Matching on Principal.hostname (present in both events - this has not been tested for all of the event types listed in the rule logic)

rule test_for_rahul7514 { meta: author = "Ayman C" description = "Test for Rahul7514" events: $e.principal.hostname = $hostname $e.principal.user.userid = $userid $e.metadata.event_type = $event_type $hostname = "michael-bolton-pc" $event_type = "FILE_MODIFICATION" or $event_type = "USER_LOGIN" or $event_type = "USER_CHANGE_PERMISSIONS" or $event_type = "REGISTRY_MODIFICATION" or $event_type = "SERVICE_MODIFICATION" or $event_type = "SYSTEM_AUDIT_LOG_WIPE" match: $hostname over 15m outcome: $EventCount = count($event_type) condition: $e and $EventCount > 1 }


Solution #2 - Segregating Event Types value mapping:

rule test_for_rahul7514 { meta: author = "Ayman C" description = "Test for Rahul7514" events: $e.principal.hostname = $hostname $e.metadata.event_type = $event_type $hostname = "michael-bolton-pc" ( $e.target.user.userid = "michael" and $event_type = "USER_LOGIN" ) or ( $e.principal.user.userid = "michael" and $event_type = "FILE_MODIFICATION" ) match: $hostname, over 15m outcome: $EventCount = count($event_type) condition: $e and $EventCount > 1 }

It's important to note, it is matching on Hostname, not the userid for both solutions - which is present in both event types.


Ray_a
Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.