
Hi all!

I am trying to create a rule that alerts if for the past 30 days, a unique combination of user/country is seen for the first time. This is what I came up with so far:

events:
    $selection.metadata.vendor_name = "Okta"
    $selection.metadata.event_type = "USER_LOGIN"
    $selection.security_result.detection_fields["legacyEventType"] = "core.user_auth.login_success"
    $userid = $selection.target.user.userid
    $country = $selection.principal.ip_geo_artifact.location.country_or_region

match:
    $userid, $country over 1d

outcome:
    $first_seen_today = max(metrics.auth_attempts_success(
        period:1h, window:today, metric:first_seen, agg:max,
        target.user.userid:$userid))
    $first_seen_monthly = max(metrics.auth_attempts_success(
        period:1d, window:30d, metric:first_seen, agg:max,
        target.user.userid:$userid))

The problem begins when I add "principal.ip_geo_artifact.location.country_or_region:$country" to $first_seen_today and $first_seen_monthly - it returns results that don't make sense.

I would appreciate it if someone could explain to me what I am missing here, and how to build the rule correctly. Thank you in advance.

Well... first off, you're missing a condition statement at the bottom from what you pasted here.


And, if you could please share what you are seeing vs. what you are expecting to see that would be very helpful in moving this along.  Thank you!


Thanks for the quick reply @dnehoda !

Regarding the condition statement, I omitted it intentionally, since I don't have any problems with that part.

Here are the results I see, after adding "principal.ip_geo_artifact.location.country_or_region:$country" to the metrics function (taken from the public Chronicle demo lab):

 

How do I need to interpret this? I can see that "mark.taylor/United States" combo is 0, both for daily and monthly, meaning that it did not occur a single time, but obviously it happened at least once since it shows up in the detections. When searching this combination manually, there are many results for the past month. I'm probably misunderstanding something, I just don't know why the results show 0 when there clearly are results.

I'll mention again, that my goal is to alert when a combination of a user/country is seen for the first time in the past 30 days.

Thanks!


Hi @Koifman,

This could potentially be likely, as you are using the following metric, 'metrics.auth_attempts_success', which identifies USER_LOGIN event types of which the security_result.action is 'ALLOW'. It is likely that in the photo the events that are displaying '0' but are repeated are USER_LOGINs where the security_result.action is not 'ALLOW'.

Within the same test instance, changing the metric to 'metrics.auth_attempts_total', we can see data for the results you've shown which are reporting as '0' (focusing on the 'FIRST_SEEN_MONTHLY'):

 

rule UEBA_TEST {

  meta:
    author = "Ayman C"

  events:
    $selection.metadata.vendor_name = "Okta"
    $selection.metadata.event_type = "USER_LOGIN"
    $userid = $selection.target.user.userid
    $country = $selection.principal.ip_geo_artifact.location.country_or_region
    $userid = /lisa.cooper|mark.taylor/

  match:
    $userid, $country over 1d

  outcome:
    $first_seen_today = max(metrics.auth_attempts_total(
        period:1h, window:today, metric:first_seen, agg:max,
        target.user.userid:$userid))
    $first_seen_monthly = max(metrics.auth_attempts_total(
        period:1d, window:30d, metric:first_seen, agg:max,
        target.user.userid:$userid))

  condition:
    $selection
}

I hope that helps and solves the issue you're seeing

Kind Regards,

Ayman

Hey @AymanC thanks for the reply!

I don't think this matters too much, since before your suggestion I was using

    $selection.security_result.detection_fields["legacyEventType"] = "core.user_auth.login_success"

which also refers to events that are successful logins. Switching between using it and not using it (like you did with your query) does return the same amount of results - 21 for the past 7 days.

The more interesting question in my opinion is the difference between:

    $first_seen_monthly = max(metrics.auth_attempts_success(
        period:1d, window:30d, metric:first_seen, agg:max,
        target.user.userid:$userid))

and:

    $first_seen_monthly = max(metrics.auth_attempts_success(
        period:1d, window:30d, metric:first_seen, agg:max,
        target.user.userid:$userid,
        principal.ip_geo_artifact.location.country_or_region:$country))

and why, when using the 2nd version, I am getting weird results where the monthly value is 0, even though we know for certain that 0 doesn't make sense.

If I understand correctly, using just $userid in the metrics, will only check the user against the user/country combination obtained from the "match" section, so the check will not consider the country. For example, if the "match" section obtained "mark.taylor" / "United States", and the metrics check for the past 30 days sees "mark.taylor" / "NewCountry", the value will NOT be 0 like I want, since "mark.taylor" is the only value being checked - I hope I am able to explain it correctly.
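To make the two questions in this thread concrete (the original "first user/country combination in 30 days" goal, and the difference between slicing the baseline by user only versus user plus country), here is a small Python model of that first-seen logic. It is an added example, not code from the thread, from Chronicle, or from YARA-L; it does not call the Chronicle metrics API. The events are constructed sample records whose field names are the UDM paths quoted in the thread, and the `success_only` switch models the behaviour AymanC describes for `auth_attempts_success` (ALLOW events only) versus `auth_attempts_total` (every USER_LOGIN); that modelling is an assumption for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). Each record is a flattened
# UDM-like event carrying the three fields the rule in the thread depends on.
NOW = datetime(2024, 6, 30, 12, 0, 0)

USER = "target.user.userid"
COUNTRY = "principal.ip_geo_artifact.location.country_or_region"
ACTION = "security_result.action"


def _ev(days_ago, user, country, action="ALLOW"):
    """Build one constructed login event `days_ago` days before NOW."""
    return {
        "ts": NOW - timedelta(days=days_ago),
        USER: user,
        COUNTRY: country,
        ACTION: action,
    }


SAMPLE_EVENTS = [
    _ev(25, "mark.taylor", "United States"),
    _ev(10, "mark.taylor", "United States"),
    _ev(0, "mark.taylor", "United States"),          # today, a combination seen before
    _ev(20, "lisa.cooper", "United States"),
    _ev(0, "lisa.cooper", "NewCountry"),             # today, known user, new country
    _ev(3, "dana.bell", "Germany", action="BLOCK"),  # only a failed attempt in the window
    _ev(0, "dana.bell", "Germany"),                  # today, first successful login
]


def baseline_keys(events, now, window_days, key_fields, success_only):
    """Key tuples seen in the lookback window, excluding today.

    window_days stands in for window:30d, key_fields for the dimensions the
    metric is sliced by, and success_only for auth_attempts_success (ALLOW only)
    versus auth_attempts_total (all login events). Modelled assumption, see lead-in.
    """
    start = now - timedelta(days=window_days)
    today = now.date()
    keys = set()
    for e in events:
        if not (start <= e["ts"] and e["ts"].date() < today):
            continue
        if success_only and e[ACTION] != "ALLOW":
            continue
        keys.add(tuple(e[f] for f in key_fields))
    return keys


def new_today(events, now, window_days=30, key_fields=(USER, COUNTRY), success_only=True):
    """Sorted key tuples that occur today but never in the preceding window.

    This is the detection the thread is after: a combination whose first
    sighting within the lookback window is today.
    """
    seen_before = baseline_keys(events, now, window_days, key_fields, success_only)
    today = now.date()
    fresh = set()
    for e in events:
        if e["ts"].date() != today:
            continue
        if success_only and e[ACTION] != "ALLOW":
            continue
        key = tuple(e[f] for f in key_fields)
        if key not in seen_before:
            fresh.add(key)
    return sorted(fresh)


if __name__ == "__main__":
    # Baseline keyed on user AND country: lisa.cooper/NewCountry is new,
    # and dana.bell/Germany is new because only a BLOCK was seen before.
    print("user+country, successes only:", new_today(SAMPLE_EVENTS, NOW))
    # Baseline keyed on user only: lisa.cooper was seen, so her new country is missed.
    print("user only, successes only:   ", new_today(SAMPLE_EVENTS, NOW, key_fields=(USER,)))
    # Counting every login (the auth_attempts_total analogue) puts dana.bell's
    # earlier BLOCK into the baseline, so only lisa.cooper/NewCountry remains.
    print("user+country, all logins:    ", new_today(SAMPLE_EVENTS, NOW, success_only=False))
```

The three calls at the bottom show the two effects discussed above: dropping the country from the key makes a known user's first login from a new country invisible, and choosing a success-only baseline versus an all-logins baseline changes whether a user with only prior failures counts as "first seen" today.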
