Hi, I'm trying to combine a number of our failed login rules into one rule as we are nearing our detection rule capacity however I appear to be getting the following error regardless of what I try and change.
semantic analysis: match variable user is not assigned to an event field
I've tried using different variables, only working with the variable assigned to the target.user.userid udm field and a few other ideas but nothing seems to resolve the issue. Any suggestions would be much appreciated, I've added the rule syntax below for context.
events:
( // Panorama_Firewall_Excessive_Failed_User_Login_10mins
$e.metadata.log_type = "PAN_FIREWALL" and
$e.metadata.product_event_type = "SYSTEM - auth" and
$e.metadata.vendor_name = "Palo Alto Networks" and
$e.metadata.description = /failed authentication(.*|$)/ and
$e.principal.user.userid = $user
)
or
( //Dell_IDRAC_Multiple_Failed_Login_10Mins
$e.metadata.log_type = "IDRAC" and
$e.additional.fields["message_id"] = "USR0031" and
$e.metadata.description = $user // use of metadata.description is temporary whilst waiting on tweaks to parser
)
or
( //Clearpass_Multiple_Logon_Failures_10_minutes
$e.principal.user.userid = $user and
$e.metadata.product_name = "ClearPass" and
$e.metadata.product_event_type = "LOGIN FAILED"
)
or
( //ibm_multiple_password_failure_10m
$e.additional.fields["PWUSRN"] = $user and
$e.metadata.product_event_type = "PW" and
$e.additional.fields["PWTYPE"] = "P"
)
or
( //Azure_AD_Baseline_Multiple_Failed_MS_Security_Portal_Login_10mins
$e.metadata.log_type = "AZURE_AD" and
$e.metadata.event_type = "USER_LOGIN" and
$e.target.application = /.*/ and
$e.security_result.summary = "Failed login occurred" and
$e.target.user.email_addresses = /.*onmicrosoft.com.*/ and
$e.target.user.userid = $user and
$e.additional.fields["failureReason"] != "The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on {issueDate} and the maximum allowed lifetime for this request is {time}."
and not $e.additional.fields["failureReason"] = "The session has expired or is invalid due to sign-in frequency checks by conditional access."
and not $e.additional.fields["failureReason"] = "Application needs to enforce Intune protection policies."
)
or
( //Azure_AD_Multiple_Failed_SSO_Login_10mins
(
$e.metadata.log_type = "AZURE_AD" and
$e.metadata.event_type = "USER_LOGIN" and
$e.security_result.summary = "Failed login occurred" and
$e.security_result.rule_id = "50126" and
$e.target.user.userid = $user
)
and
(
$e.principal.ip_geo_artifact.location.country_or_region = "United Kingdom" or
$e.principal.ip_geo_artifact.location.country_or_region = "Netherlands"
)
)
match:
$user over 10m
condition:
#e >= 10
}
There are a few stray characters in the copy/paste above but after I removed them I saw your error message. I think the issue here is that inside of these different sets of criteria are the placeholder variables that would then be used in the match section. The problem is that you really can't have those placeholder variables in the (criteria 1 or criteria 2 or criteria 3) and rather it should sit outside of the criteria.
This can be problematic if one of your sets of criteria is keying on the principal.user.userid and the other is using target.user.userid. One way to address that would be to use something like strings.coalesce, which takes the first non-null value in a list of fields and uses that. There is some tuning you will need to do, but something like this is what I've got in mind and might work for you.
events:
( // Panorama_Firewall_Excessive_Failed_User_Login_10mins
$e.metadata.log_type = "PAN_FIREWALL" and
$e.metadata.product_event_type = "SYSTEM - auth" and
$e.metadata.vendor_name = "Palo Alto Networks" and
$e.metadata.description = /failed authentication(.*|$)/
)
or
( //Dell_IDRAC_Multiple_Failed_Login_10Mins
$e.metadata.log_type = "IDRAC" and
$e.additional.fields["message_id"] = "USR0031"
//$e.metadata.description = $user // use of metadata.description is temporary whilst waiting on tweaks to parser
)
or
( //Clearpass_Multiple_Logon_Failures_10_minutes
$e.metadata.product_name = "ClearPass" and
$e.metadata.product_event_type = "LOGIN FAILED"
)
or
( //ibm_multiple_password_failure_10m
$e.metadata.product_event_type = "PW" and
$e.additional.fields["PWTYPE"] = "P"
)
or
( //Azure_AD_Baseline_Multiple_Failed_MS_Security_Portal_Login_10mins
$e.metadata.log_type = "AZURE_AD" and
$e.metadata.event_type = "USER_LOGIN" and
$e.target.application = /.*/ and
$e.security_result.summary = "Failed login occurred" and
$e.target.user.email_addresses = /.*onmicrosoft.com.*/ and
$e.additional.fields["failureReason"] != "The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on {issueDate} and the maximum allowed lifetime for this request is {time}."
and not $e.additional.fields["failureReason"] = "The session has expired or is invalid due to sign-in frequency checks by conditional access."
and not $e.additional.fields["failureReason"] = "Application needs to enforce Intune protection policies."
)
or
( //Azure_AD_Multiple_Failed_SSO_Login_10mins
(
$e.metadata.log_type = "AZURE_AD" and
$e.metadata.event_type = "USER_LOGIN" and
$e.security_result.summary = "Failed login occurred" and
$e.security_result.rule_id = "50126"
)
and
(
$e.principal.ip_geo_artifact.location.country_or_region = "United Kingdom" or
$e.principal.ip_geo_artifact.location.country_or_region = "Netherlands"
)
)
$user = strings.coalesce($e.target.user.userid, $e.principal.user.userid, $e.additional.fields["PWUSRN"], $e.metadata.description )
match:
$user over 10m
condition:
#e >= 10
}
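To make the coalesce-then-match idea in the answer concrete, here is an added Python model of what the rule does (this is not the poster's rule and not Chronicle code): it coalesces the same field list, groups matching events by that key, and applies the 10 minute window and count threshold over constructed sample events. The sliding-window reading of "over 10m", the flattened field names and the two per-source predicates are assumptions made for the model.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Same field order as the strings.coalesce() call in the answer above.
USER_FIELDS = ("target.user.userid", "principal.user.userid",
               "additional.fields.PWUSRN", "metadata.description")

def coalesce(event, fields=USER_FIELDS):
    """First non-empty candidate field, or None when every candidate is absent."""
    return next((event[f] for f in fields if event.get(f)), None)

def is_failed_login(e):
    """Stand-in for two of the six per-source criteria blocks in the rule."""
    if e.get("metadata.log_type") == "PAN_FIREWALL":
        return "failed authentication" in e.get("metadata.description", "")
    if e.get("metadata.log_type") == "AZURE_AD":
        return e.get("security_result.summary") == "Failed login occurred"
    return False

def users_over_threshold(events, window=timedelta(minutes=10), threshold=10):
    """Flag users with >= threshold matching events in a sliding window (assumed 'over 10m')."""
    by_user = defaultdict(list)
    for e in events:
        if is_failed_login(e):
            user = coalesce(e)
            if user is not None:  # no user key at all: the event cannot join any match group
                by_user[user].append(datetime.fromisoformat(e["ts"]))
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged

def sample_events():
    """Constructed sample: alice fails 6 times on the firewall (principal.user.userid) and
    4 times in Azure AD (target.user.userid) within 10 minutes; bob fails twice; one
    Azure AD event carries no user field and so never joins a group."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    ts = lambda m: (t0 + timedelta(minutes=m)).isoformat()
    pan = lambda m, u: {"ts": ts(m), "metadata.log_type": "PAN_FIREWALL",
                        "metadata.description": "failed authentication for " + u,
                        "principal.user.userid": u}
    aad = lambda m, u: {"ts": ts(m), "metadata.log_type": "AZURE_AD",
                        "security_result.summary": "Failed login occurred",
                        **({"target.user.userid": u} if u else {})}
    return ([pan(m, "alice") for m in range(6)] + [aad(6 + m, "alice") for m in range(4)]
            + [pan(1, "bob"), aad(2, "bob"), aad(3, None)])
```

Note that the firewall events also carry a metadata.description, but principal.user.userid sits earlier in the list, so alice's firewall and Azure AD failures land in one group; the order of the coalesce list is what decides that.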