Using Regex Fields as Variable

Utilizing Chronicle's first seen and last seen feature to create somewhat of an anomaly-based detection. The detection should take when an event was first seen if seen at all, and if the alert has been seen after 14 days then we should be alerted. However, I have to utilize a regex to retrieve the username. This then needs to be pulled into the entity graph, which means I have to utilize a variable for this to happen. 

Here's a copy of the logic I have so far:

rule ripple_auth0_anomaly_ldap_vault_creds {
  meta:
    author = "tpayton"
    description = "Detects anomalous issuance of vault credentials to ldap users."

  events:
    // Retrieve all Auth0 events regarding the issuance of vault temp creds for ldap users
    $event.metadata.log_type = "AUTH_ZERO"
    $event.principal.hostname = /^Temp Vault Client auth=ldap/ nocase

    // Extract LDAP user
    $ldap_user = re.regex($event.principal.hostname, "auth=([^ ]+) expires")

    // Join the extracted user against the entity graph
    $entity.graph.entity.hostname = $ldap_user
    $entity.graph.entity.domain.first_seen_time.seconds > 0

    // calculate time between first seen and last time seen (1209600 s = 14 days)
    1209600 > timestamp.current_seconds() - $entity.graph.entity.domain.first_seen_time.seconds

  match:
    $ldap_user over 24h

  outcome:
    // Alert Meta
    $alert_severity = array_distinct("HIGH")

    // Alert Details
    $principal_ip = array_distinct($event.principal.ip)
    $auth0_event_type = array_distinct($event.metadata.product_event_type)
    $auth0_signup_email = array_distinct($event.additional.fields["email"])
    $auth0_user_full_name = array_distinct($event.principal.user.userid)
    $network_org_name = array_distinct($event.principal.ip_geo_artifact.network.organization_name)
    $source_state = array_distinct($event.principal.location.state)
    $source_country = array_distinct($event.principal.location.country_or_region)
    $user_agent = array_distinct($event.network.http.user_agent)
    $referrer = array_distinct($event.network.http.referral_url)
    $principal_ip_asn = array_distinct($event.principal.ip_geo_artifact.network.asn)

  condition:
    $event and $entity
}

Here's the error message:

: type mismatch between "entity.graph.entity.hostname" of type string and "$ldap_user" of type bool
line: 21 
column: 6-47 

Is this possible in chronicle? 

ACCEPTED SOLUTION

I believe your issue is the use of re.regex instead of re.capture on line 12.

re.regex returns a bool (hence the error), while re.capture returns a string. 

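The distinction the answer points to, worked through as an added Python example (not YARA-L, and not code from the original post): a match test yields only a bool, while a capture yields the string you can bind to an entity field. The events and first-seen timestamps below are constructed, and the 14-day test mirrors the constant used in the rule above.

```python
import re

# Pattern from the rule in the question: capture the LDAP user between "auth=" and " expires".
LDAP_USER_RE = re.compile(r"auth=([^ ]+) expires")
WINDOW_SECONDS = 1209600  # 14 days, the constant used in the rule

# Constructed sample data (not real Auth0 events). NOW is an arbitrary epoch time.
NOW = 1_700_000_000
FIRST_SEEN_BY_USER = {
    "ldap-alice": NOW - 3 * 86400,    # first seen 3 days ago: inside the window
    "ldap-bob": NOW - 30 * 86400,     # first seen 30 days ago: outside the window
}
SAMPLE_EVENTS = [
    {"principal_hostname": "Temp Vault Client auth=ldap-alice expires 2024-05-01"},
    {"principal_hostname": "temp vault client auth=ldap-bob expires 2024-05-01"},
    {"principal_hostname": "Other Client auth=ldap-carol expires 2024-05-01"},  # fails the prefix filter
    {"principal_hostname": "Temp Vault Client auth=ldap-dave"},                # no " expires": no capture
]

def hostname_matches(hostname: str) -> bool:
    """Analogue of re.regex(): only reports whether the pattern matches (a bool)."""
    return LDAP_USER_RE.search(hostname) is not None

def capture_ldap_user(hostname: str):
    """Analogue of re.capture(): returns the first capture group (a string), or None if no match."""
    m = LDAP_USER_RE.search(hostname)
    return m.group(1) if m else None

def recently_first_seen(first_seen: int, now: int) -> bool:
    """The rule's time test: first_seen is populated and lies within the last 14 days."""
    return first_seen > 0 and WINDOW_SECONDS > now - first_seen

def evaluate(events, first_seen_by_user, now):
    """Return the LDAP users whose vault-credential events satisfy the rule's event and entity tests."""
    hits = set()
    for ev in events:
        host = ev["principal_hostname"]
        # /^Temp Vault Client auth=ldap/ nocase
        if not host.lower().startswith("temp vault client auth=ldap"):
            continue
        user = capture_ldap_user(host)   # a string, so it can be joined to the entity hostname
        if user is None:
            continue
        if recently_first_seen(first_seen_by_user.get(user, 0), now):
            hits.add(user)
    return hits

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS, FIRST_SEEN_BY_USER, NOW))
```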

2 REPLIES

Thanks, this was the problem.