This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Check out the new Professional Security Operations Engineer certification beta!
Log in to ask a question

how to use Or Condition

Posted on 10-02-2024 10:28 AM
asinghz297
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

So I have a code for Lateral Movement


rule Lateral_Mov {

  meta:
    author = "Anurag Singh"
    description = "Vertical Lateral Movement"
    severity = "Medium"

events:
    $e1.metadata.vendor_name = "Microsoft"
    $e1.metadata.product_event_type = "4625" // Failed Logon
    $e1.principal.hostname = $hostname
    $e1.target.user.userid = $user
   
    $e2.metadata.event_timestamp.seconds > $e1.metadata.event_timestamp.seconds

    $e2.metadata.vendor_name = "Microsoft"
    $e2.metadata.product_event_type = "4624" // Successful Logon
    $e2.principal.hostname = $hostname
    $e2.target.user.userid = $user


    $e3.metadata.event_timestamp.seconds > $e2.metadata.event_timestamp.seconds

    $e3.metadata.vendor_name = "Microsoft"
    $e3.metadata.product_event_type = "4720" // New Account Creation
    $e3.principal.hostname = $hostname
    $e3.principal.user.userid = $user

    $e4.metadata.event_timestamp.seconds > $e3.metadata.event_timestamp.seconds

    $e4.metadata.vendor_name = "Microsoft"
    $e4.metadata.product_event_type = "4672" // Privilege Escalation
    $e4.principal.hostname = $hostname
    $e4.principal.user.userid = $user


  match:
    $hostname, $user over 1h

  outcome:
    $risk_score = 50

  condition:
    #e1 > 3 and $e2 and $e3 OR $e4
   
}



what I want over here is that there should be an OR between e3 and e4
Like if there is New Account Creation or privelege escalation (any one or both) this use case should trigger. 


But it's showing an error that 
validating intermediate representation: invalid use of OR. Multiple events should not be joined with OR

How to do this?
Can anyone help?



Solved Solved
0 3 158
Topic Labels
Jump to Solution
0 Likes
2 ACCEPTED SOLUTIONS

Posted on --/--/---- --:-- AM
AymanC
Silver 3
Silver 3
Reply posted on --/--/---- --:-- AM

hi @asinghz297,

How about using the $e3 condition, to choose either event type 4720 or 4672, like below?

 

rule Lateral_Mov {

  meta:
    author = "Anurag Singh"
    description = "Vertical Lateral Movement"
    severity = "Medium"

events:
    $e1.metadata.vendor_name = "Microsoft"
    $e1.metadata.product_event_type = "4625" // Failed Logon
    $e1.principal.hostname = $hostname
    $e1.target.user.userid = $user
   
    $e2.metadata.event_timestamp.seconds > $e1.metadata.event_timestamp.seconds

    $e2.metadata.vendor_name = "Microsoft"
    $e2.metadata.product_event_type = "4624" // Successful Logon
    $e2.principal.hostname = $hostname
    $e2.target.user.userid = $user


    $e3.metadata.event_timestamp.seconds > $e2.metadata.event_timestamp.seconds

    $e3.metadata.vendor_name = "Microsoft"
    ($e3.metadata.product_event_type = "4720" or $e3.metadata.product_event_type = "4672")  // New Account Creation
    $e3.principal.hostname = $hostname
    $e3.principal.user.userid = $user


  match:
    $hostname, $user over 1h

  outcome:
    $risk_score = 50

    $LateralMovementProcess = array_distinct(strings.concat("The following host '", $hostname, "' logged in by the user '", $user, "' performed Lateral Movement via an initial 'Failed Logon', followed by a 'Successful Logon' and then a '", if($e3.metadata.product_event_type = "4720", "New Account Creation", "Privillege Escalation")))
  condition:
    #e1 > 3 and $e2 and $e3
}

 





Kind Regards,


Ayman Charkaui

View solution in original post

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

OR is not a supported operator in condition at this time.

My initial thought would be to try something like the following

-Eliminate the e3/e4 time bit since you are just looking for one or the other.

-Change the e3/e4 syntax to be something like this 

    $e3.metadata.vendor_name = "Microsoft"
    ($e3.metadata.product_event_type = "4720" // New Account Creation or
$e3.metadata.product_event_type = "4672" // Privilege Escalation)
    $e3.principal.hostname = $hostname
    $e3.principal.user.userid = $user

And then you can use a condition of  

#e1 > 3 and $e2 and $e3

Again, you will likely need to tune it and tweak a bit but hopefully that helps get you in the right direction

View solution in original post

Jump to Solution
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
asinghz297
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

@jstoner 

can you check

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
AymanC
Silver 3
Silver 3
Reply posted on --/--/---- --:-- AM

hi @asinghz297,

How about using the $e3 condition, to choose either event type 4720 or 4672, like below?

 

rule Lateral_Mov {

  meta:
    author = "Anurag Singh"
    description = "Vertical Lateral Movement"
    severity = "Medium"

events:
    $e1.metadata.vendor_name = "Microsoft"
    $e1.metadata.product_event_type = "4625" // Failed Logon
    $e1.principal.hostname = $hostname
    $e1.target.user.userid = $user
   
    $e2.metadata.event_timestamp.seconds > $e1.metadata.event_timestamp.seconds

    $e2.metadata.vendor_name = "Microsoft"
    $e2.metadata.product_event_type = "4624" // Successful Logon
    $e2.principal.hostname = $hostname
    $e2.target.user.userid = $user


    $e3.metadata.event_timestamp.seconds > $e2.metadata.event_timestamp.seconds

    $e3.metadata.vendor_name = "Microsoft"
    ($e3.metadata.product_event_type = "4720" or $e3.metadata.product_event_type = "4672")  // New Account Creation
    $e3.principal.hostname = $hostname
    $e3.principal.user.userid = $user


  match:
    $hostname, $user over 1h

  outcome:
    $risk_score = 50

    $LateralMovementProcess = array_distinct(strings.concat("The following host '", $hostname, "' logged in by the user '", $user, "' performed Lateral Movement via an initial 'Failed Logon', followed by a 'Successful Logon' and then a '", if($e3.metadata.product_event_type = "4720", "New Account Creation", "Privillege Escalation")))
  condition:
    #e1 > 3 and $e2 and $e3
}

 





Kind Regards,


Ayman Charkaui

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

OR is not a supported operator in condition at this time.

My initial thought would be to try something like the following

-Eliminate the e3/e4 time bit since you are just looking for one or the other.

-Change the e3/e4 syntax to be something like this 

    $e3.metadata.vendor_name = "Microsoft"
    ($e3.metadata.product_event_type = "4720" // New Account Creation or
$e3.metadata.product_event_type = "4672" // Privilege Escalation)
    $e3.principal.hostname = $hostname
    $e3.principal.user.userid = $user

And then you can use a condition of  

#e1 > 3 and $e2 and $e3

Again, you will likely need to tune it and tweak a bit but hopefully that helps get you in the right direction

Jump to Solution
0 Likes
Top Solution Authors
View all