Event correlation rule that compares fields between the two events

I am trying to create a rule that will determine if two VPN sessions were started for the same user from two different IP addresses without one session ending first. The problem I'm running into is that I can't figure out how to verify that the IP address in the first event differs from the IP address in the second event. Here's how the rule looks now. Is there a way to add something to the second event like "and ip.source != events[0].ip.source"?


sequence by user.id
[any where notification == "VPN Tunneling: Session started"]
[any where notification == "VPN Tunneling: Session started"]
until [any where notification == "VPN Tunneling: Session ended"]

Hi kossde,

At this time it is not possible to "pipe" information from one event to the query of the next.

That having been said, though, you might be able to use a threshold rule to get better results within this limitation. If you use a threshold rule grouped on user.name and use the unique values counter to detect a source.ip count of >= 2, you will detect VPN sessions started for one user from two different IP sources.

If you want to get real fancy you could even go for three detections:

  1. The EQL you have as building block 1
  2. The Threshold I mentioned as building block 2
  3. An EQL rule which looks something like:
sequence by user.name with maxspan=15m
  [any where signal.rule.name == "building block 1"]
  [any where signal.rule.name == "building block 2"]

This means that if both rules (both halves of the logic) have triggered, the final one will trigger and show up as a signal. The other two will be hidden by default as building blocks.
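As an added illustration of both halves of this thread (the cross-event IP comparison the question asks for, and the threshold-rule approximation suggested in the answer), here is a small Python model of the two detections run over constructed VPN events. It is not code from the original posts or from the detection engine; the event dicts, field names (`user.id`, `source.ip`, `notification`, `@timestamp`) and the 30-minute window are assumptions chosen to mirror the rule in the question. The point it makes: the unmodified sequence also fires on a reconnect from the same address, and the threshold rule also fires when the second address appears only after the first session ended, so the two approaches disagree on exactly the edge cases the thread is about.

```python
from collections import defaultdict
from datetime import datetime, timedelta

START = "VPN Tunneling: Session started"
END = "VPN Tunneling: Session ended"

# Constructed sample events (not taken from the thread). Each dict mimics
# the ECS-style fields the poster's EQL rule reads.
EVENTS = [
    {"@timestamp": "2024-03-01T10:00:00", "user.id": "alice", "source.ip": "203.0.113.10", "notification": START},
    # alice reconnects from the same address: the unmodified sequence matches this
    {"@timestamp": "2024-03-01T10:05:00", "user.id": "alice", "source.ip": "203.0.113.10", "notification": START},
    {"@timestamp": "2024-03-01T10:10:00", "user.id": "bob", "source.ip": "198.51.100.7", "notification": START},
    {"@timestamp": "2024-03-01T10:12:00", "user.id": "bob", "source.ip": "198.51.100.7", "notification": END},
    # bob moves to a new address only after the first session ended (no overlap)
    {"@timestamp": "2024-03-01T10:15:00", "user.id": "bob", "source.ip": "192.0.2.44", "notification": START},
    {"@timestamp": "2024-03-01T10:20:00", "user.id": "carol", "source.ip": "203.0.113.99", "notification": START},
    # carol: a second session from a different address while the first is still open
    {"@timestamp": "2024-03-01T10:22:00", "user.id": "carol", "source.ip": "192.0.2.8", "notification": START},
]


def overlapping_sessions(events, require_distinct_ip=True):
    """Stateful equivalent of the poster's EQL sequence.

    Per user, remember the source IP of the first still-open session.
    A later session start while that session is open completes the
    sequence; a session end clears the state (the rule's 'until').
    With require_distinct_ip=True the second start must come from a
    different source IP, the cross-event comparison EQL cannot express.
    Returns (user, first_ip, second_ip) tuples in event order.
    """
    open_ip = {}  # user -> source.ip of the first still-open session
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        user, ip, kind = ev["user.id"], ev["source.ip"], ev["notification"]
        if kind == END:
            open_ip.pop(user, None)
        elif kind == START:
            first_ip = open_ip.get(user)
            if first_ip is None:
                open_ip[user] = ip
            elif not require_distinct_ip or first_ip != ip:
                hits.append((user, first_ip, ip))
    return hits


def threshold_hits(events, window=timedelta(minutes=30), min_unique=2):
    """Emulates the suggested threshold rule: group session starts by
    user, count distinct source.ip values inside a sliding window and
    alert once that count reaches min_unique. Stateless by design: it
    does not know whether the earlier session has already ended.
    Returns {user: set_of_source_ips} for users that crossed the threshold.
    """
    starts = defaultdict(list)  # user -> [(timestamp, source.ip)]
    for ev in events:
        if ev["notification"] == START:
            starts[ev["user.id"]].append(
                (datetime.fromisoformat(ev["@timestamp"]), ev["source.ip"]))
    alerts = {}
    for user, rows in starts.items():
        rows.sort()
        for ts, _ in rows:
            ips = {ip for t, ip in rows if ts - window <= t <= ts}
            if len(ips) >= min_unique:
                alerts[user] = ips
                break
    return alerts


if __name__ == "__main__":
    print("sequence, any IP        :", overlapping_sessions(EVENTS, require_distinct_ip=False))
    print("sequence, distinct IP   :", overlapping_sessions(EVENTS))
    print("threshold >= 2 source.ip:", threshold_hits(EVENTS))
```

Run as a script it prints the three result sets: only carol satisfies the "different IP while the first session is still open" condition, alice is a false positive of the unmodified sequence, and bob is a false positive of the threshold rule. The three-rule building-block chain from the answer narrows this to users flagged by both detections, which here is again only carol.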
