ArcSight Discussions

Using "Contains" operator with 2 Fields (Destination User Name & Local Variable)

Youssef ElSayed
Contributor.

Hello,

I'm trying to make a rule that checks if the first or last name from the Source User Name exists in the Destination User Name, but unfortunately I cannot use either "Contains" or "In" with 2 fields, such as:

Destination User Name Contains LocalVariable1

Any advice on how to overcome this issue?

I'm using ArcSight 6.9.1

5 REPLIES
David Bau
Outstanding Contributor.

Re: Using "Contains" operator with 2 Fields (Destination User Name & Local Variable)

Hello Youssef

You can try something like this

Create six variables, 

1. extracts the first name from the sourceusername

2. extracts the last name from the sourceusername

3. extracts the first name from the destinationusername

4. extracts the last name from the destinationusername

5. conditional variable that compares if the first names match

6. conditional variable that compares if the last names match

Group all of them to one global variable and use it as a filter or rule

See example below

Be sure to keep in mind that you have lower/upper case chars (you can use the toupper or tolower vars to handle that)

Best regards

David


compare-names.PNG

local-vars.PNG

Global-var.PNG

Youssef ElSayed
Contributor.

Re: Using "Contains" operator with 2 Fields (Destination User Name & Local Variable)

Thank you David for your prompt reply.

It's not clear how the comparison is made between the variables, would you please show me the condition that compares First or Last names? As the '=' operator already allows comparing 2 variables for an exact match.

But what I'm trying to do here is to check whether the first or last name from the sourceUserName is a substring of the destinationUserName, for example:

sourceUserName: youssef.elsayed@xyz.com

destinationUserName: youssef2017@gmail.com or yelsayed17@hotmail.com etc.

The aim of this rule is detecting similarities between the sender and the receiver e-mails for monitoring data exfiltration.

I was able to extract the First and Last names from the sourceUserName (using basic methods as I'm not familiar with Regex), but I'm trying to find a workaround for the "Contains" operator.

Variables.PNG

Youssef ElSayed
Contributor.

Re: Using "Contains" operator with 2 Fields (Destination User Name & Local Variable)

Hello David,

I might have found another "basic" way of doing it, by using index_of function. I check to find the index of the source first/last names in the DestinationUserName, if the returned value is >=0, then the name is a substring, else -1.

Example:

index_of(GetSourceFirstName, DestinationUserName) >= 0

or

index_of(GetSourceLastName, DestinationUserName) >= 0

Would you suggest any further enhancement?
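
The following Python script is an added illustration, not part of the original thread or of ArcSight itself. It re-implements outside the console the logic both replies build with ArcSight variables: David's extraction of first and last names from the user name fields (lower-cased, as he advises), and Youssef's index_of substring check with the "\>= 0 means match, -1 means no match" convention. The sample events, the assumption that the local part of the e-mail is separated by ".", "_" or "-", and the minimum name length are constructed for the example.

```python
"""
Added example (not from the ArcSight thread): stand-alone re-implementation of the
"source first/last name is a substring of the destination user name" check.
Sample events, the separator set and min_len are assumptions for illustration.
"""
import re

# Constructed sample events: (sourceUserName, destinationUserName) pairs as an
# e-mail connector might populate them. Not real log data.
SAMPLE_EVENTS = [
    ("youssef.elsayed@xyz.com", "youssef2017@gmail.com"),
    ("youssef.elsayed@xyz.com", "yelsayed17@hotmail.com"),
    ("youssef.elsayed@xyz.com", "accounts-payable@vendor.example"),
    ("Jane_Doe@xyz.com", "JDOE@protonmail.com"),
    ("jdoe@xyz.com", "someone@else.example"),
]


def split_name(user_name):
    """Return (first, last) from an e-mail local part such as 'first.last@domain'.

    Mirrors the thread's first/last-name extraction variables. Everything is
    lower-cased first (David's toupper/tolower advice) so case differences
    between source and destination do not hide a match. Treating '.', '_' and
    '-' as separators is an assumption. With no separator, last is None.
    """
    local = user_name.split("@", 1)[0].lower()
    parts = [p for p in re.split(r"[._-]", local) if p]
    if len(parts) >= 2:
        return parts[0], parts[-1]
    return (parts[0] if parts else local), None


def index_of(needle, haystack):
    """Same contract as the index_of function in the thread: position of needle
    in haystack, or -1 when it does not occur."""
    return haystack.find(needle)


def names_overlap(source_user, destination_user, min_len=3):
    """Return which of the source names ('first', 'last') occur as a substring
    of the destination user name; an empty list means no overlap.

    The destination is compared as a whole (local part and domain), exactly as
    the thread's index_of(..., DestinationUserName) does. min_len is an
    assumption added here: very short fragments such as 'al' or 'li' would
    match almost any address and flood the rule with false positives.
    """
    first, last = split_name(source_user)
    dest = destination_user.lower()
    matched = []
    for label, name in (("first", first), ("last", last)):
        if name and len(name) >= min_len and index_of(name, dest) >= 0:
            matched.append(label)
    return matched


def flag_events(events):
    """Run the check over a batch of events; return only the ones that would
    fire the rule, with the names that matched."""
    hits = []
    for src, dst in events:
        matched = names_overlap(src, dst)
        if matched:
            hits.append((src, dst, matched))
    return hits


if __name__ == "__main__":
    for src, dst, matched in flag_events(SAMPLE_EVENTS):
        print(f"MATCH {src} -> {dst} ({', '.join(matched)} name overlap)")
```

Running the script flags the two Gmail/Hotmail addresses from Youssef's own example plus the Jane_Doe pair, and leaves the unrelated vendor and "someone@else" destinations alone. The min_len guard and the lower-casing are the two refinements worth carrying back into the ArcSight variables: without them a two-letter first name or a mixed-case destination will respectively over- and under-match.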

David Bau
Outstanding Contributor.

Re: Using "Contains" operator with 2 Fields (Destination User Name & Local Variable)

Hello Youssef

Your idea seems interesting as well. If it gets the job done then that's what matters :)


Regarding your question about conditional variables

This variable runs against a condition and provides true or false options to be created on demand

Here are the conditional vars I used for this example

Cond1.PNG

Cond2.PNG

Cond3.PNG

By the way, it may be much more effective to do all of this via the connector and not the console, since you can use the extractregextoken and conditional mappings in the parser

Best regards

David


Youssef ElSayed
Contributor.

Re: Using "Contains" operator with 2 Fields (Destination User Name & Local Variable)

Thank you very much for your assistance.