
Custom Alert Question


creosec labs


Since the "ThisAccountName" username has static credentials on all servers and has an unrestricted sudo role (able to execute any command), anyone with knowledge of the password to "ThisAccountName" can remotely log in to any server. Since we can't restrict the related sudo role and are unable to use SSH keys for authentication, I am asking to be notified in case the "ThisAccountName" username is used to log in from any device except certain IP addresses.

So I would like to create some type of rule where, if I see the "ThisAccountName" username coming from any IP address other than those 3 known IP addresses, I would like to get alerted. The logs show that this is the normal action message:

"'Accepted password for "ThisAccountName" username from" AND NOT ("XXX.XXX.XXX.123" or "XXX.XXX.XXX.456" or "XXX.XXX.XXX.789")

Is it a boolean expression that I need?

 

Thanks in advance


Hi,

 

A boolean search filter is best used for 'Yes' or 'No' situations. In your scenario, you need to match pattern1 but not match pattern2, 3, 4. So it will require a Regular Expression search filter to be created and used with the alert. To do this, you can navigate to Home > Search > All Search Filters. Here you can choose the option "Regular Expression". You can work on a regex that performs the matching the way you want it. I have an example: ThisAccountName(|(!^123$)|(!^456$)|(!^789$))

The above regex will match the word ThisAccountName and will not match anything that has 123, 456, 789. This is an example of how a regex with "match pattern1 AND NOT patternX" looks. You can try building a similar one for your exact scenario and use that in your alert.

If you need further assistance with this and would require some advanced help, don't hesitate to create a support ticket with us at support.tibco.com. Hope this helps!

Regards,

Manoj.
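As an added example (not part of either post above, and not TIBCO's own code), the following Python script shows the "match pattern1 AND NOT patternX" idea as a single regular expression with a negative lookahead, and runs it over constructed sshd log lines. It assumes the standard OpenSSH message format `Accepted <method> for <user> from <ip> port <n> ssh2`; the hostnames, PIDs and addresses (10.0.0.123, 10.0.0.45 and 10.0.0.89 standing in for the three known addresses) are made up for the demonstration. It goes slightly beyond the question by matching any accepted authentication method, not only `password`, so a later switch to keys does not silently bypass the alert. Whether the product's Regular Expression search filter engine supports lookahead is not stated on this page; test the pattern in the filter before relying on it.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample sshd log lines (not from the original post).
SAMPLE_LOG = """\
Jan 10 10:01:02 host1 sshd[1234]: Accepted password for ThisAccountName from 10.0.0.123 port 51234 ssh2
Jan 10 10:02:02 host1 sshd[1235]: Accepted password for ThisAccountName from 10.0.0.77 port 51235 ssh2
Jan 10 10:03:02 host2 sshd[1236]: Accepted password for alice from 10.0.0.77 port 51236 ssh2
Jan 10 10:04:02 host2 sshd[1237]: Failed password for ThisAccountName from 10.0.0.77 port 51237 ssh2
Jan 10 10:05:02 host3 sshd[1238]: Accepted password for ThisAccountName from 10.0.0.12 port 51238 ssh2
Jan 10 10:06:02 host3 sshd[1239]: Accepted publickey for ThisAccountName from 10.0.0.89 port 51239 ssh2
Jan 10 10:07:02 host4 sshd[1240]: Accepted publickey for ThisAccountName from 192.0.2.50 port 51240 ssh2
"""

# Constructed allow-list standing in for the three known addresses in the post.
ALLOWED_IPS = ["10.0.0.123", "10.0.0.45", "10.0.0.89"]
ACCOUNT = "ThisAccountName"


def build_alert_pattern(account: str, allowed_ips: Iterable[str]) -> "re.Pattern[str]":
    """Compile a regex that matches a successful login for `account`
    from any source address that is NOT in `allowed_ips`.

    The exclusion is a negative lookahead placed right after "from ":
    the match fails if the next token is one of the allowed addresses
    followed by whitespace or end of line. The trailing (?:\\s|$) is
    essential: without it 10.0.0.12 would be treated as allowed because
    it is a prefix of 10.0.0.123.
    """
    alternatives = "|".join(re.escape(ip) for ip in allowed_ips)
    return re.compile(
        rf"Accepted \S+ for {re.escape(account)} from "   # any auth method
        rf"(?!(?:{alternatives})(?:\s|$))"               # NOT an allowed IP
        r"(?P<ip>\S+)"                                   # capture the offender
    )


def find_alerts(log_text: str, account: str, allowed_ips: Iterable[str]) -> List[Dict[str, str]]:
    """Scan syslog-style sshd lines and return one record per login that should alert."""
    pattern = build_alert_pattern(account, allowed_ips)
    # "Mon DD HH:MM:SS host sshd[" -> pull the reporting host out of the prefix.
    host_re = re.compile(r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[")
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue  # wrong user, failed login, or allowed source address
        h = host_re.match(line)
        alerts.append({
            "host": h.group("host") if h else "?",
            "ip": m.group("ip"),
            "line": line,
        })
    return alerts


if __name__ == "__main__":
    print("Pattern:", build_alert_pattern(ACCOUNT, ALLOWED_IPS).pattern)
    for a in find_alerts(SAMPLE_LOG, ACCOUNT, ALLOWED_IPS):
        print(f"ALERT host={a['host']} src={a['ip']}")
```

Running the script flags three of the seven constructed lines: the password login from 10.0.0.77, the login from 10.0.0.12 (which a lookahead without the `(?:\s|$)` guard would wrongly accept as a prefix of 10.0.0.123), and the key-based login from 192.0.2.50. Lines for other users, failed attempts, and logins from the allow-listed addresses produce no alert.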

