creosec labs Posted June 6, 2019

Since the "ThisAccountName" username has static credentials on all servers and has an unrestricted sudo role (able to execute any command), anyone with knowledge of the password to "ThisAccountName" can remotely log in to any server. Since we can't restrict the related sudo role and are unable to use SSH keys for authentication, I am asking to be notified in case the "ThisAccountName" username is used to log in from any device except certain IP addresses.

So I would like to create some type of rule where, if I see the "ThisAccountName" username coming from any other IP address except those 3 known IP addresses, I would like to get alerted.

So the logs show that this is the normal action message:

"Accepted password for "ThisAccountName" username from" AND NOT ("XXX.XXX.XXX.123" or "XXX.XXX.XXX.456" or "XXX.XXX.XXX.789")

Is it a boolean expression that I need?

Thanks in advance
Manoj Tadakamalla Posted June 10, 2019

Hi,

A boolean search filter is best used for 'Yes' or 'No' situations. In your scenario, you need to match pattern 1 but not match patterns 2, 3, 4. So it will require a Regular Expression search filter to be created and used with the alert. To do this, you can navigate to Home > Search > All Search Filters. Here you can choose the option "Regular Expression". You can work on a regex that performs the matching the way you want it. I have an example:

ThisAccountName(|(!^123$)|(!^456$)|(!^789$))

That above regex will match the word ThisAccountName and will not match anything that has 123, 456, 789. This is an example of how a regex with Match pattern 1 AND NOT pattern X looks. You can try building a similar one for the exact scenario and use that in your alert. If you need further assistance with this and would require some advanced help, don't hesitate to create a support ticket with us at support.tibco.com.

Hope this helps!

Regards,
Manoj.
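An added example, not code from either post, that implements the "match ThisAccountName AND NOT the three known addresses" rule over sshd "Accepted" lines, both as a parse-and-compare check and as a single regular expression using a negative lookahead (for filters that accept only one pattern). The account name is taken from the thread; the addresses, host name and log lines are constructed placeholders.

```python
import re

# Constructed placeholders for the three trusted source addresses and the
# shared account; they are not the addresses from the original post.
WATCHED_USER = "ThisAccountName"
ALLOWED_SOURCES = {"203.0.113.10", "203.0.113.20", "203.0.113.30"}

# Fields of an OpenSSH "Accepted" line: auth method, user, source address, port.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# The same rule as one pattern, for filters that take a single regular
# expression: a negative lookahead rejects the allowlisted addresses. The
# " port " inside the lookahead anchors the address, so 203.0.113.100 is not
# mistaken for the allowlisted 203.0.113.10.
_allowed_alt = "|".join(re.escape(ip) for ip in sorted(ALLOWED_SOURCES))
ALERT_RE = re.compile(
    rf"Accepted \w+ for {re.escape(WATCHED_USER)} from (?!(?:{_allowed_alt}) port )\S+ port"
)


def check_login(line):
    """Alert dict for a WATCHED_USER login from a non-allowlisted address, else None."""
    m = ACCEPTED_RE.search(line)
    if m is None or m.group("user") != WATCHED_USER:
        return None
    if m.group("ip") in ALLOWED_SOURCES:
        return None
    return {"user": m.group("user"), "ip": m.group("ip"),
            "method": m.group("method"), "line": line}


def single_regex_alerts(line):
    """Same decision using only ALERT_RE (True means alert)."""
    return ALERT_RE.search(line) is not None


def scan(log_text):
    """Run check_login over every line and collect the alerts."""
    return [a for a in map(check_login, log_text.splitlines()) if a]


# Constructed sample sshd log lines: an allowlisted login, one from an unknown
# address, an unrelated user, and a near-miss address (prefix of an allowlisted one).
SAMPLE_LOG = """\
Jun  6 09:12:01 web01 sshd[2211]: Accepted password for ThisAccountName from 203.0.113.10 port 51234 ssh2
Jun  6 09:15:44 web01 sshd[2290]: Accepted password for ThisAccountName from 198.51.100.7 port 40112 ssh2
Jun  6 09:16:02 web01 sshd[2301]: Accepted publickey for deploy from 198.51.100.7 port 40120 ssh2
Jun  6 09:20:19 web01 sshd[2355]: Accepted password for ThisAccountName from 203.0.113.100 port 40330 ssh2
"""
```

The fourth sample line is the case a substring-style filter gets wrong: "contains 203.0.113.10" would silently suppress a login from 203.0.113.100, while both checks here alert on it.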