Jump to content
We've recently updated our Privacy Statement, available here. ×

Custom Alert Question

creosec labs

Recommended Posts

Since the "ThisAccountName"username has static credentials on allservers and has unrestricted sudo role (able to execute any command) anyone with knowledge of the password to "ThisAccountName" can remotely login to any server. Since we cant restrict related sudo role and unable to use SSH keys for authentication I am asking to notify in case if "ThisAccountName"username is used to login from any device except certain IP Addresses.

So I would like to create some type of rule where if I see "ThisAccountName" username coming from any other IP address except those known 3 IP Addresses then I would ike to get alerted. So the logs show that this is the normal action message:

"'Accepted password for "ThisAccountName" usernamefrom" AND NOT ("XXX.XXX.XXX.123" or "XXX.XXX.XXX.456" or "XXX.XXX.XXX.789")

Is it a boolean expressiont that I need


Thanks in advance

Link to comment
Share on other sites



A boolean search filter is best used for'Yes' or 'No' situations. In your scenario, you are needing a Match pattern1 but don't match pattern2,3,4. So it will require a Regular expression search filter to be created and be used with the alert. To do this, you can navigate toHome > Search > All Search Filters. Here you can choose the option "Regular Expression". You can work on a regex that can perform the matching the way you want it. I have an example:ThisAccountName(|(!^123$)|(!^456$)|(!^789$))

That above regex will match the word ThisAccountName and will not match anything that has 123, 456, 789. This is an example of how regex with Match pattern1 AND NOT patternXlooks like. You can try building a similar one for the exact scenario and use that in your alert.

If you need further assistance with this and would require some advanced help, don't hesitate to create a support ticket with us at support.tibco.com. Hope this helps!



Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...