Can the content of a field be used in a regex condition in another field of the same event to trigger an alert?
Username is stored in the “subject” field, and should match the second directory in the object field where the item that was accessed is saved.
Subject: “username”, Object: “C:\Users\content_of_subject_field\…” (Windows) or Object: “/home/content_of_subject_field/…” (Unix), plus username ‘root’ accessing any /home/… directory.
Failed unauthorized access attempt: if the event status is “Audit_Failure”, and accesses: “ReadData or WriteData”, and not matching case-insensitive regex search "\w:\Users\content_of_subject_field\.+" a certain number of attempts over a period of time (e.g. 10 times in 5 minutes) by the same subject, without the need to explicitly specify the Subject (it is a regex match of the content of the Subject field in the Object field).
Security incident following a single occurrence of an object access “AUDIT_SUCCESS” with Subject: “subject”, and Object: “C:\Users\other_than_content_of_Subject_field\…”. An access of ReadData is a breach of Confidentiality, WriteData is a breach of Integrity. ReadData may occur on its own, WriteData is almost always coupled with ReadData. Either way, it is an incident that requires immediate response.
Can this be implemented in Graylog? If yes, any tips as to how to go about it?
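The two rules asked for above, worked through as a small stand-alone detector. This is an added example, not code from the original post and not Graylog's own pipeline language; it assumes events carry the fields `subject`, `object`, `status`, `accesses` and an ISO timestamp `ts`, and the sample events are constructed here for illustration. Instead of building a regex out of the Subject field (which would need escaping if a username ever contained regex metacharacters), it extracts the owner of the home/profile directory from the Object path and compares it to the Subject, which is equivalent to the dynamic `\w:\Users\<subject>\.+` match for both the Windows and the Unix layout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Profile/home directory on either platform, capturing the owning username.
# Windows: <drive>:\Users\<owner>\...   Unix: /home/<owner>/...
HOME_RE = re.compile(r"^(?:[a-z]:\\users\\|/home/)([^\\/]+)[\\/]", re.IGNORECASE)


def home_owner(obj):
    """Username whose home/profile directory contains obj, or None if obj is elsewhere."""
    m = HOME_RE.match(obj)
    return m.group(1) if m else None


def is_mismatch(subject, obj):
    """True when the subject touches a home directory that is not its own."""
    owner = home_owner(obj)
    if owner is None:
        return False  # not under any home directory: out of scope for this rule
    if subject.lower() == "root" and obj.startswith("/home/"):
        return True  # root accessing /home/* (its own home is /root)
    return owner.lower() != subject.lower()  # case-insensitive, like the regex


class AccessDetector:
    """Stateful evaluation of the two alerts described in the question."""

    def __init__(self, threshold=10, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # subject -> timestamps of mismatched failures

    def process(self, event):
        """Evaluate one event and return the alerts it raises (usually none)."""
        subject, obj = event["subject"], event["object"]
        status = event["status"].upper()
        accesses = event["accesses"]
        ts = datetime.fromisoformat(event["ts"])
        alerts = []
        if not any(a in accesses for a in ("ReadData", "WriteData")):
            return alerts
        if not is_mismatch(subject, obj):
            return alerts
        if status == "AUDIT_FAILURE":
            q = self.failures[subject]
            q.append(ts)
            while q and ts - q[0] > self.window:  # drop attempts outside the window
                q.popleft()
            if len(q) >= self.threshold:
                alerts.append({"type": "repeated_unauthorized_attempts", "subject": subject,
                               "count": len(q), "last_object": obj})
                q.clear()  # fire once per burst, then start counting again
        elif status == "AUDIT_SUCCESS":
            # WriteData (almost always with ReadData) is an Integrity breach, ReadData alone Confidentiality
            breach = "Integrity" if "WriteData" in accesses else "Confidentiality"
            alerts.append({"type": "incident", "subject": subject, "object": obj,
                           "breach": breach, "accesses": accesses})
        return alerts

    def run(self, events):
        return [a for e in events for a in self.process(e)]


def _ev(ts, subject, status, accesses, obj):
    return {"ts": ts, "subject": subject, "status": status, "accesses": accesses, "object": obj}


# Constructed sample events (not real audit logs), in time order.
SAMPLE_EVENTS = [
    _ev("2024-01-01T10:00:00", "alice", "AUDIT_SUCCESS", "ReadData", r"C:\Users\alice\notes.txt"),
    _ev("2024-01-01T10:00:05", "carol", "AUDIT_SUCCESS", "WriteData", "/home/carol/.bashrc"),
    _ev("2024-01-01T10:01:00", "bob", "AUDIT_SUCCESS", "ReadData, WriteData", r"C:\Users\Alice\payroll.xlsx"),
    _ev("2024-01-01T10:02:00", "root", "AUDIT_SUCCESS", "ReadData", "/home/carol/.ssh/id_ed25519"),
] + [
    _ev(f"2024-01-01T10:03:{i * 5:02d}", "alice", "AUDIT_FAILURE", "ReadData", r"C:\Users\bob\secret.txt")
    for i in range(10)  # 10 mismatched failures within 50 seconds
]

if __name__ == "__main__":
    for alert in AccessDetector().run(SAMPLE_EVENTS):
        print(alert)
```

Mapped onto Graylog as I would approach it (my suggestion, not a tested configuration): the owner extraction and the `is_mismatch` comparison belong in a pipeline rule that sets a boolean field such as `home_mismatch` on each message, so the event definitions then only need to filter on that field plus `status`, with the failure rule aggregating a count grouped by `subject` over a 5-minute search window and the success rule firing on a single message.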