This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Is it possible to use Arrays.contains with two variables?

Posted on 12-27-2022 07:22 AM
amalone341
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

In the documentation it seems that the arrays.contains function can be used like the following, 

arrays.contains($asset_id_list, "id_1234")

Is it possible to use the function with two variables so I can compare the list with a value in a UDM field?

The following code snippet shows a possible use case for this scenario:

 

rule Example_rule_for_arrays {

  meta:
    author = "amalone"
    description = "Look for a spike in failed logins for a User account followed by a successful login from an IP address associated with a fail"
    severity = "Low"

  events:
    $fail.metadata.event_type = "USER_LOGIN" 
    $fail.security_result.summary = /Failed/ nocase
    $fail.target.user.userid = $user
  
    $success.metadata.event_type = "USER_LOGIN"
    $success.security_result.summary = /Success/ nocase
    $success.target.user.userid = $user

    $fail.metadata.event_timestamp.seconds <= $success.metadata.event_timestamp.seconds
  
  match:
     $user over 2d

  outcome:
    $Total_Fails = count($fail.target.user.userid) // count of total failed logins

    $Failed_login_IPs_Count = count_distinct($fail.principal.ip) // Number of IPs with a failed login to the User
    $Failed_login_IPs_List = array_distinct($fail.principal.ip) // Unique list of IPs with a failed login for the user

    $Success_login_IPs_Count = count_distinct($success.principal.ip) // Number of IPs with a Successful login to the User
    $Success_login_IPs_List = array_distinct($success.principal.ip) // Unique list of IPs with a Successful login for the user
     
  condition:
      // Look for at least 30 fails over 2 days from more than 3 IP addresses.
      // QUESTION: Is there a way to say "The value of $success.principal.ip exists inside of $Failed_login_IPs_List"
      //    note: I don't want to match off of the IP as well as that will cut down on the number of failed login logs
      // 
      // Want to do something like arrays.contains($Failed_login_IPs_List, $success.principal.ip) in the condition
    $fail and $success and $Failed_login_IPs_Count > 3 and $Total_Fails > 30 
}

 

 

0 2 310
Topic Labels
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
christianpaula
Staff
Reply posted on --/--/---- --:-- AM

Hi @amalone341,

Welcome to Google Cloud Community!

Yes, it is possible to use the `arrays.contains` function with two variables in the way you described. Here is how you can do it:
 
condition:
  arrays.contains($Failed_login_IPs_List, $success.principal.ip) and
  $fail and $success and $Failed_login_IPs_Count > 3 and $Total_Fails > 30 ​

This will check if the value of `$success.principal.ip` exists in the list `$Failed_login_IPs_List`, and the rest of the condition will be evaluated only if this is true.
 
Note that the `arrays.contains` function returns a boolean value (either `true` or `false`), so you can use it directly in a condition like this.
 
Thanks

Posted on --/--/---- --:-- AM
amalone341
Bronze 3
Bronze 3
In response to christianpaula
Reply posted on --/--/---- --:-- AM

Hey Christian,

Thanks for the response! 

When I put that snippet of code into the rule it says there is an error on the $success part of $success.principal.ip. The error is as follows:

parsing: error with token: "success"
expected )
line: 41 
column: 44-51

Commenting out the following line will result in a rule that runs properly.

arrays.contains($Failed_login_IPs_List, $success.principal.ip) and

 

0 Likes
Top Solution Authors
View all