negated json_meta_content key missing in log breaks detection #87

@bryant-smith

Description

In the rule below, the json_meta_content is looking to make sure the value of .Actor[2].Type is not 1 or 2, but in some of the logs the .Actor key isn't present. If the key isn't present, the rule automatically fails. If the json_meta_content is being negated with !, then the rule should continue to process the rest of the rule. This may also be an issue with other json_* keywords.

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-AZURE-AD-GEOIP] Login from outside HOME_COUNTRY"; json_meta_content:!".Actor[2].Type",1,2; content:"ClientIP"; json_content: ".Workload", "AzureActiveDirectory"; json_content: ".Operation", "UserLoggedIn"; country_code: track by_src, isnot $HOME_COUNTRY; json_map: "src_ip", ".ClientIP"; json_map: "dest_ip", ".ClientIP"; json_map: "username", ".UserID"; json_map: "program",".Workload"; classtype: successful-user; sid:5004788; rev:2; metadata:updated_at 2023_08_01;)
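To make the expected semantics concrete, here is a small Python emulation, added for this page and not the project's own code, that runs the rule's json_meta_content, content and json_content checks over three constructed Azure AD sign-in records (the country_code GeoIP check and json_map are left out). The functions json_lookup, json_meta_content and matching_users are my own names; the missing_fails_negated flag reproduces the behaviour reported above, where an absent key makes the negated keyword fail, and the default shows the behaviour the issue asks for.

```python
import json
import re
# Constructed Azure AD sign-in records: the first has .Actor[2].Type == 1, the
# second has no .Actor key at all, the third has a Type outside {1, 2}.
SAMPLE_LOGS = [
    '{"Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","ClientIP":"203.0.113.7",'
    '"UserID":"alice@example.com","Actor":[{"Type":0},{"Type":0},{"Type":1}]}',
    '{"Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","ClientIP":"203.0.113.8",'
    '"UserID":"bob@example.com"}',
    '{"Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","ClientIP":"203.0.113.9",'
    '"UserID":"carol@example.com","Actor":[{"Type":0},{"Type":0},{"Type":5}]}',
]
_MISSING = object()  # sentinel: "key absent" is distinct from a null or empty value

def json_lookup(doc, path):
    """Resolve a jq-style path such as ".Actor[2].Type"; _MISSING if any step is absent."""
    cur = doc
    for key, idx in re.findall(r'\.([A-Za-z_]\w*)|\[(\d+)\]', path):
        if key:
            if not isinstance(cur, dict) or key not in cur:
                return _MISSING
            cur = cur[key]
        else:
            if not isinstance(cur, list) or int(idx) >= len(cur):
                return _MISSING
            cur = cur[int(idx)]
    return cur

def json_meta_content(doc, path, values, negate, missing_fails_negated=False):
    """Emulate json_meta_content. Plain: true when the value is one of `values`.
    Negated: true when it is not; an absent key counts as "not in values" (the
    behaviour the issue asks for) unless missing_fails_negated reproduces the bug."""
    found = json_lookup(doc, path)
    if found is _MISSING:
        return negate and not missing_fails_negated
    hit = str(found) in {str(v) for v in values}
    return not hit if negate else hit

def matching_users(logs, missing_fails_negated=False):
    """Apply the rule's json_meta_content / content / json_content checks (GeoIP and
    json_map left out) and return the UserID of every record that would alert."""
    alerts = []
    for line in logs:
        doc = json.loads(line)
        if not json_meta_content(doc, ".Actor[2].Type", [1, 2], True, missing_fails_negated):
            continue  # Type was 1 or 2, or the key was missing under the buggy behaviour
        if "ClientIP" not in line or json_lookup(doc, ".Workload") != "AzureActiveDirectory" \
                or json_lookup(doc, ".Operation") != "UserLoggedIn":
            continue
        alerts.append(doc["UserID"])
    return alerts
```

With the default semantics the record lacking .Actor still reaches the later checks and alerts; with missing_fails_negated=True it is silently dropped, which is the gap the report describes.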
