This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Comparing two different types of meta in ESA Rule

Go to solution
MaximMarchenko
Occasional Contributor
Occasional Contributor

‎2020-12-28 11:23 PM

Hello.

 

It may be a stupid question but I'm not a programmer.

 

So, how can I compare two different types of meta in ESA Rule(EPL) statement.

 

I need to compare string with string[]

user_dst which is string and host_src which is string[];

 

like this: user_dst != host_src (don't ask me why - due to Windows logs parsing things).

 

I understand that somehow I have to make string to be string[](or vice versa) to compare them.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
JoshRandall
Valued Contributor Valued Contributor
Valued Contributor
In response to DaveGlover

‎2020-12-29 12:51 AM

Here's a good reference for working with string[] types: https://community.rsa.com/docs/DOC-104243#Multi-Va 

 

The getIntersection function is useful for correlating two string[] metakeys.

 

For your use case...if you need a case-sensitive match:

 

@RSAAlert
SELECT * FROM Event (
   user_dst = ANY(host_src)
);‍‍‍

...or if you need a case-insensitive match:

@RSAAlert
SELECT * from Event(
   isOneOfIgnoreCase(host_src,{user_dst})
);‍‍‍

 

Or for a mutli-event correlation...

@RSAAlert
SELECT * from PATTERN[EVERY
   (
   s1=Event(user_dst IS NOT NULL)
   )
  ->
   (
   s2=Event(host_src IS NOT NULL AND s1.user_dst=ANY(host_src))
   )
   WHERE
   timer:within(1 min)
];‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Mr. Mongo

View solution in original post

4 REPLIES 4

Go to solution
DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2020-12-28 11:37 PM

Maxim

 

I don't have the syntax handy at the moment, but the function you are looking for is an 'intersection'

 

In the morning I will post an example of the syntax that you will need to use

 

Dave

0 Likes

Go to solution
MaximMarchenko
Occasional Contributor
Occasional Contributor
In response to DaveGlover

‎2020-12-29 12:30 AM

Thank you, will be waiting for your answer.

0 Likes

Go to solution
JoshRandall
Valued Contributor Valued Contributor
Valued Contributor
In response to DaveGlover

‎2020-12-29 12:51 AM

Here's a good reference for working with string[] types: https://community.rsa.com/docs/DOC-104243#Multi-Va 

 

The getIntersection function is useful for correlating two string[] metakeys.

 

For your use case...if you need a case-sensitive match:

 

@RSAAlert
SELECT * FROM Event (
   user_dst = ANY(host_src)
);‍‍‍

...or if you need a case-insensitive match:

@RSAAlert
SELECT * from Event(
   isOneOfIgnoreCase(host_src,{user_dst})
);‍‍‍

 

Or for a mutli-event correlation...

@RSAAlert
SELECT * from PATTERN[EVERY
   (
   s1=Event(user_dst IS NOT NULL)
   )
  ->
   (
   s2=Event(host_src IS NOT NULL AND s1.user_dst=ANY(host_src))
   )
   WHERE
   timer:within(1 min)
];‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Mr. Mongo

Go to solution
MaximMarchenko
Occasional Contributor
Occasional Contributor
In response to JoshRandall

‎2020-12-29 01:12 AM

Thank you, looks like what I want:

@RSAAlert
SELECT * FROM Event (
   user_dst != ANY(host_src)
);
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.