2020-12-28 11:23 PM
Hello.
It may be a stupid question, but I'm not a programmer.
So, how can I compare two different types of meta in an ESA Rule (EPL) statement?
I need to compare a string with a string[]:
user_dst, which is a string, and host_src, which is a string[];
like this: user_dst != host_src (don't ask me why - due to Windows log parsing things).
I understand that somehow I have to make the string a string[] (or vice versa) to compare them.
2020-12-28 11:37 PM
Maxim
I don't have the syntax handy at the moment, but the function you are looking for is an 'intersection'.
In the morning I will post an example of the syntax that you will need to use.
Dave
2020-12-29 12:30 AM
Thank you, will be waiting for your answer.
2020-12-29 12:51 AM
Here's a good reference for working with string[] types: https://community.rsa.com/docs/DOC-104243#Multi-Va
The getIntersection function is useful for correlating two string[] metakeys.
For your use case...if you need a case-sensitive match:
@RSAAlert
SELECT * FROM Event (
user_dst = ANY(host_src)
);
...or if you need a case-insensitive match:
@RSAAlert
SELECT * from Event(
isOneOfIgnoreCase(host_src,{user_dst})
);
Or for a multi-event correlation...
@RSAAlert
SELECT * from PATTERN[EVERY
(
s1=Event(user_dst IS NOT NULL)
)
->
(
s2=Event(host_src IS NOT NULL AND s1.user_dst=ANY(host_src))
)
WHERE
timer:within(1 min)
];
2020-12-29 01:12 AM
Thank you, looks like what I want:
@RSAAlert
SELECT * FROM Event (
user_dst != ANY(host_src)
);
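An added example, not from the thread, showing how Esper EPL evaluates a comparison against a string[] with ANY versus ALL, since "!= ANY" and "is not in the list" are not the same check. The metakeys user_dst and host_src are the ones from the question; the guards and the three rule variants are mine.

```epl
// Added example (not from the thread). In Esper EPL, "op ANY(array)" is true
// when the comparison holds for at least one element of the array;
// "op ALL(array)" is true only when it holds for every element.

// "user_dst != ANY(host_src)" fires whenever user_dst differs from at least
// one element of host_src. If host_src holds two or more hosts, this fires
// even when user_dst is one of them, which is rarely the intended check.
@RSAAlert
SELECT * FROM Event(
    user_dst IS NOT NULL AND host_src IS NOT NULL
    AND user_dst != ANY(host_src)
);

// "user_dst != ALL(host_src)" fires only when user_dst matches none of the
// elements, i.e. "user_dst is not in host_src". This is the usual meaning
// of a "!=" between a string and a string[].
@RSAAlert
SELECT * FROM Event(
    user_dst IS NOT NULL AND host_src IS NOT NULL
    AND user_dst != ALL(host_src)
);

// The same "not in the list" check written as a negation of the answer's
// "= ANY" form. The IS NOT NULL guards keep events missing either key from
// producing a null comparison result instead of true/false.
@RSAAlert
SELECT * FROM Event(
    user_dst IS NOT NULL AND host_src IS NOT NULL
    AND NOT (user_dst = ANY(host_src))
);
```

Both ANY and ALL are case-sensitive; for a case-insensitive "not in the list" check, negate the isOneOfIgnoreCase form from the answer instead.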