This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Conditional Categorization

JoeGumke
Beginner
Beginner

‎2017-09-29 08:52 AM

How do we properly categorize events with different fields populating needed information to categorize the event?

 

Sample Log:

 

2017-09-28 15:14:31.930^^AUDIT^^User Management Service^^samplehost^^Logged in. User's last login date updated^^themountain@westoros^^Login^^SUCCESS

 

Login and success are parsed two different fields. How do we categorize events that have multiple values to properly categorize this. This event would be categorized as :

 

One of the two :

User.Activity.Successful Logins

Auth.Successful

0 Likes
4 REPLIES 4

SravanKoneti1
Beginner
Beginner

‎2017-10-03 05:48 AM

Hi Joseph Gumke‌,

 

I understand Login and Success meta values coming in two different meta keys and you would like to categorize the event. Please use Application rule to categorize when two values found in the event. 

 

https://community.rsa.com/docs/DOC-64189 

0 Likes

JoeGumke
Beginner
Beginner
In response to SravanKoneti1

‎2017-10-04 11:54 AM

what inside of the log parser can we do this with? Its not sustainable for any customer to have hundreds/thousands of app rules to manage/deploy (ensure they are consistently deployed).

0 Likes

SravanKoneti1
Beginner
Beginner
In response to JoeGumke

‎2017-10-04 12:05 PM

Hi XDudADtNBir2yWTvsAvML3S8A4BmZKPAABc5iGXZy0M=‌, 

 

Yes. We can customize the existing parser using ESI tool. Please use below screenshot for reference.

 

ESI_EventCategory.PNG

1. Identify the message ID

2. Then mention Event Category

0 Likes

JoeGumke
Beginner
Beginner

‎2017-10-04 12:12 PM

thats statically assigning values to categories, which is not a good practice. we leverage tag value maps to make our parsers dynamic as possible, the less the amount of header/message parsers the better. So we now have situations where we cannot statically assign a category (successful authentication for instance) to an event that populates event.type = login, and result = successful to two different tags. I need a method where we can use the log parsing engine to properly categorize events that placed in two separate tags, and using some advanced logic to properly categorize events.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.