2018-08-01 06:07 PM
Hello,
First, I'm very new to EPL and fairly new to NetWitness, so sorry for the basic question. I'm trying to modify the OOB "Malware Dropper" rule to not include events with certain alias_host fields.
I created a variable like so:
create variable string[] Dropper_Whitelist = {
'acroipm1.adobe.com',
'acroipm2.adobe.com',
'ardownload.adobe.com',
'support.content.office.mirosoft.com'
};
and am later doing:
...
AND
alias_host != any(Dropper_Whitelist)
...
But the rule won't deploy, even though the syntax checks out.
I believe the problem is that I need to iterate over alias_host since it is an array and check each one individually against Dropper_Whitelist.
Can anyone provide some guidance?
Thanks.
2018-08-03 01:51 PM
My solution, for if anyone else comes along behind me:
...
AND
alias_host.allOf(i => i != all(Dropper_Whitelist))
...
This iterates over alias_host as i and returns true if, and only if, i does not match any value in Dropper_Whitelist.
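To make the semantics of that fix concrete, here is an added Python model (not EPL, and not code from the original post) of the allowlist check over a multi-valued field. The allowlist entries and sample events are constructed placeholders, not the Dropper_Whitelist values above. It shows what allOf(i => i != all(list)) keeps: an event is suppressed as soon as any one of its alias_host values is allowlisted, which differs from the alternative "keep if any host is unknown" reading. The normalize option is an assumption added here for comparison; the EPL in the thread does exact, case-sensitive string comparison, so a host that differs only in case would slip past the allowlist.

```python
"""Model of allowlist semantics for a multi-valued field (added example)."""

# Constructed allowlist; stands in for the thread's Dropper_Whitelist values.
DROPPER_ALLOWLIST = frozenset({
    "updates.vendor-a.example",
    "cdn.vendor-b.example",
})

# Constructed sample events; alias_host is multi-valued, as in NetWitness meta.
SAMPLE_EVENTS = [
    {"id": "e1", "alias_host": ["updates.vendor-a.example"]},
    {"id": "e2", "alias_host": ["drop.attacker.example"]},
    {"id": "e3", "alias_host": ["updates.vendor-a.example", "drop.attacker.example"]},
    {"id": "e4", "alias_host": []},
    {"id": "e5", "alias_host": ["UPDATES.Vendor-A.example."]},
]


def normalize_host(host: str) -> str:
    """Lower-case and strip a trailing dot so DNS-equivalent names compare equal.
    Assumed helper: the EPL in the thread compares raw strings and does not do this."""
    return host.lower().rstrip(".")


def all_hosts_outside(alias_host, allowlist, normalize=False):
    """Model of alias_host.allOf(i => i != all(allowlist)).

    True only when every value is outside the allowlist, so an event carrying one
    allowlisted host and one unknown host is suppressed. Python's all() is vacuously
    true for an empty list; confirm how the deployed rule treats events with no
    alias_host before relying on this edge case."""
    hosts = [normalize_host(h) if normalize else h for h in alias_host]
    return all(h not in allowlist for h in hosts)


def any_host_outside(alias_host, allowlist, normalize=False):
    """Alternative semantics: keep the event if at least one host is not allowlisted.
    Returns False for an empty alias_host, i.e. it fails closed."""
    hosts = [normalize_host(h) if normalize else h for h in alias_host]
    return any(h not in allowlist for h in hosts)


def events_kept(events, predicate, **kw):
    """Return the ids of events that pass the allowlist condition."""
    return [e["id"] for e in events if predicate(e["alias_host"], DROPPER_ALLOWLIST, **kw)]


if __name__ == "__main__":
    print("allOf semantics (thread's fix):", events_kept(SAMPLE_EVENTS, all_hosts_outside))
    print("anyOf semantics:", events_kept(SAMPLE_EVENTS, any_host_outside))
    print("allOf + normalized:", events_kept(SAMPLE_EVENTS, all_hosts_outside, normalize=True))
```

Event e3 is the one to watch: with the thread's allOf condition it is suppressed because one of its hosts is allowlisted, while the anyOf reading would still alert on it. Which behaviour you want depends on whether a single allowlisted host in an event should be enough to discount the whole event.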