This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How to alert based on multiple meta keys?

UmaMaheshPadise
Beginner
Beginner

‎2017-07-27 11:45 AM

Hi,

Scenerio:

A log is parsed into below meta keys

   aba = 'xxxx'

   dda = 'yyyy'

   .....

 

I have blacklist of aba,dda pair

      blacklisted_account,aba1,dda1

      blacklisted_account,aba2,dda2

 

I need to alert if any log has aba=aba1 and dda=dda1

                         OR               aba=aba2 and dda=dda2

 

I should not alert when aba=aba1 and dda=dda2

 

-----------
One solution i have in mind is as below which i am not sure works.

To create custom meta key which is created while log is parsed by SA

          abadda = aba||'!'||dda

Feed is    

      tags,abadda

       blacklisted_account,aba1!dda1
       blacklisted_account,aba2!dda2

 

ESPER Alert

      'blacklisted_account'=ANY(tags)              

 

-------------

Hence i am looking for a way to create abadda (a custom meta key carved out of existing metakeys)

Or

Alternative way to accomplish above alerting.

 

Thanks,

Uma Mahesh | 7068402149

ADP

0 Likes
12 REPLIES 12

Anonymous
Not applicable
In response to UmaMaheshPadise

‎2017-07-31 11:09 AM

Since this is being done outside of the feed wizard, you'd likely need to script the process. Once the xml is created, a cron job could be created to retrieve the updated CSV and create the feed file using the NwConsole syntax.  Once created, that file could be pushed to the decoders and a feed reload issued.

0 Likes

UmaMaheshPadise
Beginner
Beginner
In response to Anonymous

‎2017-07-31 11:28 AM

So a cron job has to run on SA Broker

 

That does

 

1. Execute below commands in sequence

  • CURL http://application/feeds/multiblacklist.csv

  • NwConsole –c feed create multiblacklist.xml

  • cp *.feed /etc/netwitness/ng/feeds

  • NwConsole –c parsers feed op=notify

 

Uma

0 Likes

Anonymous
Not applicable
In response to UmaMaheshPadise

‎2017-07-31 11:31 AM

That would probably work.  SA server is one place.  NwConsole could be installed anywhere really.  As long as it can get the updated CSV and perform the other functions, it could be run from any system.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.