This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Rule Logic

Go to solution
Sachin
Contributor
Contributor

‎2021-05-19 01:28 AM

Hi All

 

Which one is correct 

1. user_dst!=ANY(user_src)

2. user_dst!=ALL(user_src)

What is the difference?

 

ESA Rule Creation 

Labels:
0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
JoshRandall
Valued Contributor Valued Contributor
Valued Contributor

‎2021-05-19 12:43 PM

http://esper.espertech.com/release-8.4.0/reference-esper/html/epl_clauses.html#epl-subqueries-anysome

The any subquery condition is true if the expression returns true for one or more of the values returned by the subquery.
...

The all subquery condition is true if the expression returns true for all of the values returned by the subquery.

 

That said....you should only use ANY() and ALL() when evaluating multi-valued meta (i.e.: meta keys that can contain more than one meta value, such as alias.hostaction, etc.)

JoshRandall_0-1621442463361.png

 

For metakeys like user.src and user.dst (which should only ever have a single meta value per event/session), you're better off using syntax like:

  • user_dst != user_src
  • user_dst NOT IN (user_src, event_user, username)

Mr. Mongo

View solution in original post

2 REPLIES 2

Go to solution
JoshRandall
Valued Contributor Valued Contributor
Valued Contributor

‎2021-05-19 12:43 PM

http://esper.espertech.com/release-8.4.0/reference-esper/html/epl_clauses.html#epl-subqueries-anysome

The any subquery condition is true if the expression returns true for one or more of the values returned by the subquery.
...

The all subquery condition is true if the expression returns true for all of the values returned by the subquery.

 

That said....you should only use ANY() and ALL() when evaluating multi-valued meta (i.e.: meta keys that can contain more than one meta value, such as alias.hostaction, etc.)

JoshRandall_0-1621442463361.png

 

For metakeys like user.src and user.dst (which should only ever have a single meta value per event/session), you're better off using syntax like:

  • user_dst != user_src
  • user_dst NOT IN (user_src, event_user, username)

Mr. Mongo

Go to solution
Sachin
Contributor
Contributor
In response to JoshRandall

‎2021-05-31 02:25 AM

Thank you @JoshRandall 

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.