Article Number
000031569
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.5.x
O/S Version: 6
Issue
When writing a query, only the following operators are available:
- =
- !=
- begins
- contains
- ends
- exists
- !exists
- length
- regex
If you want to write a query that is the negative of one of these, for example
- not begins
- not contains
- not ends
then there is no operator available for it. The reason is that such an operator would be very computationally expensive and query performance would be very slow. There is, however, another way.
Task
To solve this issue, create an app rule that tags the meta you are interested in.
For example, suppose you wanted to find all destination usernames that do not begin with foo.
You can create an app rule on your Log Decoder as follows:
- SA GUI -> Services -> Log Decoder -> Config
- App Rules Tab
- Create an App Rule with Rule Name "Account Begins with Foo"
- Condition is user.dst begins foo
- Session Options - Tick Alert and Alert on metakey "Alert"
- Apply the App Rule
Any session whose username begins with foo will now carry the meta "Account Begins with Foo" in the Alert metakey.
Resolution
In your report, use the following in your rule to display all usernames that do not begin with foo:
select: user.dst
where alert != 'Account Begins with Foo'
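The following is an added example that simulates the workaround above in plain Python; it is not RSA code and does not talk to a Log Decoder. It models sessions as dictionaries of multi-valued meta keys (an assumption about the shape, matching the page's use of user.dst and alert), applies an app rule that appends a tag to the alert key, and then runs the report's negated query as "sessions that do not carry the tag". It generalises beyond the page's begins case to the other string operators listed under Issue (contains, ends, regex), and it surfaces one caveat worth checking in a real report: because the tag is session-scoped, a session with two user.dst values where only one begins with foo is excluded as a whole.

```python
import re
import copy

# Constructed sample data (not from the page): each session is a dict of
# meta key -> list of values, mirroring multi-valued meta such as user.dst.
_SAMPLE_SESSIONS = [
    {"id": 1, "user.dst": ["foobar"]},
    {"id": 2, "user.dst": ["admin"]},
    {"id": 3, "user.dst": ["foo", "svc_backup"]},  # one value matches, one does not
    {"id": 4, "user.dst": ["barfoo"]},
    {"id": 5},                                     # no user.dst meta at all
]

# The string operators the page lists as available. The "not ..." forms are
# deliberately absent; negation is achieved by tagging and then excluding the tag.
OPERATORS = {
    "begins":   lambda value, arg: value.startswith(arg),
    "contains": lambda value, arg: arg in value,
    "ends":     lambda value, arg: value.endswith(arg),
    "regex":    lambda value, arg: re.search(arg, value) is not None,
}


def sample_sessions():
    """Return a fresh copy of the constructed sessions so rules can be re-applied."""
    return copy.deepcopy(_SAMPLE_SESSIONS)


def apply_app_rule(sessions, key, op, arg, rule_name, alert_key="alert"):
    """Simulate an app rule with 'Alert' ticked: any session in which at least
    one value of `key` satisfies `op arg` gets `rule_name` appended to `alert_key`.
    This is a model of the Log Decoder behaviour described on the page, not its code."""
    test = OPERATORS[op]
    for session in sessions:
        if any(test(v, arg) for v in session.get(key, [])):
            session.setdefault(alert_key, []).append(rule_name)
    return sessions


def report_not_tagged(sessions, key, rule_name, alert_key="alert"):
    """Simulate `select: key where alert != 'rule_name'`: return the values of
    `key` from every session that does not carry the tag. Membership in a list
    of tags is cheap, which is the point of tagging instead of a 'not begins'."""
    out = []
    for session in sessions:
        if rule_name not in session.get(alert_key, []):
            out.extend(session.get(key, []))
    return out


if __name__ == "__main__":
    tag = "Account Begins with Foo"
    tagged = apply_app_rule(sample_sessions(), "user.dst", "begins", "foo", tag)
    print("tagged sessions:", [s["id"] for s in tagged if tag in s.get("alert", [])])
    print("usernames not beginning with foo:", report_not_tagged(tagged, "user.dst", tag))
```

Session 3 does not appear in the report even though svc_backup does not begin with foo: the app rule tagged the session, and the report excludes the whole session. If a report must be per-value rather than per-session, that caveat needs to be checked against the actual data.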