Article Number
000002808
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.5.x
O/S Version: 6
Issue
When writing a query, only the following operators are available:
- =
- !=
- begins
- contains
- ends
- exists
- !exists
- length
- regex
If you want to write a query that is the negation of one of these, for example:
- not begins
- not contains
- not ends
then there is no operator available for this. Such an operator would be computationally very expensive and query performance would be very slow. There is, however, another way.
Resolution
In your report rule, use the following to display all usernames that do not begin with foo:
select: user.dst
where: alert != "Account Begins with Foo"