2016-11-02 10:38 AM
I have to migrate alerts from enVision to Security Analytics and I have doubts about it.
How can I add?
cache set: Name = user1 and Variable Associated With = username
filter set: variable = username, comparison = IN, cache value = user1
Thanks
2016-11-03 10:34 AM
If you have something like...
enVision:
username IN ('user1','user2')
Security Analytics/NetWitness (Logs):
username = 'user1','user2'
2016-11-03 10:40 AM
I have something like this:

Cache Set
Name       Associate With Variable
SourceIP   client_ip

Device Set
Device Group Name   Operator
WebServers

Event Set
Event Type/Device Type        Comparison   Value/Mask            Operator
Event Category/apachewebuds   IN           Content.Web Traffic

Filter Set
Variable    Comparison   Value / Cache Value                                        Case                      Operator
status      IN           400, 401, 402, 403, 404, 405, 500, 501, 502, 503, 504      false (for each value)    And
client_ip   NOT IN       172.18.47.254, 194.224.15.34

and I need to convert it to EPL code.
Thanks
2016-11-03 10:41 AM
Can you post a screenshot? The copy/paste of your text was malformed and hard to understand the syntax.
2016-11-03 10:44 AM
Sorry and thanks.
2016-11-03 10:50 AM
I don't see any mappings in Security Analytics for 'status' and 'client_ip' from enVision, but if you can find out which keys in Security Analytics have those values (401, 402, etc. for status and the IP addresses for client_ip), then your query will be as follows:
status = '400','401','402','403','404','405','500','501','502','503','504' && client_ip != '172.18.47.254','194.224.15.34'
Just replace 'status' and 'client_ip' in the above syntax with the actual keys from Security Analytics after you investigate further. Also note the "false" in enVision means to run the search case-insensitive but the NWDB in Security Analytics is already case agnostic so there is no flag for that in Security Analytics.
2016-11-03 10:52 AM
Note, you may also need to add in there: && event.cat = 'Content.Web Traffic' to filter further on just that data set.
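As an added example, not code from the thread or from RSA, here is a Python sketch of the translation Naushad describes, built from the filter set posted above and evaluated over a few constructed sample events. The key names status, client_ip and event.cat are the thread's placeholders, not verified Security Analytics meta keys.

```python
# Added example (not from the thread): translate the enVision filter set above
# into the NetWitness query syntax Naushad gives, then evaluate the same rule
# over constructed sample events.  'status', 'client_ip' and 'event.cat' are
# the thread's placeholder names, not verified Security Analytics meta keys.

# One clause per filter-set row: (key, comparison, values).  The per-value
# enVision "Case = false" flag is dropped: NetWitness is already case-agnostic.
RULE = [
    ("status", "IN", ["400", "401", "402", "403", "404", "405",
                      "500", "501", "502", "503", "504"]),
    ("client_ip", "NOT IN", ["172.18.47.254", "194.224.15.34"]),
    ("event.cat", "IN", ["Content.Web Traffic"]),
]
OPERATORS = {"IN": "=", "NOT IN": "!="}  # enVision comparison -> NetWitness

def to_nw_query(rule):
    """Build the query: IN -> '=', NOT IN -> '!=', rows joined by &&."""
    clauses = []
    for key, comparison, values in rule:
        quoted = ",".join(f"'{v}'" for v in values)
        clauses.append(f"{key} {OPERATORS[comparison]} {quoted}")
    return " && ".join(clauses)

def matches(rule, event):
    """True if every clause holds for one event dict (case-insensitive)."""
    for key, comparison, values in rule:
        actual = str(event.get(key, "")).lower()
        hit = actual in {v.lower() for v in values}
        if hit != (comparison == "IN"):   # IN needs a hit, NOT IN needs none
            return False
    return True

# Constructed sample events, not real log data: the first should alert, the
# second is an excluded client_ip, the third is a 200 (not in the status list).
SAMPLE_EVENTS = [
    {"status": "404", "client_ip": "10.0.0.5", "event.cat": "content.web traffic"},
    {"status": "404", "client_ip": "172.18.47.254", "event.cat": "Content.Web Traffic"},
    {"status": "200", "client_ip": "10.0.0.5", "event.cat": "Content.Web Traffic"},
]

def alerting_events(rule=RULE, events=SAMPLE_EVENTS):
    """Return the events that would fire the alert."""
    return [e for e in events if matches(rule, e)]

if __name__ == "__main__":
    print(to_nw_query(RULE))
    print(alerting_events())
```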
2016-11-03 10:55 AM
Ok, thanks for all.
Elena
2016-11-03 10:57 AM
Sorry, one more question.
I have to define SourceIP; could it be:
create variable string sourceIp;
Is that correct?
2016-11-03 11:00 AM
What do you mean you have to define the SourceIP? Where is it asking you to do that?