000026844 - How to get IPDB reports from specific device types correctly in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000026844
Applies To:
  RSA Security Analytics
  RSA Security Analytics IPDB Extractor
  RSA Security Analytics Reporting Engine
Issue: How to get IPDB reports from specific device types correctly in RSA Security Analytics.
Resolution

In the report Rule, in addition to including the List as a filter, you also need to specify the device types in the Where clause.
For example, if you are trying to obtain data from device types "aix" and "rhlinux", your List would need to have NIC:IPDB:IPDB-ES:AIX:* and NIC:IPDB:IPDB-ES:RHLINUX:* as the List Values while the Where clause would need to be "device.type='aix' OR device.type='rhlinux'".
So the Rule will look something like this:

Rule Type: IPDB
Name: AIX and RHLINUX
Select: time, device.type, device.ip, ip.src, alias.host, user.dst, fqdn
Event Source: $[/IPDBDeviceList]
Where: device.type='aix' OR device.type='rhlinux'

Here $[/IPDBDeviceList] is the List you created with the List Values NIC:IPDB:IPDB-ES:AIX:* and NIC:IPDB:IPDB-ES:RHLINUX:*. Without the Where clause, the results returned will also include data from other device types.
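As an added check (not part of this article or of RSA Security Analytics), the following Python script compares the device types named by a rule's List Values with those pinned in its Where clause and reports the mismatch this article describes. The dict layout of the rule and the function names are assumptions for this check, not a Reporting Engine export format.

```python
import re

# Constructed copy of the rule from this article; the dict layout is an
# assumption for this check, not a Reporting Engine export format.
RULE = {
    "rule_type": "IPDB",
    "name": "AIX and RHLINUX",
    "select": "time, device.type, device.ip, ip.src, alias.host, user.dst, fqdn",
    "event_source_list_values": [
        "NIC:IPDB:IPDB-ES:AIX:*",
        "NIC:IPDB:IPDB-ES:RHLINUX:*",
    ],
    "where": "device.type='aix' OR device.type='rhlinux'",
}

# List Values of the form NIC:IPDB:IPDB-ES:<TYPE>:* name one device type each.
LIST_VALUE_RE = re.compile(r"^NIC:IPDB:IPDB-ES:([^:]+):\*$")
# device.type='<type>' terms in the Where clause.
WHERE_TYPE_RE = re.compile(r"device\.type\s*=\s*'([^']+)'")


def device_types_from_list(values):
    """Device types selected by the List Values (lower-cased, as in device.type)."""
    types = set()
    for value in values:
        match = LIST_VALUE_RE.match(value.strip())
        if match:
            types.add(match.group(1).lower())
    return types


def device_types_from_where(where):
    """Device types restricted by device.type='...' terms in the Where clause."""
    return {t.lower() for t in WHERE_TYPE_RE.findall(where or "")}


def check_rule(rule):
    """Return a list of problems; an empty list means List and Where agree."""
    wanted = device_types_from_list(rule.get("event_source_list_values", []))
    pinned = device_types_from_where(rule.get("where", ""))
    problems = []
    if not pinned:
        problems.append("Where clause does not restrict device.type; "
                        "results will include other device types")
    for t in sorted(wanted - pinned):
        problems.append(f"List selects '{t}' but Where clause omits it")
    for t in sorted(pinned - wanted):
        problems.append(f"Where clause names '{t}' but no List Value covers it")
    return problems
```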

Legacy Article ID: a65448
