Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000026844 - How to get IPDB reports from specific device types correctly in RSA Security Analytics

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support on Sep 23, 2019

Version 3Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000026844
Applies To	RSA Product Set: Security Analytics RSA Product/Service Type: IPDB Extractor, Reporting Engine RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x Platform: CentOS O/S Version: EL6
Issue	How to get IPDB reports from specific device types correctly in RSA Security Analytics.
Resolution	In the report Rule, in addition to including the List as a filter, you also need to specify the device types in the Where clause. For example, if you are trying to obtain data from device types "aix" and "rhlinux", your List would need to have NIC:IPDB:IPDB-ES:AIX:* and NIC:IPDB:IPDB-ES:RHLINUX:* as the List Values while the Where clause would need to be "device.type='aix' OR device.type='rhlinux'". So the Rule will look something like: Rule Type: IPDB Name: AIX and RHLINUX Select: time, device.type, device.ip, ip.src, alias.host, user.dst, fqdn Event Source: $[/IPDBDeviceList] <== this is the List you have created with List Values of NIC:IPDB:IPDB-ES:AIX:* and NIC:IPDB:IPDB-ES:RHLINUX:* Where: device.type='aix' OR device.type='rhlinux' <== without this the results returned will include data from other device types as well.
Legacy Article ID	a65448

Attachments

Outcomes

0 Comments

Recommended Content