000026844 - How to get IPDB reports from specific device types correctly in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Sep 23, 2019.

Article Content

Article Number: 000026844
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: IPDB Extractor, Reporting Engine
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
O/S Version: EL6
Issue: How to get IPDB reports from specific device types correctly in RSA Security Analytics.
Resolution

In the report Rule, using the List as the Event Source is not enough on its own; you also need to restrict the device types in the Where clause.
For example, to obtain data only from the device types "aix" and "rhlinux", the List must contain NIC:IPDB:IPDB-ES:AIX:* and NIC:IPDB:IPDB-ES:RHLINUX:* as its List Values, and the Where clause must be "device.type='aix' OR device.type='rhlinux'".
So the Rule will look something like:

Rule Type: IPDB
Name: AIX and RHLINUX
Select: time, device.type, device.ip, ip.src, alias.host, user.dst, fqdn
Event Source: $[/IPDBDeviceList] <== this is the List you have created with List Values of NIC:IPDB:IPDB-ES:AIX:* and NIC:IPDB:IPDB-ES:RHLINUX:*
Where: device.type='aix' OR device.type='rhlinux' <== without this, the results will also include data from other device types.
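As an added example (not RSA's own code), the Python helper below builds the List Values and the Where clause for a set of device types following the pattern in the Rule above, and checks that the List and the Where clause name the same device types, since a mismatch is exactly what lets other device types leak into the report. The list name IPDBDeviceList is the one used above; applying the NIC:IPDB:IPDB-ES:<TYPE>:* pattern to device types other than aix and rhlinux is an assumption generalised from those two values.

```python
import re

# List Value pattern taken from the AIX/RHLINUX values in the article;
# its use for other device types is an assumption.
LIST_VALUE_TEMPLATE = "NIC:IPDB:IPDB-ES:{TYPE}:*"


def list_values(device_types):
    """List Values for the Reporting Engine List (upper-case, as in the article)."""
    return [LIST_VALUE_TEMPLATE.format(TYPE=t.upper()) for t in device_types]


def where_clause(device_types):
    """Where clause limiting the rule to the given device types (lower-case meta values)."""
    return " OR ".join(f"device.type='{t.lower()}'" for t in device_types)


def build_rule(name, device_types, list_name="IPDBDeviceList"):
    """Assemble the IPDB rule fields shown in the article for the given device types."""
    return {
        "Rule Type": "IPDB",
        "Name": name,
        "Select": "time, device.type, device.ip, ip.src, alias.host, user.dst, fqdn",
        "Event Source": f"$[/{list_name}]",
        "Where": where_clause(device_types),
        "List Values": list_values(device_types),
    }


def rule_mismatch(rule):
    """Return the device types present in the List but missing from the Where
    clause, or vice versa. An empty set means the two filters agree; anything
    else means the report will either miss a device type or include extra ones."""
    from_list = {v.split(":")[3].lower() for v in rule["List Values"]}
    from_where = set(re.findall(r"device\.type='([^']+)'", rule["Where"]))
    return from_list ^ from_where


if __name__ == "__main__":
    rule = build_rule("AIX and RHLINUX", ["aix", "rhlinux"])
    for field, value in rule.items():
        print(f"{field}: {value}")
    print("Mismatch:", rule_mismatch(rule) or "none")
```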

Legacy Article ID: a65448
