Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000031569 - How to use the "not begins" operator in an RSA Security Analytics Reporting Engine query

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000031569
Applies To	RSA Product Set: Security Analytics RSA Product/Service Type: SA Security Analytics Server RSA Version/Condition: 10.5.x O/S Version: 6
Issue	When writing a query only the following operators are available = != begins contains ends exists !exists length regex If you want to do a query that is a negative of one of these, for example not begins not contains not ends Then there is no operator available for this. The reason for this is that such an operator would be very computationally expensive and performance would be very slow. There is however another way.
Tasks	To solve this issue create an app rule that will tag the meta that you are interested, For example, suppose you wanted to find all destination usernames that did not begin with foo. You can create an app rule on your logdecoder as follows SA GUI -> Services -> Log Decoder ->Config App Rules Tab Create an App Rule with Rule Name "Account Begins with Foo" Condition is user.dst begins foo Sessions Options - Tick Alert and Alert on metakey "Alert" Apply the App Rule Any usernames that begin with foo will now have the Meta "Account Begins with Foo" in the Alert metakey
Resolution	In your report, use the following in your rule to display all usernames that do not begin with foo. select: user.dst where alert != '"Account Begins with Foo"

Attachments

Outcomes

0 Comments

Recommended Content