000031569 - How to use the "not begins" operator in an RSA Security Analytics Reporting Engine query

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000031569
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.5.x
O/S Version: 6
IssueWhen writing a query only the following operators are available
  • =
  • !=
  • begins
  • contains
  • ends
  • exists
  • !exists
  • length
  • regex
If you want to do a query that is a negative of one of these, for example 
  • not begins
  • not contains
  • not ends
Then there is no operator available for this. The reason for this is that such an operator would be very computationally expensive and performance would be very slow. There is however another way.
TasksTo solve this issue create an app rule that will tag the meta that you are interested,
For example, suppose you wanted to find all destination usernames that did not begin with foo.
You can create an app rule on your logdecoder as follows
  1. SA GUI -> Services -> Log Decoder ->Config
  2. App Rules Tab
  3. Create an App Rule with Rule Name "Account Begins with Foo"
  4. Condition is user.dst begins foo
  5. Sessions Options - Tick Alert and Alert on metakey "Alert"
  6. Apply the App Rule
Any usernames that begin with foo will now have the Meta "Account Begins with Foo" in the Alert metakey

ResolutionIn your report, use the following in your rule to display all usernames that do not begin with foo.
select: user.dst
where alert != '"Account Begins with Foo"