000017874 - 'Invalid query. Please verify' error in RSA Security Analytics investigations when using 'begins' or 'ends' for IP addresses

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000017874
Applies To: RSA Security Analytics
Issue: "Invalid query. Please verify" error in RSA Security Analytics investigations when using "begins" or "ends" for IP addresses.
When using the "begins" or "ends" clause in the Investigation UI to filter by IP address (e.g. Source IP Address), you get the following error: Invalid query. Please verify.
Cause: This error in an RSA Security Analytics investigation occurs because the "begins" and "ends" clauses are meant for text values. IP addresses are stored as IPv4/IPv6 value types, so these clauses do not apply to them.
Resolution

The solution is to use the "=" clause with a CIDR notation. For example, to filter by source IP addresses that begin with "10.10", the entry below would be used.

Source IP address "=" 10.10.0.0/16

This matches the first two octets, i.e. 10.10.
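
An added example, not part of the original RSA article: a small Python helper that turns a whole-octet "begins with" prefix into the CIDR value to use with "=", and compares a text prefix match with the numeric CIDR match on constructed addresses. The function names and sample addresses are assumptions made for illustration.

```python
import ipaddress


def octet_prefix_to_cidr(prefix: str) -> str:
    """Turn a whole-octet IPv4 prefix such as "10.10" into CIDR notation."""
    octets = prefix.strip().rstrip(".").split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"expected 1 to 4 octets, got {prefix!r}")
    for octet in octets:
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError(f"invalid octet {octet!r} in {prefix!r}")
    # Pad the missing octets with zeros; each given octet fixes 8 prefix bits.
    padded = [str(int(o)) for o in octets] + ["0"] * (4 - len(octets))
    network = ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")
    return str(network)


def in_cidr(address: str, cidr: str) -> bool:
    """Numeric membership test, the way an IP-typed value is compared."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr)


def compare(prefix: str, addresses: list) -> list:
    """Return (address, text_prefix_match, cidr_match) for each address."""
    cidr = octet_prefix_to_cidr(prefix)
    return [(a, a.startswith(prefix), in_cidr(a, cidr)) for a in addresses]


# Constructed sample source addresses (not taken from any real capture).
SAMPLE_IPS = [
    "10.10.0.1",
    "10.10.255.254",
    "10.100.3.4",   # text "begins 10.10" would hit this; 10.10.0.0/16 does not
    "10.1.10.10",
    "110.10.5.5",
]

if __name__ == "__main__":
    print("value to use with '=':", octet_prefix_to_cidr("10.10"))
    for addr, text_hit, cidr_hit in compare("10.10", SAMPLE_IPS):
        print(f"{addr:15} text-prefix={text_hit!s:5} cidr={cidr_hit}")
```

The helper only covers whole-octet "begins" prefixes; a prefix that should stop partway through an octet needs a different mask length.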

Legacy Article ID: a66433
