I want to create a chart in which I can show the total number of devices integrated with the SIEM with respect to device type. I tried to use the sum_count() parameter in a rule, but I am not able to fetch this rule in a chart. Is there any other way to do so?
Can I use Lists to achieve this goal?
You could do something like the following.
Select line -- device.type, count(device.type)
Where - medium ="32"
That will show you all the different log types that you have in the system over the given time period.
You could possibly, in a tabular report, add in:
then line -- Lookup_and_add('device.ip','device.type')
You are correct in your observation that the "Then" is not an item you can select in the chart.
Here is something else you can try. This will count the number of devices for each device type.
Alias: Device Type, Device Count
This will show a list of device types with a count of device IPs like below. You should be able to chart these just fine.
Device Type Device Count
You could also try the following:
Alias: Device Type, Device Count
Unfortunately it is not as pretty, but it will display something like the following:
Total countdistinct(device.ip) of device.type 28 <-- This should be your device count
Total countdistinct(device.ip) of device.type 2 <-- This should be your device type count
I just did some general testing using the "Then: sum_count(countdistinct(device.ip))", to see if it would work at all. This will not be available to select in a chart, at least that is what I found in my testing on 10.6.2. Hopefully this information will help with what you are trying to achieve.
Unfortunately we are using version 10.2. I don't think this version supports count/countdistinct etc. values. I have received the error:
Select clause ' device.type, countdistinct(device.ip) ' in the NextGen query can not have multiple columns when Group by is used.
Also, we can use these rules for reporting purposes only, right? We can't use them in the Chart section?
You are correct, countdistinct is only available in 10.5 and up. Report rules can be used for charts, although you need to adhere to the following for chart rules.
You must select a rule that has a unique where clause and is summarized by session count or session size.
Only Netwitness (NWDB) rules are supported with Security Analytics 10.2
Report engine documentation link, in case you don't have it. Starting at page 227 addresses charts.
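Added example, not part of the thread or the product: when countdistinct() is unavailable (as on 10.2), the per-type device count can be computed outside the Report Engine from a tabular rule that selects device.type, device.ip and medium, exported as CSV. The column names and the sample export below are assumptions constructed for this example.

```python
# Added example (not from the thread): "device count per device type" from a
# tabular report export when countdistinct() is unavailable (SA 10.2).
# Assumes a CSV export with columns device.type, device.ip, medium.
import csv
import io
from collections import defaultdict

LOGS_MEDIUM = "32"  # medium = 32 selects log sessions, as used in the thread

# Constructed sample export; repeated rows mimic one row per session.
SAMPLE_CSV = """device.type,device.ip,medium
ciscoasa,10.0.0.1,32
ciscoasa,10.0.0.1,32
ciscoasa,10.0.0.2,32
winevent_nic,10.0.1.5,32
winevent_nic,10.0.1.6,32
winevent_nic,10.0.1.6,32
,10.0.9.9,32
paloalto,10.0.2.1,1
"""

def distinct_devices_by_type(csv_text, medium=LOGS_MEDIUM):
    """Return {device.type: set(device.ip)} for rows whose medium matches
    (medium=None keeps every row). Rows missing device.type or device.ip
    are skipped, since they do not identify an integrated device."""
    by_type = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if medium is not None and row.get("medium") != medium:
            continue
        dev_type = (row.get("device.type") or "").strip()
        dev_ip = (row.get("device.ip") or "").strip()
        if not dev_type or not dev_ip:
            continue
        by_type[dev_type].add(dev_ip)
    return by_type

def device_count_report(csv_text, medium=LOGS_MEDIUM):
    """Rows of (Device Type, Device Count), largest count first, plus the
    two totals the thread's output shows: distinct devices across all
    types (an IP seen under two types counts once) and number of types."""
    by_type = distinct_devices_by_type(csv_text, medium)
    rows = sorted(((t, len(ips)) for t, ips in by_type.items()),
                  key=lambda r: (-r[1], r[0]))
    total_devices = len(set().union(*by_type.values())) if by_type else 0
    return rows, total_devices, len(by_type)

if __name__ == "__main__":
    rows, total, types = device_count_report(SAMPLE_CSV)
    print("Device Type\tDevice Count")
    for dev_type, count in rows:
        print(f"{dev_type}\t{count}")
    print(f"Total devices: {total}, device types: {types}")
```

The resulting rows are the "Device Type, Device Count" table the earlier reply describes, ready to chart in any external tool.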
I'm not sure if you are aware of this, but RSA Security Analytics version 10.2 reached its End of Primary Support (EOPS) back in June of 2016. You can view the EOPS dates for our versions here: Product Version Life Cycle for RSA NetWitness Logs and Packets.
I would strongly recommend upgrading your RSA NetWitness deployment to the latest version of 10.6. If you're interested, our team can have a conversation with you to discuss the benefits of upgrading - there are honestly far too many to list here. I am confident that you would find value in upgrading.
There are several options available to you if you are not interested in upgrading the environment on your own using RSA's documentation. Our Global Services team performs major upgrades on a regular basis so if we can be of any assistance to you please don't hesitate to let me know. I'd be more than happy to connect with you to discuss.
Have a great weekend.
Jake Dorval | Global Services Product Lead (SPL) – RSA NetWitness® Suite | Global Services| Reston, VA
Mobile: +1 410-960-6988 | firstname.lastname@example.org | GMT (-4) Time Zone
RSA® NetWitness® Suite Community: https://community.rsa.com/community/products/netwitness
Medium is what is used to define whether you are looking at packets or logs. So if you have both packet decoders AND log decoders in your architecture AND your broker is consuming from both packet/log concentrators, you will want to define whether your query is a logs based query, packets based query, or both. Medium is the metakey that lets you do that. The examples below show how to use medium.
For LOGS ONLY start your query with:
For PACKETS ONLY start your query with:
For LOGS AND PACKETS no "medium =" is needed to prefix the query.
For architectures that only have log collection or packet collection, no "medium=" is necessary, as it is a singular type of data (logs only or packets only).