RSA enVision^® Discussions

RSAAdmin · ‎2011-04-18

Dear Guys,

1- the new tables after content 2 are not suffcient and are missing important fields

web accounting table vs web table (the coloum of URL is not parsed or shown if you run a query ) and if i would like to create an alert (for post HTTP method with executable content ) how Can i do This

in old web accounting table it was possible but now ????

2-i would like to know if it is possible to use mulitple tables in one report instead of one table

why i think of this

because imagine that you have an asset (web server ) and you collect IIS logs from it

now it will be much better if you can run a single report that will outline attacks generated against this website from (firewall perspective , IPS perspective , IIS perspective) instead of choosing one table at time

it would be great if there is shared variables between different tables.

and it can be very helpful for creating a consistent correaltion rule

With Warm Regards

RSAAdmin · ‎2011-04-20

Hello Mohamed,

1 - I don't understand the problem you are describing. There is definitely a URL field in the Web table in Content 2.0. If you are saying that your logs are is no longer parsing to that field, you can try posting your xml and a .unx sample here and someone from the community can take a look.

2 - No, there is no concept of a table join in the enVision reporting engine. What you can do is set your report to run against the Global table. That one is designed to pull data from a multitude of other tables so you can get the kind of cross-device correlation you are looking for in a report.

RSAAdmin · ‎2011-04-27

Dear Matt,

Thanks a lot for your reply

yes i mean that URL Coloum field is empty

i attached to you microsoftiis.xml file from the following path

e:/nic/4000/hostname/etc/devices

RSA enVision® Discussions

Multi table report and content 2

RSA enVision^® Discussions