Hello everybody,
I hope you can help me out.
I have created a rule in EPL that should trigger whenever the corresponding event occurs in one of the metafields. I would also like to receive an alarm if a certain IP range occurs. In order not to list the entire IP range, I would like to use RegExp here. Can either of you tell me how to integrate RegExp into my rule?
My code looks like this, but unfortunately I get a syntax error:
SELECT * FROM
Event(
medium = 32 AND
ec_activity = 'Logon' AND
ec_theme = 'Authentication' AND
ec_outcome = 'Failure' AND
result = 'failed publickey' AND
// Esper EPL has no matchRegex() function; use the regexp operator, which matches the whole string against a Java regular expression
(device_ip regexp "(10\.169\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))") AND
user_dst IS NOT NULL AND
host_src IS NULL
).std:groupwin(user_dst_hash , device_ip , device_host).win:time_length_batch(120 seconds, 3) GROUP BY user_dst_hash , device_ip , device_host HAVING COUNT(*) = 3;
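As an added check that is not part of the original post, the following Python reproduces the poster's octet pattern for 10.169.0.0/16 and compares whole-string matching (the semantics Esper's regexp operator applies) with plain substring search, alongside an equivalent CIDR test. The function and constant names are my own.

```python
import re
import ipaddress

# Octet sub-pattern (0-255) taken from the poster's rule, with non-capturing groups.
OCTET = r"(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2(?:[0-4][0-9]|5[0-5]))"
# Full pattern for 10.169.x.y exactly as in the rule: note it carries no ^ or $ anchors.
RANGE_10_169 = re.compile(rf"10\.169\.{OCTET}\.{OCTET}")


def in_range_fullmatch(ip: str) -> bool:
    """Whole-string match: what an EPL 'regexp' comparison does, so anchors are not needed."""
    return RANGE_10_169.fullmatch(ip) is not None


def in_range_search(ip: str) -> bool:
    """Substring match: what the same unanchored pattern means under a search-style engine."""
    return RANGE_10_169.search(ip) is not None


def in_range_cidr(ip: str) -> bool:
    """Same membership test expressed as a CIDR check; malformed input is simply 'not in range'."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network("10.169.0.0/16")
    except ValueError:
        return False


# Constructed sample values: two inside the range, an invalid octet, a prefix collision, a near miss.
SAMPLES = ["10.169.0.1", "10.169.255.254", "10.169.256.1", "110.169.1.1", "10.16.9.1"]

if __name__ == "__main__":
    for ip in SAMPLES:
        print(f"{ip:16} fullmatch={in_range_fullmatch(ip)!s:5} "
              f"search={in_range_search(ip)!s:5} cidr={in_range_cidr(ip)}")
```

The "110.169.1.1" sample shows why the match mode matters: a substring search accepts it while the whole-string and CIDR checks reject it.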
Hi Hidayat,
I have moved this thread to the RSA NetWitness Platform so that you can get an answer to your question.
You can post future questions and discussions directly to that community by clicking on the Ask a Question or Start a Discussion button on the RSA NetWitness Platform page.
Thanks,
Jeff