
EPL Syntax Help for Arrays

Question asked by Ryan Garrett on Aug 1, 2018
Latest reply on Aug 3, 2018 by Ryan Garrett

Hello,

First, I'm very new to EPL and fairly new to NetWitness, so sorry for the basic question. I'm trying to modify the OOB "Malware Dropper" rule to not include events with certain alias_host fields.

I created a variable like so:

create variable string[] Dropper_Whitelist = {
'acroipm1.adobe.com',
'acroipm2.adobe.com',
'ardownload.adobe.com',
'support.content.office.mirosoft.com'
};

and am later doing:

...

AND
alias_host != any(Dropper_Whitelist)

...

But the rule won't deploy, even though the syntax checks out.

I believe the problem is that I need to iterate over alias_host since it is an array and check each one individually against Dropper_Whitelist.

Can anyone provide some guidance?

Thanks.
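The following is an added example, not part of the question above or of the OOB "Malware Dropper" rule, showing one way to express the whitelist exclusion when alias_host is an array-valued field. It assumes Esper EPL enumeration methods (intersect, anyOf, countOf) are available in the ESA version in use, that the event stream is named Event, and that alias_host is a string[] meta field; the rule name, the @Name annotation value and the leading "other conditions" placeholder are assumptions. Two points from the question are worth separating: first, `x != any(list)` is true whenever x differs from at least one list entry, so on a scalar field the intended exclusion is `x != all(list)` or `x not in (...)`; second, when the field itself is an array, comparing it with != or not in does not compare its elements, so the check has to be written over the elements.

```epl
// Added example (not the original post's or RSA's own rule). Assumptions:
// - Event is the ESA stream and alias_host is a string[] field on it
// - the Esper enumeration methods intersect/anyOf/countOf are available
// - 'placeholder_condition' stands for the rule's existing conditions

// Whitelist variable, declared before the rule that references it.
create variable string[] Dropper_Whitelist = {
  'acroipm1.adobe.com',
  'acroipm2.adobe.com',
  'ardownload.adobe.com'
};

// Option A: keep the event only when no element of alias_host is in the
// whitelist (array-vs-array check via intersect, then count the overlap).
@Name('Malware_Dropper_Whitelisted_Hosts_Excluded')
select *
from Event
where placeholder_condition
  and alias_host.intersect(Dropper_Whitelist).countOf() = 0;

// Option B: the same exclusion written with a lambda over the field's
// elements, for readers who prefer the explicit per-element comparison.
// (Use one option, not both; shown here only for comparison.)
// @Name('Malware_Dropper_Whitelisted_Hosts_Excluded_B')
// select *
// from Event
// where placeholder_condition
//   and not alias_host.anyOf(h => h = any(Dropper_Whitelist));
```

Both forms treat an event as excluded if any one of its alias_host values is whitelisted, which matches the "check each one individually" intent in the question; if the desired behaviour is instead to exclude only when every value is whitelisted, replace the `countOf() = 0` test with `alias_host.allOf(h => h = any(Dropper_Whitelist))` negated. Since a whitelist that short-circuits a malware-dropper alert weakens detection, keep the list to exact hostnames rather than wildcards and review it when the rule is tuned.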
