Renato Goncalves

RSA Log Decoder rule error

Discussion created by Renato Goncalves on Sep 20, 2018
Latest reply on Sep 27, 2018 by Renato Goncalves

Hello everyone,

I recently noted that we are obtaining an error in the log decoder configurations.

Two of the rules that are configured are highlighted. The rules are nw30060 and account:logon-success-direct-access.

They have the following syntax:

nw30060: reference.id='528','540','4624' && logon.type='3' && process='NtLmSsp' && user.dst!='ANONYMOUS LOGON' && NOT(user.dst ends '$')

account:logon-success-direct-access ((ec.activity='Logon' && ec.outcome='Success') || (event.cat.name='User.Activity.Successful Logins')) && logon.type='2','10'

I tried to test them in the reports view, but I also noticed that the meta have disappeared and it is now retrieving the following information:

Schema fetched from data source is null for data source xxxxx. I tried to use all the data sources that we have and it stays the same.

Regards 
