
How to Count Grouped Tags?

Question asked by Casey Vockrodt on Jul 31, 2019

In creating rules for NetWitness, I'm attempting to create a count rule (read: custom) that counts grouped meta tags. For example, consider the following data:

 

| group.id | username | client |
|----------|----------|--------|
| 100      | bob      | audit  |
| 200      | adam     | sudo   |
| 100      | adam     | su     |
| 200      | adam     | sudo   |
| 100      | bob      | audit  |

 

With a rule definition of:

 

Summarize: Custom

Select: group.id, username, client, count(username)

Where:

Group By group.id, username, client

Then:

Order By:

Session Threshold: 0

Limit:

 

I expect output data like the following:

 

| group.id | username | client | count |
|----------|----------|--------|-------|
| 100      | bob      | audit  | 2     |
| 200      | adam     | sudo   | 2     |
| 100      | adam     | su     | 1     |

 

However, when I run this rule, I get (understandably) data like the following:

 

| group.id | username | client | count |
|----------|----------|--------|-------|
| 100      | bob      | audit  | 2     |
| 200      | adam     | sudo   | 3     |
| 100      | adam     | su     | 3     |

 

While I understand why my rule definition yielded the data it did, I'm at a loss to figure out how to get the data I want. How do I get the count for aggregated/grouped columns?
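As an added illustration (not part of the original post and not NetWitness code), the following Python reproduces both result tables from the rows in the question: the per-group row count the poster expects, and a count in which each group's number is that username's total across all rows, which is the reading the observed output is consistent with. The rows are constructed from the question's sample data; how NetWitness actually evaluates count() is an assumption here, not confirmed by the post.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed rows mirroring the sample data in the question:
# (group.id, username, client)
Row = Tuple[str, str, str]
ROWS: List[Row] = [
    ("100", "bob", "audit"),
    ("200", "adam", "sudo"),
    ("100", "adam", "su"),
    ("200", "adam", "sudo"),
    ("100", "bob", "audit"),
]


def count_per_group(rows: List[Row]) -> Dict[Row, int]:
    """Expected result: number of rows inside each
    (group.id, username, client) group."""
    return dict(Counter(rows))


def count_username_overall(rows: List[Row]) -> Dict[Row, int]:
    """Observed result (assumed reading): for each group, the number of
    rows in the WHOLE data set whose username equals the group's username.
    This yields adam -> 3 and bob -> 2, matching the question's output."""
    by_user = Counter(user for _, user, _ in rows)
    return {key: by_user[key[1]] for key in dict.fromkeys(rows)}


def render(table: Dict[Row, int]) -> str:
    """Print a result table in the same layout as the question."""
    lines = ["group.id | username | client | count"]
    for (gid, user, client), n in table.items():
        lines.append(f"{gid} | {user} | {client} | {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Expected (rows counted within each group):")
    print(render(count_per_group(ROWS)))
    print("\nObserved (username counted across all rows):")
    print(render(count_username_overall(ROWS)))
```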
