Using Context Hub Lists for whitelisting in ESA rules

Question asked by Craig Cameron-Weir on Sep 4, 2019
Latest reply on Sep 4, 2019 by Josh Randall

Just looking for a quick answer on the correct syntax for this.

I currently have a rule deployed that will alert only when a specific meta key is found in a CH list that's used as an enrichment in the rule. Syntax looks like this:

SELECT * FROM Event(
    medium = 32
    AND event_cat_name = 'User.Management.Groups.Modifications.User Added'
    // fire only when the group meta matches an entry in the Critical_Groups Context Hub list
    AND EXISTS (SELECT * FROM Critical_Groups WHERE (LIST = Event.`group`))
)

What I'd like to do with a different use case is to alert when the meta key does NOT have a value from a list. Assuming I wanted to modify the above rule in this way (i.e. to trigger only when 'group' does not equal any value in the Critical_Groups enrichment), what's the right way to do it? Adding NOT in front of EXISTS didn't seem to do the trick, but I can't say for sure there's not some other issue with how I've set my test case up.
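As an added illustration (not part of the original question or any reply, and not NetWitness or Esper code), the following Python models the two rule shapes the question contrasts: alert when the group meta IS in the Critical_Groups list, and alert when it is NOT. The list, the events and the field names are constructed sample data. It assumes the list comparison behaves like SQL three-valued logic, where a missing field equals nothing, so an EXISTS-style subquery is empty for it; that assumption is why a plain "not in list" rule also fires on events that carry no group meta at all, which is one way a test case can look broken when the negation itself is fine. The guarded variant shows the check a practitioner would add to avoid those false positives.

```python
"""Model of an allow-list / deny-list membership check over event meta.

Added example, not the original post's EPL. Assumes SQL-style null semantics:
a missing value compares equal to nothing, so the subquery returns no rows.
"""

from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample list standing in for the Critical_Groups Context Hub list.
CRITICAL_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

TARGET_CAT = "User.Management.Groups.Modifications.User Added"

# Constructed sample events; the third one has no group meta at all.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"medium": 32, "event_cat_name": TARGET_CAT, "group": "Domain Admins"},
    {"medium": 32, "event_cat_name": TARGET_CAT, "group": "Help Desk"},
    {"medium": 32, "event_cat_name": TARGET_CAT},
    {"medium": 1, "event_cat_name": TARGET_CAT, "group": "Help Desk"},
]


def base_filter(ev: Dict[str, object]) -> bool:
    """The medium / event_cat_name part of the rule, common to both variants."""
    return ev.get("medium") == 32 and ev.get("event_cat_name") == TARGET_CAT


def exists_in_list(value: Optional[object], lst: Iterable[object]) -> bool:
    """EXISTS (SELECT * FROM lst WHERE LIST = value) under SQL-style nulls:
    a None value never equals a list entry, so the subquery is empty."""
    if value is None:
        return False
    return any(entry == value for entry in lst)


def rule_in_list(ev: Dict[str, object], lst: Iterable[object]) -> bool:
    """Original shape: alert when the group meta is in the critical list."""
    return base_filter(ev) and exists_in_list(ev.get("group"), lst)


def rule_not_in_list(ev: Dict[str, object], lst: Iterable[object]) -> bool:
    """Negated shape: alert when the group meta is NOT in the list.
    Note that an event with no group meta also satisfies this."""
    return base_filter(ev) and not exists_in_list(ev.get("group"), lst)


def rule_not_in_list_guarded(ev: Dict[str, object], lst: Iterable[object]) -> bool:
    """Negated shape plus a presence check, so events lacking the group meta
    do not fire the whitelist rule as false positives."""
    group = ev.get("group")
    return base_filter(ev) and group is not None and not exists_in_list(group, lst)


def fired(rule: Callable[[Dict[str, object], Iterable[object]], bool],
          events: List[Dict[str, object]], lst: Iterable[object]) -> List[int]:
    """Indexes of the events for which the rule would raise an alert."""
    return [i for i, ev in enumerate(events) if rule(ev, lst)]


if __name__ == "__main__":
    for name, rule in (("in list", rule_in_list),
                       ("not in list", rule_not_in_list),
                       ("not in list, guarded", rule_not_in_list_guarded)):
        print(f"{name}: fires on events {fired(rule, SAMPLE_EVENTS, CRITICAL_GROUPS)}")
```

When checking a negated list rule, run it against at least one event that lacks the meta key entirely; if that event fires, the negation is working and the extra hits come from the null case, not from the NOT.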