
Check Event with Active List
If I have this Active List, and set condition NOTInActiveList
| Customer Name | Destination User Name | Source Address |
|---|---|---|
| TEST | ADMIN | |
| TEST | | 1.1.1.1 |
I want to NOT the event by checking the AL, and when some field has a null value I want to assume it matches anything, like a wildcard.
In detail:
Event Log A: CEF:0|Microsoft|Microsoft|1.0|traffic|monitor|Unknown| duser=ADMIN
Event Log B: CEF:0|Microsoft|Microsoft|1.0|traffic|monitor|Unknown| src=1.1.1.1
A is missing the src field and B is missing the duser field, but I want to NOT these two events because the fields that exist match the AL (do not check null fields).
If somebody has a solution, please describe it to me. Thanks in advance.

Hi @Pornsit ,
If I understand correctly, you want a condition in a rule that looks up the active list value where the following conditions occur?
```
NOT (
    OR (
        AND (
            activelistlookup.sourceUserName = admin and activelistlookup.sourceAddress is NULL
        )
        AND (
            activelistlookup.sourceAddress = 1.1.1.1 and activelistlookup.sourceUserName is NULL
        )
    )
)
```
You should be able to do this by first creating a Local Variable in the rule for an ActiveList.
Call this variable (for example) "activelistlookup". Then in the conditions tab, you should be able to right click, go down to variables and see the activelistlookup.XXXXXX field names for the fields in your activelist.
You may have to play around with key fields etc. to get it working correctly, but this is a potential method for checking individual fields within an active list.
Let me know if this isn't super clear.
Thanks
Lewis

We have used this function before, and we thought: if the null values in the active list can be in over 20-30 fields such as src, dst, shost, dhost, dvchost, how can I check?

The AL has the following:
Customer Name: test
Destination User Name: admin
Source Address: (empty)
Event Log A: CEF:0|Microsoft|Microsoft|1.0|traffic|monitor|Unknown| duser=admin src=7.7.7.7
You will see that 7.7.7.7 in the log does not match the active list because the active list has a null src.
When you use a key field for getActiveListValue, it requires the key field.
By concept, this event must not be in the rule because duser matches the active list; src in the active list is null, so it must be a wildcard, meaning it must match anything.
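As an added illustration of the matching semantics discussed in this thread (not code from the thread, from ArcSight, or from any of the posters), the following Python models an active list in which an empty cell is a wildcard, parses the thread's CEF lines, and contrasts that with a strict keyed lookup where a null cell only matches a missing event field. The active-list rows, the sample events C and D, and the `CEF_TO_COLUMN` mapping are constructed assumptions; `customerName` is kept in the rows but not compared, because no event field in the thread carries it.

```python
"""Added example, not ArcSight code: null cells in an active list as wildcards."""

from typing import Dict, List, Optional

# Constructed active list rows mirroring the thread's example. A None cell
# stands for an empty (null) value in the list.
ACTIVE_LIST: List[Dict[str, Optional[str]]] = [
    {"customerName": "TEST", "destinationUserName": "ADMIN", "sourceAddress": None},
    {"customerName": "TEST", "destinationUserName": None, "sourceAddress": "1.1.1.1"},
]

# Assumed mapping from CEF extension keys to the active-list columns they feed.
CEF_TO_COLUMN = {"duser": "destinationUserName", "src": "sourceAddress"}

# Constructed sample events: A and B are the thread's lines, C and D are added.
EVENT_A = "CEF:0|Microsoft|Microsoft|1.0|traffic|monitor|Unknown| duser=ADMIN"
EVENT_B = "CEF:0|Microsoft|Microsoft|1.0|traffic|monitor|Unknown| src=1.1.1.1"
EVENT_C = "CEF:0|Microsoft|Microsoft|1.0|traffic|monitor|Unknown| duser=ADMIN src=7.7.7.7"
EVENT_D = "CEF:0|Microsoft|Microsoft|1.0|traffic|monitor|Unknown| duser=BOB src=9.9.9.9"

CEF_HEADER = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
              "signatureId", "name", "severity")


def parse_cef(line: str) -> Dict[str, Dict[str, str]]:
    """Split a CEF line into its seven header fields and its key=value extension.

    The extension is tokenised on whitespace, which is enough for the thread's
    lines; values containing escaped spaces would need a full CEF parser.
    """
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    header = dict(zip(CEF_HEADER, parts[:7]))
    extension: Dict[str, str] = {}
    for token in parts[7].split():
        key, sep, value = token.partition("=")
        if sep:
            extension[key] = value
    return {"header": header, "extension": extension}


def event_fields(line: str) -> Dict[str, Optional[str]]:
    """Project the CEF extension onto the active-list columns; missing -> None."""
    ext = parse_cef(line)["extension"]
    return {column: ext.get(key) for key, column in CEF_TO_COLUMN.items()}


def row_matches(row: Dict[str, Optional[str]], fields: Dict[str, Optional[str]],
                strict: bool = False) -> bool:
    """True when every compared cell of the row agrees with the event.

    strict=False: a null cell matches anything (the semantics the question asks for).
    strict=True:  a null cell only matches a missing event field, which mimics an
                  exact keyed lookup and is why src=7.7.7.7 does not match a row
                  whose Source Address is empty.
    """
    for column in CEF_TO_COLUMN.values():
        cell = row.get(column)
        value = fields.get(column)
        if cell is None:
            if strict and value is not None:
                return False
            continue  # wildcard cell
        if value != cell:
            return False
    return True


def in_active_list(line: str, active_list=ACTIVE_LIST, strict: bool = False) -> bool:
    """True if any active-list row matches the event under the chosen semantics."""
    fields = event_fields(line)
    return any(row_matches(row, fields, strict) for row in active_list)


def should_alert(line: str, active_list=ACTIVE_LIST, strict: bool = False) -> bool:
    """A NOT InActiveList condition fires only when no row matches the event."""
    return not in_active_list(line, active_list, strict)


if __name__ == "__main__":
    for name, line in (("A", EVENT_A), ("B", EVENT_B), ("C", EVENT_C), ("D", EVENT_D)):
        print(name, "wildcard alert:", should_alert(line),
              "strict alert:", should_alert(line, strict=True))
```

Running the block shows the difference the last post describes: with wildcard semantics event C (duser=ADMIN, src=7.7.7.7) is suppressed because the row's empty Source Address matches anything, while the strict keyed lookup treats the empty cell as a required null and lets the event through.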