
Extract certain data from an Active List

Hi,

I have a question about the use of Active List.

So, for example, I have an Active List with 3 fields:

Source Address, Destination Address, Action

...

...

192.168.0.100 10.1.34.12    FTP Transfer

172.16.4.7    10.23.12.17   Virus Found

192.168.0.100 10.27.35.234  Server Rebooted

...

...

In the active list there can be more data with the same Source Address and different values of Destination Address and Action.

Now, I would like to create a rule that, every time it fires, extracts all the rows from the Active List with the same Source Address that fired the rule and sends them by e-mail:

192.168.0.100 10.1.34.12    FTP Transfer

192.168.0.100 10.27.35.234  Server Rebooted

Is it possible to do that?

Any suggestions are welcome.

Regards,

Luca Gabrielli

2 Replies
Ensign

Use Local Variable

GetActiveListValue

And add all the local variable fields in the aggregation, in the identical section.

snapshot.PNG

Vice Admiral

Hi, thanks for your answer.

I would like to ask you how to use the variable in the rule.

rule.png

I have created a local variable "cattivo" associated with the attacker address.

create variable.png

In the aggregation (identical section), I have added only the local variable "cattivo".

aggregation.png

In the action tab, no actions are enabled.

Now, what I don't understand is where the information (all rows) from the Active List with the same Attacker Address that fired the rule is located.

Watching the correlator, I can't see any events about it.

Can you help me?

Thanks in advance.

Luca Gabrielli
