Match event to two Active List columns
I wanted to know if anyone has ever been successful matching two active list fields (one key and one non-key) to one event field for a report. In a nutshell, if I have an active list showing domain location and domain name (mapping to attacker or target host name with a variable)... am I able to query on both and match them to an event? When I only query on the domain name key field, the report seems to take forever to run and never finishes. I am using "get list" and "custom condition variables" and a fields-based list with one key field. How can I use the non-key field to help narrow down the list searching if that field is not an ArcSight field? I want the report to show me all active list and base event values when that domain name showed in an event. But if I add a variable using the domain location field, I get SQL join errors when testing in a query viewer.
Re: Match event to two Active List columns
Could you post the 2 ALs you've mentioned in this post so that I have a better idea? If you can post the arb package, that would be even better, so that I have a better understanding of your content.