kluv

Complex Join Condition

I would like to track sessions both active and historical for a specific device feed when a user makes a connection.

The start of a session relies on 4 events from the same product triggering.

There are 2 fields in the 4 events that are identical, and I would like to write the data from 5 event fields into the Active and Session lists.

My "Session Start" rule is as follows:

[Conditions]
     Event conditions
          Matching Event
               & AND
                    event1.Device Custom String6 = event2.Device Custom String6
                    event1.Device Custom String6 = event3.Device Custom String6
                    event1.Device Custom String6 = event4.Device Custom String6
     {} event1
          & AND
               Device Product = "X"
               Name = Y
               Device Custom String2 = some # as a string
               Type != Correlation
     {} event2
          & AND
               Device Product = "X"
               Name = Y
               Device Custom String2 = some # as a string
               Type != Correlation
     {} event3
          & AND
               Device Product = "X"
               Name = Y
               Device Custom String2 = some # as a string
               Type != Correlation
     {} event4
          & AND
               Device Product = "X"
               Name = Y
               Device Custom String2 = some # as a string
               Type != Correlation

[Aggregation] (Matches = 1 and Time Frame = 1 minute)
     event1.Device Custom String6
     event1.Device Host Name
     event3.Attacker User Name
     event1.Device Custom String4

[Actions]
     On First Event
          Set Event Field Actions
               Priority = 2
          Add To Active List
               Field: Attacker User Name
               Field: Device Custom String4
               Field: Device Host Name
               Field: Device Custom String6
               Resource: Path to Active List
          Add To Session List
               Field: End Time
               Field: Attacker User Name
               Field: Device Custom String4
               Field: Device Host Name
               Field: Device Custom String6
               Resource: Path to Session List

This rule is enabled under Real-Time Rules. The device product in question is active and reports the event types specified in this rule within the aggregation time frame. I confirmed there are no typos.

My question becomes: are there any constraints on join conditions? Can you perform a join condition as shown above?

I was thinking of making three rules instead, but I feel the above method must be possible, as I see no documentation that states otherwise.

Accepted Solutions

jgervais

Re: Complex Join Condition

You could break your complex join rule into 3 separate join rules as follows:

rule 1: join condition on event 1 and event 2

rule 2: join condition on event 3 and event 4

rule 3: join condition on rule 1 and rule 2

Jason

jgervais

Re: Complex Join Condition

For adding to the list use rule 3

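A simulation of Jason's three-rule layout (rule 1 joins event 1 and 2, rule 2 joins event 3 and 4, rule 3 joins the two correlation events and writes the lists), added here as an illustration; it is not code from the thread or from ArcSight. It assumes a constructed `stage` field (1 to 4) to tell the four event types apart, since the post shows their conditions only as placeholders, and aggregates on Device Custom String6 as the session key.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)  # the post's aggregation time frame

def base_match(e):
    # The identical event1..event4 conditions from the post ("42" stands in for the cs2 number).
    return (e["product"] == "X" and e["name"] == "Y"
            and e["cs2"] == "42" and e["type"] != "Correlation")

def join(left, right, window=WINDOW):
    """Pair each left match with the first right match that has the same
    Device Custom String6 value and lies within the time window."""
    joined = []
    for a in left:
        for b in right:
            if a["cs6"] == b["cs6"] and abs(a["time"] - b["time"]) <= window:
                joined.append({"cs6": a["cs6"], "time": max(a["time"], b["time"]),
                               "events": a["events"] + b["events"]})
                break
    return joined

def session_starts(events):
    """Jason's layout: rule 1 joins stages 1+2, rule 2 joins stages 3+4,
    rule 3 joins those two correlation events and feeds the lists."""
    def stage(n):  # base events of one stage, wrapped like a rule's match record
        return [{"cs6": e["cs6"], "time": e["time"], "events": (e,)}
                for e in events if base_match(e) and e["stage"] == n]
    rule3 = join(join(stage(1), stage(2)), join(stage(3), stage(4)))
    active_list, session_list = {}, []
    for m in rule3:
        e1, e3 = m["events"][0], m["events"][2]   # event1 and event3 of the original rule
        if e1["cs6"] in active_list:              # Matches = 1: fire once per session key
            continue
        entry = {"user": e3["user"], "cs4": e1["cs4"], "host": e1["host"], "cs6": e1["cs6"]}
        active_list[e1["cs6"]] = entry
        session_list.append({**entry, "start": m["time"], "end": None})
    return active_list, session_list

def sample_events():
    # Constructed feed: A completes all four stages inside a minute,
    # B never sends stage 4, C sends stage 4 five minutes late.
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    def ev(stage, cs6, secs, user="-"):
        return {"product": "X", "name": "Y", "cs2": "42", "type": "Base", "stage": stage,
                "cs6": cs6, "cs4": "vpn-profile", "host": "gw01", "user": user,
                "time": t0 + timedelta(seconds=secs)}
    return [ev(1, "A", 0), ev(2, "A", 5), ev(3, "A", 10, "alice"), ev(4, "A", 20),
            ev(1, "B", 0), ev(2, "B", 3), ev(3, "B", 9, "bob"),
            ev(1, "C", 0), ev(2, "C", 4), ev(3, "C", 8, "carol"), ev(4, "C", 300)]
```

Running `session_starts(sample_events())` yields one active-list entry and one session entry, both for A; B is incomplete and C's stage 4 falls outside the one-minute window, so neither starts a session.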