sjalextaidri Absent Member.

active list alike in logger (querying custom set of lists)

Hello,

I'm wondering if there is a way to build a list of IP addresses or hostnames that can be queried within ArcSight Logger (not ESM)?

Example, something like the below imaginative query:

deviceVendor=XYZ AND (sourceAddress IN [list_IP1, list_IP2] OR sourceHostName IN [list_host1, list_host2])

Where the lists can later be modified (add/remove) dynamically or manually by anyone who has permission to that list (like what ESM can do)?

Thanks.

michael.selph Absent Member.

Re: active list alike in logger (querying custom set of lists)

Unfortunately, there is no functionality like active lists in Logger.

sjalextaidri Absent Member.

Re: active list alike in logger (querying custom set of lists)

Yeah, that's what I understand too from the Admin Guide.

However, I'm thinking this is something ArcSight might want to consider adding in a future release of their Logger OS.

I wonder if there is any workaround or trick that can do something similar by other means, from the forum here. Anyway, thanks for your reply.

aaronhofer Absent Member.

Re: active list alike in logger (querying custom set of lists)

One simple method of injecting small amounts of custom data into a report is to use the IF Statement.

IF(arc_sourceAddress STARTSWITH "192.168", "Private", "Public") AS "Scope"

That would create a Scope column and populate it with "Private" if the sourceAddress starts with 192.168, and it would put "Public" in all other cases.

You could also nest IF statements like this:

SELECT
   arc_sourceAddress AS "Src IP",
   IF(arc_sourceAddress STARTSWITH "192.168", "Class C",
      IF(arc_sourceAddress BETWEEN inet_aton_net("172.16.0.0/12") AND inet_aton_bc("172.16.0.0/12"), "Class B",
         IF(arc_sourceAddress STARTSWITH "10.", "Class A", "Public"))) AS "Network Type"
FROM events

The above query would give you the sourceAddress and whether or not it's a Class A, B, C or Public IP.

sjalextaidri Absent Member.

Re: active list alike in logger (querying custom set of lists)

Thanks for sharing

This looks cool...

Btw, can this be done the reverse way? Instead of feeding the status based on a condition (e.g. 10.x.x.x is Class A, etc.) into a custom data field called Scope1, could I define Scope1 manually and then use it as a criterion for the query? Something like:

SELECT ...

WHERE <field> IN Scope1

aaronhofer Absent Member.

Re: active list alike in logger (querying custom set of lists)

If you are talking about only referencing a single field, yes you can do that quite easily and you are almost there already.

SELECT arc_destinationUserName, ...
FROM events
WHERE arc_destinationUserName IN ('BOB', 'SUE', 'JANE')

You can also create a sort of "table in memory" in MySQL using UNIONs that basically group data together. It's a little ugly but from what I've seen it executes quite fast on the Logger and it's pretty good if you only have a small list of data to correlate.

SELECT arc_destinationUserName, A.Manager
FROM events
JOIN (
   SELECT 'BOB' AS UserName, 'JOHN DOE 1' AS Manager
   UNION
   SELECT 'SUE' AS UserName, 'JOHN DOE 2' AS Manager
   UNION
   SELECT 'JANE' AS UserName, 'JOHN DOE 3' AS Manager
) AS A
ON UPPER(A.UserName) = UPPER(arc_destinationUserName)
WHERE arc_destinationUserName IN ('BOB', 'SUE', 'JANE')

This query would give you events where the usernames were bob, sue or jane and would return you their manager as well, as defined in the query. I don't know what the upper limit is for how many UNIONs you could have, but I just tested this with something like 150 and it didn't complain while also executing very fast.

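The UNION "table in memory" trick from the reply above, as an added example that is not from the thread: Python with an in-memory SQLite stand-in for Logger's events table, generating the derived lookup table from a watchlist with bound parameters so list entries can never alter the query text. The events, the watchlist and the table schema are constructed here; Logger's own SQL dialect (MySQL-based) and its `arc_` column names are mirrored but not otherwise assumed to behave identically.

```python
import sqlite3

# Constructed sample events standing in for Logger's events table.
EVENTS = [
    ("bob",     "10.1.1.5",    "login"),
    ("Sue",     "10.1.1.9",    "login"),
    ("alice",   "10.1.2.3",    "login"),
    ("JANE",    "172.16.4.2",  "logout"),
    ("mallory", "203.0.113.7", "login"),
]

# Constructed watchlist: the hand-maintained list the question asks for.
WATCHLIST = [("BOB", "JOHN DOE 1"), ("SUE", "JOHN DOE 2"), ("JANE", "JOHN DOE 3")]


def build_lookup_subquery(rows):
    """Build the UNION-based derived table from (UserName, Manager) pairs.

    Each value becomes a bound parameter, so a list entry containing quotes
    or SQL keywords is treated as data. Returns (sql_fragment, params)."""
    if not rows:
        raise ValueError("watchlist must not be empty")
    parts = ["SELECT ? AS UserName, ? AS Manager"] * len(rows)
    params = [value for row in rows for value in row]
    return "\nUNION\n".join(parts), params


def events_with_manager(conn, watchlist):
    """Join events against the in-query lookup table, case-insensitively,
    and return (arc_destinationUserName, Manager) for every matching event."""
    lookup_sql, params = build_lookup_subquery(watchlist)
    sql = f"""
        SELECT e.arc_destinationUserName, A.Manager
        FROM events AS e
        JOIN (
            {lookup_sql}
        ) AS A
        ON UPPER(A.UserName) = UPPER(e.arc_destinationUserName)
        ORDER BY UPPER(e.arc_destinationUserName)
    """
    return conn.execute(sql, params).fetchall()


def make_db():
    """Create the in-memory stand-in table and load the constructed events."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (arc_destinationUserName TEXT, "
                 "arc_sourceAddress TEXT, arc_name TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", EVENTS)
    return conn
```

Because UPPER() is applied to both sides of the join, "bob", "Sue" and "JANE" all match even though the watchlist is stored in upper case; users not on the list ("alice", "mallory") simply produce no row.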