Anonymous_User Absent Member.

Re: Create Advanced Filter for search

There is not a way to do this with Lucene queries, though the RDD
functionality within Sentinel was built for this type of thing and you
could probably do that and then report on data in there via a report of
your own.

Good luck.
Anonymous_User Absent Member.

Re: Create Advanced Filter for search


Hi AB,

Could you elaborate on your previous answer? I'm looking to do the
same thing for detecting a Set Password event when sun != dun. Can a
Correlation rule do this on a single event?

Thanks,
Kirk


Anonymous_User Absent Member.

Re: Create Advanced Filter for search

Hi Kirk,

you can do it in RuleLG:

filter(e.XDASProvider = "0"
and e.XDASRegistry = "0"
and e.XDASClass = "0"
and e.XDASIdentifier = "6"
and e.XDASOutcome = 0
and e.XDASDetail = 0
and e.InitiatorUserName != e.TargetUserName
)

Norbert

>>> On 02.10.2012 at 10:24, kmaule<kmaule@no-mx.forums.netiq.com> wrote:


> Hi AB,
>
> Could you elaborate on your previous answer? I'm looking to do the
> same thing for detecting a Set Password event when sun != dun. Can a
> Correlation rule do this on a single event?
>
> Thanks,
> Kirk


0 Likes
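
The filter posted above, restated in Python and run over constructed events, as an added example that is not part of the original thread and is not Sentinel code. The field names and expected values come from the post; the event dictionaries, the string coercion of taxonomy values, the handling of empty user names and the `fold_case` option are assumptions of this example.

```python
# Added example: not Sentinel code. Field names/values are taken from the
# RuleLG filter in the post; everything else is an assumption of this sketch.
TAXONOMY = {"XDASProvider": "0", "XDASRegistry": "0", "XDASClass": "0",
            "XDASIdentifier": "6", "XDASOutcome": "0", "XDASDetail": "0"}


def _norm(value):
    # The post compares some fields to "0" and others to 0, so coerce to str.
    return "" if value is None else str(value).strip()


def password_set_by_other(event, fold_case=False):
    """True if the event matches the taxonomy and initiator != target."""
    if any(_norm(event.get(k)) != v for k, v in TAXONOMY.items()):
        return False
    initiator = _norm(event.get("InitiatorUserName"))
    target = _norm(event.get("TargetUserName"))
    if not initiator or not target:
        return False  # assumption: an unnamed side is triaged elsewhere
    if fold_case:  # assumption: treat "JDoe" and "jdoe" as one account
        initiator, target = initiator.casefold(), target.casefold()
    return initiator != target


def _event(event_id, initiator, target, **overrides):
    # Constructed sample event; integer taxonomy values are deliberate.
    event = {"id": event_id, "XDASProvider": 0, "XDASRegistry": 0,
             "XDASClass": 0, "XDASIdentifier": 6, "XDASOutcome": 0,
             "XDASDetail": 0, "InitiatorUserName": initiator,
             "TargetUserName": target}
    event.update(overrides)
    return event


SAMPLE_EVENTS = [  # constructed, not real log data
    _event(1, "admin", "jdoe"),                      # someone else's password
    _event(2, "jdoe", "jdoe"),                       # self-service change
    _event(3, "JDoe", "jdoe"),                       # same user, case differs
    _event(4, "admin", "jdoe", XDASIdentifier="7"),  # other taxonomy id
    _event(5, "", "jdoe"),                           # initiator missing
    _event(6, "admin", "jdoe", XDASOutcome=1),       # other outcome value
]


def matching_ids(events, fold_case=False):
    return [e["id"] for e in events if password_set_by_other(e, fold_case)]


if __name__ == "__main__":
    print("strict:", matching_ids(SAMPLE_EVENTS))
    print("case-folded:", matching_ids(SAMPLE_EVENTS, fold_case=True))
```

Event 3 is the case worth noting: a literal inequality on the two user name fields flags it, while a case-folded comparison does not.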
Anonymous_User Absent Member.

Re: Create Advanced Filter for search

Otherwise the 'Data Synchronization' option I was talking about is here
in the 7.x administration guide section 5.6:

https://www.netiq.com/documentation/sentinel70/s701_admin/data/bupyguo.html#bupyguo

Good luck.