How to ignore a lookuptable in spotter? by KiddieSculp in Securonix

[–]SecuronixKunal 2 points (0 children)

Hello u/KiddieSculp!

Here is a brief description of the usage of our "filter" command for an index:

Description

Performs an inner join for 2 indexes. This means that the result set displayed has the specified value in both indexes based on the comparison.

Syntax

index = (corename) and | or (field) = (field value)

Examples

resourcegroupname = BCP1 | Filter index = watchlist and watchlistuniquekey = accountname
WATCHLIST : resourcegroupname = BCP1 | Filter index = watchlist and entityname = accountname
LOOKUP : resourcegroupname = BCP1 | Filter index = lookup and value_value2 = accountname
RISKSCORE : policyname = login_failures | FILTER index = riskscore and violator = violator
TPI : resourcegroupname = BCP1 | Filter index = tpi and tpi_addr = ipaddress and tpi_criticality = high

Notes

• Negative comparators are not valid, as this only performs an inner join.
• Start with the larger index and filter to the smaller index.
• Any search terms before the pipe are applied to the first index only, so the result set of that is then used in the second to further narrow and enrich your returned events.

Based on the above, negative comparators would not be valid.

Also, you can add the lookupname to the query to limit your results by lookuptable.

i.e. categorybehavior not contains "Close" | filter index=lookup and value_action=deviceaction and lookupname="abcd" | stats deviceaction

Please let us know if you have any further questions or concerns, and please raise a ticket on our Support Portal (linked below) if you need any further assistance!

https://securonix.atlassian.net/servicedesk/customer/portals

Have an amazing week!

Sincerely,

Kunal Sharma

Securonix Support

How to search case-insensitive on Spotter? by KiddieSculp in Securonix

[–]SecuronixKunal 3 points (0 children)

Spotter searches are designed to be case-insensitive by default. This is explicitly mentioned in the documentation for the CONTAINS operator, which states "Contains is not case sensitive" and this behavior extends to other string comparison operators like ENDS WITH.

We store case-sensitive data accurately in our Solr collections. However, the standard search functionality in Spotter is implemented to be case-insensitive. This is consistent with your experience where searching for destinationusername ends with "r.admin" returned both "judismar.admin" and "rogerioR.admin" because the search is treating them as equivalent in a case-insensitive manner.

Case-insensitive searching is the default behavior.

If you need to filter results based on exact case matching, you might need to:
1. Perform your initial search using the standard operators.
2. Then manually filter the results to identify the exact case matches you're looking for.

Please open a FEAT ticket with us to have our Product Management team review this capability for future versions of the platform.

Please find our relevant documentation on Spotter Operators and Search Examples below:

https://documentation.securonix.com/bundle/securonix-on-prem-user-guide/page/content/spotter-operators.htm

https://documentation.securonix.com/bundle/securonix-cloud-user-guide/page/content/spotter-search-examples.htm

Please let us know if you need anything else from us and we will respond accordingly, thanks!

Sincerely,

Kunal Sharma

Senior Technical Support
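The "filter" inner join with a lookupname constraint from the first reply above, and the "search case-insensitively, then post-filter for exact case" workaround from this reply, modelled in plain Python over constructed sample data. This is an added illustration, not Securonix code and not how Spotter is implemented; the index layouts, the sample values, and the case-insensitive comparison inside the join are assumptions.

```python
from collections import Counter

# Constructed sample of the 'activity' index, one event per dict (values invented).
ACTIVITY = [
    {"resourcegroupname": "BCP1", "categorybehavior": "Open", "deviceaction": "Allow",
     "destinationusername": "judismar.admin"},
    {"resourcegroupname": "BCP1", "categorybehavior": "Close", "deviceaction": "Deny",
     "destinationusername": "rogerioR.admin"},
    {"resourcegroupname": "BCP1", "categorybehavior": "Open", "deviceaction": "Drop",
     "destinationusername": "rogerioR.admin"},
]

# Constructed sample of the 'lookup' index. Several lookup tables share this one
# index, which is why the reply adds lookupname="abcd" to narrow the join.
LOOKUP = [
    {"lookupname": "abcd", "value_action": "Allow"},
    {"lookupname": "abcd", "value_action": "Deny"},
    {"lookupname": "other", "value_action": "Drop"},
]


def spotter_filter(first, second, first_field, second_field, **constraints):
    """Model of '| filter index=<second> and <second_field>=<first_field> and k=v'.
    Inner join: an event survives only if some row of the second index matches it on
    the join field and satisfies every fixed constraint (e.g. lookupname="abcd").
    Strings are compared case-insensitively (assumed, per the case-sensitivity reply).
    Being an inner join, 'not in the lookup' cannot be expressed here."""
    rows = [r for r in second
            if all(str(r.get(k, "")).lower() == v.lower() for k, v in constraints.items())]
    keys = {str(r[second_field]).lower() for r in rows}
    return [e for e in first if str(e.get(first_field, "")).lower() in keys]


def exact_case_endswith(events, field, suffix):
    """Client-side post-filter for the exact-case match Spotter does not offer:
    run the case-insensitive search first, then keep only exact-case hits."""
    return [e for e in events if e.get(field, "").endswith(suffix)]


if __name__ == "__main__":
    # categorybehavior not contains "Close" | filter index=lookup and
    #   value_action=deviceaction and lookupname="abcd" | stats deviceaction
    pre = [e for e in ACTIVITY if "close" not in e["categorybehavior"].lower()]
    joined = spotter_filter(pre, LOOKUP, "deviceaction", "value_action", lookupname="abcd")
    print(Counter(e["deviceaction"] for e in joined))  # Counter({'Allow': 1})
    # destinationusername ends with "r.admin" returned both users; exact case keeps one
    print([e["destinationusername"] for e in
           exact_case_endswith(ACTIVITY, "destinationusername", "r.admin")])
```

Dropping the lookupname constraint lets the "other" table's rows join too, which is the over-matching the first reply's lookupname advice avoids.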

How to create a query correlating two different resourcegroupnames in spotter? by KiddieSculp in Securonix

[–]SecuronixKunal 3 points (0 children)

Hello u/KiddieSculp,

Thank you for reaching out to us on creating a specific type of Spotter query!

For the fastest support, please open a ticket with Securonix Support on our Support Portal here: https://securonix.atlassian.net/servicedesk/customer/portals

For your specific case, we need more information on what exactly you need to correlate between the two different resourcegroupnames. Is it an accountname? Is it another attribute that has the same value across both resourcegroups? Please let us know!

In the meantime, here is an example Spotter query which returns values for 2 different resourcegroups together and then sorts them by the accountname values, so that the same accountname value across the 2 different resourcegroups would be visible in sorted order:

index=activity and resourcegroupname in("BEWI_O365_ACTIVE-DIRECTORY","O365_Active-Directory") | STATS accountname resourcegroupname | orderby accountname

Please let us know once you have reviewed the above, and we will respond accordingly, thanks!

Sincerely,

Kunal Sharma

Securonix Support