Wednesday, June 23, 2010

ArcSight's indexOf variable - how I love thee

When we were first wading through the honeymoon period of having ArcSight and creating content, we were often stymied by trying to compare two strings. This was back in the “olden” days of 4.0, when you couldn’t just throw two fields into the conditions editor like you can in 4.5 (field1 = field2; field1 != field2). What about instances where you wanted to compare two fields, but the computer name in field1 was domain\computername and the other was COMPUTERNAME$?

Scott P. from ArcSight’s professional services dropped by for a visit once. He said, “Yeah, just use the indexOf variable,” and showed us a few examples. I couldn’t believe how simple it was.

...don’t judge me – I haven’t done a lot of programming, and what I have done was a while ago. indexOf is probably old hat to a number of you and would have been obvious.

There are two main uses for this variable, at least from my perspective and the way I have used it:
  • Seeing if a string matches or exists within another string
  • Finding the numeric point in the line, starting from the left, where the first occurrence of a string is found.
The first I don’t use so much anymore since 4.5. The result is either the index (the start position of the string) or -1, meaning it isn’t there. If you can use the conditions tab in your filter/query/whatever, you might be able to get away with a contains or like on the string itself (e.g. field1 contains “X” and field2 contains “X”). That isn’t dynamic, though. If you are chaining together a few variables you might use this a bit more (in 4.5), but again there are other variables that might be more suited depending on what you are doing. ...now that I think about it, this might have some use as a marginally useful replacement for a conditional evaluation variable in a query against a Trend or Active List, since that variable isn’t an option on those two query sources...

If you ARE using 4.0 or an earlier version, then this is the variable where you would compare the two fields. Create the variable after manipulating the data in field1 and field2, then put either the raw fields or previously created variables into the dropdown options for this variable. Now you can put this variable in the conditions tab and do your greater than/less than/equal to 0 or whatever, based on what you are doing. Comparing two IPs is a pain and takes a chain of something like 20 variables, if I remember right.

The second main use of this variable is one I use much, much more often: combining it with other variables to trim a string. Take the case of COMPUTERNAME$ where you want everything but the “$” (though if you don’t need your $ I would be glad to have it...just saying). Select the indexOf variable and set the first dropdown to the field you are looking to trim. Then set the second dropdown to string and throw in a “$”. The result will be dynamically updated for each event. Now you can use the Substring variable. Select your field. In the first dropdown, asking for the start, select Integer and put in 0 (start on the far left). In the “end with” dropdown select the indexOf variable you just created. Done.

Conversely, if you wanted to strip out a computer or user name where the format in the field is domain\username, you would put the field in the first box and then the string “\” in the second. This time you will need to create a variable just after this one to add 1 to the indexOf variable. Now create your Substring variable with a start of the variable where you added 1 and an end of -1 (end of the string). So to parse out “domain\username” your variable set would be:

indexOf “\” results in 7
varAdd1 = 8
Substring varAdd1 to -1 = “username”

To parse out something like customString4 when an item falls off an active list takes a few more steps, as each field in the AL will be separated by a pipe “|”. In this case you would do indexOf “|”, add 1, Substring to end of string. Rinse and repeat until you get a Substring for the field(s) you are looking for.

Oh, in 4.5 they introduced the variable lastIndexOf, which is nice if you need the last bit of a string...like that suspect exe, jpg or pdf coming from a suspect site your user went to that you are throwing into a Trend...
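To make the variable chains above concrete, here is an added example in plain Python (not code from the post or from ArcSight) that models indexOf, add 1, Substring and lastIndexOf and runs them over constructed sample values: the “$” trim, the domain\username split, the pipe-separated active list entry, and the file extension. It assumes ArcSight's indexOf returns the 0-based position of the first match or -1 when absent, and that a Substring end of -1 means “to the end of the string”; the not-found case is handled explicitly, since a -1 fed into the add-1 variable would otherwise make Substring return the whole field unchanged.

```python
# Added example, not code from the post or from ArcSight. Assumed semantics: indexOf returns
# the 0-based position of the first match or -1 when absent; Substring end of -1 means "to end".
NOT_FOUND = -1
TO_END = -1

def index_of(field, needle):
    """indexOf variable: 0-based position of the first occurrence, -1 if missing."""
    return field.find(needle)

def last_index_of(field, needle):
    """lastIndexOf variable (4.5+): position of the last occurrence, -1 if missing."""
    return field.rfind(needle)

def substring(field, start, end=TO_END):
    """Substring variable: characters from start up to (not including) end."""
    return field[start:] if end == TO_END else field[start:end]

def strip_dollar(name):
    """COMPUTERNAME$ -> COMPUTERNAME; a name without '$' passes through unchanged."""
    pos = index_of(name, "$")
    return name if pos == NOT_FOUND else substring(name, 0, pos)

def after_separator(field, sep):
    """domain\\user -> user: indexOf, add 1, Substring to -1."""
    pos = index_of(field, sep)
    if pos == NOT_FOUND:  # caveat: without this check add-1 yields 0 and the
        return field      # Substring silently returns the whole field unchanged
    var_add1 = pos + 1
    return substring(field, var_add1, TO_END)

def nth_pipe_field(entry, n):
    """Rinse and repeat: peel off fields one '|' at a time to reach 0-based field n."""
    for _ in range(n):
        entry = after_separator(entry, "|")
    pos = index_of(entry, "|")
    return entry if pos == NOT_FOUND else substring(entry, 0, pos)

def extension(url_or_path):
    """lastIndexOf on '.' to pull the trailing exe/jpg/pdf out of a URL or path."""
    pos = last_index_of(url_or_path, ".")
    return "" if pos == NOT_FOUND else substring(url_or_path, pos + 1, TO_END)

if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    print(strip_dollar("WS-1234$"))                                           # WS-1234
    print(after_separator("EXAMPLE\\jsmith", "\\"))                           # jsmith (indexOf 7, varAdd1 8)
    print(nth_pipe_field("EXAMPLE\\jsmith|10.0.0.5|WS-1234$|report.pdf", 2))  # WS-1234$
    print(extension("http://files.example.com/dl/report.pdf"))                # pdf
```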

Good grief, I wrote a book.

2 comments:

  1. The variable game changes yet again in 5.0 with the availability of global variables. So, in some cases (i.e. parsing DCS4) you can assign the original data to a global variable and then reference it in other rules instead of passing aggregated fields to variables and changing field type to string for comparison, etc...

  2. I am looking forward to global variables and the flexibility they will provide. Of course that means I need to get off my butt and upgrade.

    Mark

    PS "Yeah Buddy!"
