gravwell / kits

A collection of open source Gravwell kits
BSD 2-Clause "Simplified" License

Corelight Kit: Invalid SSL Certificate search issue #180

Open dctootall opened 1 month ago

dctootall commented 1 month ago

Customer report of issues with the Saved Query provided within the kit.

The Corelight kit saved search "Invalid SSL certificates" (`tag=corelight_ssl ax last_alert!="-" | alias "id.orig_h" client "id.resp_h" server last_alert alert | table client server server_name alert established`) has 2 issues:

(1) The query name is a misnomer. I think the query is supposed to search for SSL alerts, the result table in the x509 Dashboard calls it Failed SSL Negotiations

(2) The query does not work as intended. It looks for `last_alert!="-"`, but there is no such thing. There are empty `last_alert` fields if there is no alert, but changing `"-"` to `""` does not work either. When using `eval last_alert!=""` it works, but I guess that is slow.
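To make the filtering problem in (2) concrete, here is an added example (not part of the kit or the issue) that reproduces the intended "failed SSL negotiations" table outside Gravwell, over a few constructed Corelight/Zeek `ssl.log` JSON records. Zeek writes `-` for an unset field only in TSV output; in JSON output an unset `last_alert` is either omitted or empty, so a filter that only excludes the literal `-` keeps every record. The helper treats a missing field, an empty string and `-` all as "no alert", which is the condition the saved search is trying to express. The field names are the Zeek `ssl.log` fields used by the query; the sample values are made up.

```python
import json

# Constructed sample ssl.log records in JSON-lines form (not real traffic).
# One record per line; "-" is included to mimic a TSV-style unset marker.
SAMPLE_SSL_LOG = """
{"ts": 1700000000.1, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "server_name": "example.test", "last_alert": "handshake_failure", "established": false}
{"ts": 1700000001.2, "id.orig_h": "10.0.0.6", "id.resp_h": "203.0.113.11", "server_name": "ok.example.test", "last_alert": "-", "established": true}
{"ts": 1700000002.3, "id.orig_h": "10.0.0.7", "id.resp_h": "203.0.113.12", "server_name": "empty.example.test", "last_alert": "", "established": true}
{"ts": 1700000003.4, "id.orig_h": "10.0.0.8", "id.resp_h": "203.0.113.13", "server_name": "missing.example.test", "established": true}
{"ts": 1700000004.5, "id.orig_h": "10.0.0.9", "id.resp_h": "203.0.113.14", "server_name": "badca.example.test", "last_alert": "unknown_ca", "established": false}
"""

# Values that all mean "no TLS alert was seen on this connection".
NO_ALERT_VALUES = ("", "-")


def has_ssl_alert(record):
    """Return True only when last_alert carries a real alert name.

    A missing key, an empty string and the TSV unset marker "-" are all
    treated as "no alert", so the check is robust to either Zeek output format.
    """
    value = record.get("last_alert")
    if value is None:
        return False
    return value.strip() not in NO_ALERT_VALUES


def failed_ssl_negotiations(log_text):
    """Build the same columns as the kit's table: client, server, server_name,
    alert, established, keeping only records that actually carry an alert."""
    rows = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if not has_ssl_alert(record):
            continue
        rows.append({
            "client": record.get("id.orig_h"),       # alias "id.orig_h" client
            "server": record.get("id.resp_h"),       # alias "id.resp_h" server
            "server_name": record.get("server_name"),
            "alert": record["last_alert"],           # alias last_alert alert
            "established": record.get("established"),
        })
    return rows


if __name__ == "__main__":
    for row in failed_ssl_negotiations(SAMPLE_SSL_LOG):
        print(row)
```

Run against the sample, only the `handshake_failure` and `unknown_ca` records survive; the `-`, empty and missing cases are all dropped, which is the behaviour the saved search should have regardless of which Zeek output format produced the log.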