2018-10-09 05:41 PM
Looking for some help with an EPL rule.
The goal is to detect when a single client requests more than 275 unique A records for hosts in my AD domain within 5 minutes. The custom meta key dns_qtype is populated by an app rule that acts on logs produced by our name servers.
@RSAAlert(oneInSeconds = 0)
SELECT *
FROM Event(
dns_qtype.toLowerCase() IN ('dns a') AND
matchLike(alias_host, "%domain.local") AND
ip_src IS NOT NULL
)
This expression matches all of the events (DNS A record queries for domain.local). What I don't know is how to achieve the threshold and grouping by source IP with only unique alias_host values (i.e. what combination of views is required). Note that alias_host is an array as well - I'm not sure if that changes the behavior of std:unique.
I've tried this a few different ways and none of them have worked - would appreciate some assistance.
2018-10-10 10:06 AM
Hi Craig,
Try this out. I tested it with some log sample at my end.
@RSAAlert(oneInSeconds = 0)
SELECT *
FROM Event(
dns_qtype.toLowerCase() IN ('dns a') AND
matchLike(alias_host, "%domain.local") AND
ip_src IS NOT NULL
).std:groupwin(ip_src).win:time_length_batch(5 minutes, 275).std:unique(alias_host)
group by ip_src
having count(*) = 275
;
2018-10-10 10:11 AM
I would also suggest not to keep higher time lengths, because ESA will be storing 275 events in memory for that entire time frame & it will affect the ESA memory.
2018-10-10 01:06 PM
Thanks Mohammed - this worked exactly as expected. I can see that the rule is using about 13 MB of RAM on our ESA appliance as configured - that would get out of hand quick with a longer window.
2018-10-11 03:36 AM
Hi Craig,
In cases where you see alerts utilizing a lot of memory it is recommended to write the Alerts using the Named window technique.
In this link 'https://community.rsa.com/docs/DOC-80032' there is an example for it, 'EPL #4: Using NamedWindows and match recognize'; have a check.
Named Windows don't store entire events in memory, only the meta value that you are filtering.
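As an added example (this is not from the thread and not RSA ESA or Esper code), below is a stand-alone Python model of what the rule in the accepted answer expresses: the same event filter, a per-ip_src sliding 5-minute window that tracks only unique alias_host values, and the 275 threshold. It also illustrates the memory point made just above: each per-source window keeps only the (timestamp, host) meta it needs, never the whole event. alias_host is treated as an array, as in the question, and only values matching the domain suffix are counted. The event dicts, key names (time, ip_src, dns_qtype, alias_host) and all sample data are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 275            # unique A-record names per source that triggers an alert
DOMAIN_SUFFIX = "domain.local"


def matching_hosts(event, suffix=DOMAIN_SUFFIX):
    """Model of the Event(...) filter: 'dns a' query, non-null ip_src, and only the
    alias_host values (array or scalar) that match '%domain.local'. Returns the
    list of hosts to count, which is empty when the event does not qualify."""
    if event.get("ip_src") is None:
        return []
    if (event.get("dns_qtype") or "").lower() != "dns a":
        return []
    hosts = event.get("alias_host") or []
    if isinstance(hosts, str):
        hosts = [hosts]
    return [h for h in hosts if h.endswith(suffix)]


class UniqueHostWindow:
    """Sliding time window for one source that stores only (timestamp, host) pairs
    and a per-host reference count, so unique hosts can be counted and expired."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.entries = deque()          # (timestamp, host) in arrival order
        self.refcount = {}              # host -> queries still inside the window

    def add(self, ts, host):
        self.entries.append((ts, host))
        self.refcount[host] = self.refcount.get(host, 0) + 1
        self._expire(ts)

    def _expire(self, now):
        cutoff = now - self.window
        while self.entries and self.entries[0][0] < cutoff:
            _, host = self.entries.popleft()
            self.refcount[host] -= 1
            if self.refcount[host] == 0:
                del self.refcount[host]

    def unique_hosts(self):
        return len(self.refcount)


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """Replay events in time order; alert once per source when its count of
    unique in-domain hosts first reaches the threshold within the window."""
    windows = defaultdict(lambda: UniqueHostWindow(window))
    above = set()                       # sources currently at or over threshold
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        hosts = matching_hosts(ev)
        if not hosts:
            continue
        src = ev["ip_src"]
        for host in hosts:
            windows[src].add(ev["time"], host)
        n = windows[src].unique_hosts()
        if n >= threshold and src not in above:
            above.add(src)
            alerts.append({"ip_src": src, "time": ev["time"], "unique_hosts": n})
        elif n < threshold:
            above.discard(src)
    return alerts


def make_sample_events():
    """Constructed sample log events (not real data) covering the interesting cases."""
    base = datetime(2018, 10, 9, 17, 0, 0)
    ev = []
    # 10.0.0.5: 300 distinct hosts in four minutes; alias_host carries FQDN and short name
    for i in range(300):
        ev.append({"time": base + timedelta(seconds=0.8 * i), "ip_src": "10.0.0.5",
                   "dns_qtype": "DNS A", "alias_host": [f"host{i}.domain.local", f"host{i}"]})
    # 10.0.0.6: chatty but benign, 400 queries for the same ten hosts
    for i in range(400):
        ev.append({"time": base + timedelta(seconds=0.5 * i), "ip_src": "10.0.0.6",
                   "dns_qtype": "DNS A", "alias_host": [f"srv{i % 10}.domain.local"]})
    # 10.0.0.7: 300 distinct hosts, one every 6 s, so at most 51 sit in any 5-minute window
    for i in range(300):
        ev.append({"time": base + timedelta(seconds=6 * i), "ip_src": "10.0.0.7",
                   "dns_qtype": "DNS A", "alias_host": [f"host{i}.domain.local"]})
    # events the filter must drop: AAAA query, external name, missing source
    ev.append({"time": base, "ip_src": "10.0.0.5", "dns_qtype": "DNS AAAA", "alias_host": ["dc1.domain.local"]})
    ev.append({"time": base, "ip_src": "10.0.0.5", "dns_qtype": "DNS A", "alias_host": ["www.example.com"]})
    ev.append({"time": base, "ip_src": None, "dns_qtype": "DNS A", "alias_host": ["dc1.domain.local"]})
    return ev


if __name__ == "__main__":
    for a in detect(make_sample_events()):
        print(f"{a['time']} {a['ip_src']} unique in-domain A lookups: {a['unique_hosts']}")
```

The per-source structure holds one small tuple per query plus a counter per distinct name, which is the same information a Named Window filtered down to ip_src, time and alias_host would carry; the 13 MB figure from the thread comes from the std:groupwin/win:time_length_batch chain retaining whole events instead. The slow scanner (10.0.0.7) stays under the threshold for the same reason the EPL rule would miss it: the window only ever sees a slice of its activity, which is the trade-off a longer time length would buy at the cost of memory.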
2018-10-17 01:14 PM
Thanks again, Mohammed - unfortunately I can't make sense of how I would apply that NamedWindows example to my use case. Could you point me to better documentation, or help me understand how that would work with the example I posted above?