This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Alert: EPL rule followed by another rule?

MiguelAlvarez
New Contributor
New Contributor

‎2017-05-04 10:30 AM

Hi everyone,

I need help with one advanced EPL rule.

I'm trying to do a condition followed by another condition, but my problem is that my first condition has a group by and a having count in the condition... How can I concatenate rules?

For example:

 

event.x = "something" && device.type = "smdevice"

group by alias.host

HAVING COUNT (7,10)

 

"and now I need to do next rule (followed by)"

 

(device.type = "smdevice" && event.x = "somethingdiferent")

group by alias.host

 

 

 

Thanks

mailto:securityoperations@tsb.co.uk
0 Likes
1 REPLY 1

VolodymyrRozhni
Beginner
Beginner

‎2017-05-09 08:26 AM

I guess you can try to use pattern rule

something like:

 

@RSAAlert
SELECT * FROM PATTERN @SuppressOverlappingMatches
[
    EVERY
          /*  10 events  */
    [10] a=Event (event.x = "something" && device.type = "smdevice")
    ->
    (
        /*  Folowed by event */
        b=Event  (device.type = "smdevice" && event.x = "somethingdiferent")
    )
    /*within 5 min*/
    WHERE timer:within(300 seconds)
];

 

 

But keep in mind, this one is pretty expensive from memory perspective.

More details Chapter 7. EPL Reference: Patterns 

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.