2016-10-20 04:16 AM
I have created an alert for an event in which it creates a window of 30 mins, grabs my required events and outputs only unique/distinct meta, but I am getting duplicate meta (duplicate device ip) despite putting the required condition:
SELECT distinct * FROM Event(
/* Statement: Virus Detected on system and Left alone */
(device_type IN ( 'symantecav' ) AND ( 'Left alone' = ANY( action ) ))
).win:time(30 min)
I also tried this, as I want unique and distinct device.ip from a pool of 30 mins:
SELECT * FROM Event(
/* Statement: Virus Detected on system and Left alone */
(device_type IN ( 'symantecav' ) AND ( 'Left alone' = ANY( action ) ))
).std:unique(device_ip).win:time(30 min)
Can anyone correct this issue?
2016-10-25 10:02 AM
Hi Mohd,
This should work as expected:-
@Name('Create Window')
Create window virus.std:unique(device_ip).win:time(20 min) (device_ip string);
@Name('Insert into Window')
INSERT INTO virus
SELECT device_ip FROM Event(device_ip IS NOT NULL AND device_type = 'symantec' and action.anyOf(i => i.toLowerCase().contains('left alone')));
@Name('Alert')
@RSAAlert
SELECT * FROM virus
GROUP BY device_ip
OUTPUT LAST EVERY 20 min
Cheers,
Lee
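A simulation of the deduplication Lee's named window performs, added here as an illustration; it is not code from the thread or from RSA/Esper. It applies the same filter as the 'Insert into Window' statement (non-null device_ip, device_type 'symantec', an action containing 'left alone' case-insensitively), keeps only the latest event per device_ip as std:unique does, and emits one batch per output interval as OUTPUT LAST EVERY would. The sample events are constructed, and the simulation assumes the output timer starts at the first matching event, whereas in Esper it runs from statement creation.

```python
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed sample events, not from the thread:
# (timestamp, device_type, device_ip, action list)
SAMPLE_EVENTS = [
    (datetime(2016, 10, 20, 4, 0), "symantec", "10.0.0.5", ["Left alone"]),
    (datetime(2016, 10, 20, 4, 3), "symantec", "10.0.0.5", ["left alone"]),   # same ip, 3 min later
    (datetime(2016, 10, 20, 4, 5), "symantec", "10.0.0.7", ["Quarantined"]),  # wrong action
    (datetime(2016, 10, 20, 4, 8), "mcafee", "10.0.0.9", ["Left alone"]),     # wrong device_type
    (datetime(2016, 10, 20, 4, 12), "symantec", "10.0.0.8", ["Left alone"]),
    (datetime(2016, 10, 20, 4, 25), "symantec", "10.0.0.5", ["Left alone"]),  # next 20-min batch
    (datetime(2016, 10, 20, 4, 30), "symantec", None, ["Left alone"]),        # null ip is dropped
]


def matches_filter(device_type, device_ip, actions):
    """Mirror of the EPL filter in the 'Insert into Window' statement:
    device_ip IS NOT NULL AND device_type = 'symantec'
    AND action.anyOf(i => i.toLowerCase().contains('left alone'))."""
    return (
        device_ip is not None
        and device_type == "symantec"
        and any("left alone" in a.lower() for a in actions)
    )


def unique_per_batch(events, batch_minutes=20):
    """Approximate the named window's std:unique(device_ip) combined with
    'SELECT * FROM virus GROUP BY device_ip OUTPUT LAST EVERY 20 min'.

    Returns one OrderedDict per output interval, mapping device_ip to the
    timestamp of the latest matching event for that ip.  Assumption: the
    output timer is started by the first matching event; in Esper it runs
    from the time the statement is created.
    """
    batches = []
    batch_start = None
    current = OrderedDict()
    for ts, device_type, device_ip, actions in sorted(events, key=lambda e: e[0]):
        if not matches_filter(device_type, device_ip, actions):
            continue
        if batch_start is None:
            batch_start = ts
        # Emit the batch once the output interval has elapsed; intervals with
        # no matching events produce no output, as OUTPUT LAST would not fire.
        while ts >= batch_start + timedelta(minutes=batch_minutes):
            if current:
                batches.append(current)
            current = OrderedDict()
            batch_start += timedelta(minutes=batch_minutes)
        # std:unique(device_ip) keeps only the latest event per ip, so a
        # repeated ip replaces its earlier entry instead of adding a duplicate.
        current[device_ip] = ts
    if current:
        batches.append(current)
    return batches


if __name__ == "__main__":
    for n, batch in enumerate(unique_per_batch(SAMPLE_EVENTS), 1):
        print(f"batch {n}:", {ip: ts.strftime("%H:%M") for ip, ts in batch.items()})
```

Run as a script it prints two batches: the first holds 10.0.0.5 (its 04:03 event, the 04:00 one having been replaced) and 10.0.0.8, the second holds only 10.0.0.5 again, which is the per-interval dedup the original `SELECT distinct *` over a sliding window could not give.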
2016-10-26 10:33 AM
Hi Lee,
This is really helpful & works. Based on the threshold, the alert notification would be delayed for 15 mins (as per our example). Is there a way I can avoid that too?
I tried the OUTPUT FIRST command with @RSAAlert but it's not working as expected. Thanks!!
2016-10-26 11:17 AM
Hey Ravi,
The notifications get triggered when the alert fires, it does this so we can group the necessary information.
The OUTPUT FIRST syntax is used to output the first event that matched the criteria after the time period has been reached - which in this case is 15 minutes.
If you wanted to be notified when you first see an event and then suppress similar matches, you could do the following:-
@RSAAlert
SELECT * FROM Event(user_dst IS NOT NULL)
GROUP BY user_dst
OUTPUT FIRST every 15 minutes
This would alert every time a user_dst value is seen, and then suppress for 15 minutes on any user_dst values that are the same; this could be used as well as the previous EPL example like so:-
// Alert when we see a user and then suppress for 15 minutes on same users
@RSAAlert
SELECT * FROM Event(user_dst IS NOT NULL)
GROUP BY user_dst
OUTPUT FIRST every 15 minutes;
// Group the users and alert after 15 minutes
INSERT INTO AlertStream
SELECT window(*) FROM Event(user_dst IS NOT NULL).std:groupwin(user_dst).win:time_batch(15 min) GROUP BY user_dst HAVING COUNT(*) >= 1;
@RSAAlert
SELECT * FROM AlertStream
Cheers,
Lee
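A simulation of the two alerting behaviours Lee contrasts above, added here as an illustration; it is not code from the thread or from RSA/Esper. `output_first_alerts` approximates `GROUP BY user_dst OUTPUT FIRST every 15 minutes` (alert at once, then suppress that user_dst for the interval), `time_batch_alerts` approximates `.win:time_batch(15 min) GROUP BY user_dst` (hold everything until the batch closes), and `notification_delay_minutes` shows the gap between event time and alert time that the batched form imposes. The sample events are constructed, and the batch timer is assumed to start at the first event, whereas in Esper it starts when the statement is created.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events, not from the thread: (timestamp, user_dst)
SAMPLE_EVENTS = [
    (datetime(2016, 10, 26, 9, 0), "alice"),
    (datetime(2016, 10, 26, 9, 5), "alice"),   # within 15 min of alice's first event
    (datetime(2016, 10, 26, 9, 10), "bob"),
    (datetime(2016, 10, 26, 9, 16), "alice"),  # 16 min after alice's first event
    (datetime(2016, 10, 26, 9, 20), "bob"),    # within 15 min of bob's first event
]


def output_first_alerts(events, minutes=15):
    """Approximate 'GROUP BY user_dst OUTPUT FIRST every 15 minutes':
    the first event for a user_dst is alerted immediately, then that user_dst
    is suppressed until the interval has elapsed.  Returns (timestamp, user_dst)
    pairs in firing order."""
    window = timedelta(minutes=minutes)
    suppressed_until = {}
    fired = []
    for ts, user in sorted(events, key=lambda e: e[0]):
        if user in suppressed_until and ts < suppressed_until[user]:
            continue  # same user inside the interval: suppressed, no alert
        suppressed_until[user] = ts + window
        fired.append((ts, user))
    return fired


def time_batch_alerts(events, minutes=15):
    """Approximate '.win:time_batch(15 min) GROUP BY user_dst HAVING COUNT(*) >= 1':
    events are held until the batch closes, then one alert carries the
    per-user counts for that batch.  Returns (batch_close_time, {user_dst: count})
    pairs.  Assumption: the batch timer starts at the first event; in Esper it
    starts when the statement is created."""
    events = sorted(events, key=lambda e: e[0])
    if not events:
        return []
    window = timedelta(minutes=minutes)
    close_at = events[0][0] + window
    counts = Counter()
    batches = []
    for ts, user in events:
        # Close every batch whose interval has passed before this event.
        while ts >= close_at:
            if counts:
                batches.append((close_at, dict(counts)))
            counts = Counter()
            close_at += window
        counts[user] += 1
    if counts:
        batches.append((close_at, dict(counts)))
    return batches


def notification_delay_minutes(events, batches):
    """For each event, the minutes between the event and the batch alert that
    carries it: the aggregation delay discussed in the thread."""
    delays = {}
    for ts, user in sorted(events, key=lambda e: e[0]):
        close_at = next(c for c, _ in batches if c > ts)
        delays[(ts.strftime("%H:%M"), user)] = int((close_at - ts).total_seconds() // 60)
    return delays


if __name__ == "__main__":
    print("OUTPUT FIRST:", [(ts.strftime("%H:%M"), u) for ts, u in output_first_alerts(SAMPLE_EVENTS)])
    batches = time_batch_alerts(SAMPLE_EVENTS)
    print("time_batch:", [(c.strftime("%H:%M"), counts) for c, counts in batches])
    print("delay (min):", notification_delay_minutes(SAMPLE_EVENTS, batches))
```

With these inputs the OUTPUT FIRST form fires for alice at 09:00, bob at 09:10 and alice again at 09:16, while the time_batch form fires once at 09:15 and once at 09:30, so the 09:00 event is reported 15 minutes after it occurred; that delay is inherent to aggregating over the window rather than something OUTPUT LAST/FIRST can remove.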
2016-10-27 10:36 AM
Hi Lee,
Sorry if I wasn't clear on my questions. I don't want to suppress any alerts; my concern is only about the alert notification. I thought the "OUTPUT LAST/FIRST" commands would control the notification.
I don't want to see a delay between event time & alerting time. Is there a way to send a notification when the alert finds the first match? I believe it's not possible as we are doing the aggregation for 15 minutes, but I still want to get a confirmation from you.
Thanks again for your time!!
2016-10-27 10:46 AM
Hey Ravi,
If you are aggregating the information you will have to wait until the window closes for an alert.
Cheers,
Lee
2016-11-03 03:28 AM
Hi Lee,
I have deployed the same; the events are coming in, but the alerts are not triggering.