2019-07-25 09:39 AM
I have a set of events, each with multiple instances of the same meta key "action", with three unique values and a number of repeated values. Is there a way to alert when one such event has a number of the same values greater than x?
Example: in an FTP session the action key contains all the actions in the FTP session, and I want to alert if PWD is given twice.
2019-07-29 06:40 PM
Apologies, but my previous post here was incorrect, and will not work for the use case as you described it.
What I posted would apply when evaluating whether action='pwd' across 2 events, not for evaluating whether action='pwd' 2 or more times within a single event.
There may be less complex solutions, but the following Advanced EPL Rule is working in my lab against events where there are 2 or more action='pwd' metas:
module multiplePwdAction;
//create the data window
@RSAPersist(serialization=Serialization.JSON)
CREATE WINDOW pwdCount.win:length(1) (PwdCount integer, SessionId long);
//count # when action='pwd', add that # to data window, and add the corresponding sessionid
INSERT INTO pwdCount
SELECT
action.toArray().countOf(i => cast(i,string).toLowerCase() IN ( 'pwd' ) ) as PwdCount,
sessionid as SessionId
FROM Event(
medium IN ( 1 ) AND service IN ( 21 ) AND action IS NOT NULL
);
//fire the alert
@RSAAlert
SELECT * FROM Event(
medium IN ( 1 ) AND service IN ( 21 ) AND action IS NOT NULL
).win:length(1), pwdCount
WHERE Event.sessionid = pwdCount.SessionId
AND pwdCount.PwdCount >= 2;
Let me know if you have any questions about this, or if you run into any problems when deploying and/or testing it.
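A Python model of the logic in the rule above, run over constructed sample events; this is an added example, not code from the thread or from NetWitness. It keeps the rule's filter (medium 1, service 21, action not null) and its case-insensitive count within a single event, and it also generalises to any action value repeated x or more times, which is what the original question asked. The event shape, session ids and helper names are assumptions.

```python
"""Model of the ESA rule: flag an FTP session whose multi-valued 'action' meta repeats a value."""
from collections import Counter

# Constructed sample events (not real captures). 'action' is a list, mirroring a
# multi-valued NetWitness meta key; medium=1 / service=21 is what the rule filters on.
SAMPLE_EVENTS = [
    {"sessionid": 1001, "medium": 1, "service": 21, "action": ["USER", "PASS", "PWD", "LIST"]},
    {"sessionid": 1002, "medium": 1, "service": 21, "action": ["USER", "PASS", "pwd", "CWD", "PWD"]},
    {"sessionid": 1003, "medium": 1, "service": 21, "action": ["USER", "PASS", "CWD", "CWD", "CWD"]},
    {"sessionid": 1004, "medium": 1, "service": 80, "action": ["get", "get"]},   # not FTP: out of scope
    {"sessionid": 1005, "medium": 1, "service": 21, "action": None},             # action IS NULL
]


def in_scope(event):
    """Same predicate as the rule's Event(medium IN (1) AND service IN (21) AND action IS NOT NULL)."""
    return event.get("medium") == 1 and event.get("service") == 21 and event.get("action") is not None


def count_value(event, value):
    """Case-insensitive count of one value inside a single event's multi-valued meta,
    mirroring action.toArray().countOf(i => cast(i,string).toLowerCase() IN ('pwd'))."""
    return sum(1 for a in event["action"] if str(a).lower() == value.lower())


def sessions_with_repeated_value(events, value="pwd", threshold=2):
    """Session ids where `value` appears at least `threshold` times in one event (the rule as posted)."""
    return [e["sessionid"] for e in events if in_scope(e) and count_value(e, value) >= threshold]


def sessions_with_any_repeat(events, threshold=2):
    """Generalisation: any action value repeated >= threshold times within one event.
    Returns {sessionid: {value: count}} for the values that crossed the threshold."""
    hits = {}
    for e in events:
        if not in_scope(e):
            continue
        counts = Counter(str(a).lower() for a in e["action"])
        repeated = {v: n for v, n in counts.items() if n >= threshold}
        if repeated:
            hits[e["sessionid"]] = repeated
    return hits


if __name__ == "__main__":
    print(sessions_with_repeated_value(SAMPLE_EVENTS))   # [1002]
    print(sessions_with_any_repeat(SAMPLE_EVENTS))       # {1002: {'pwd': 2}, 1003: {'cwd': 3}}
```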
2019-07-26 11:49 AM
I believe something like this should work:
2019-07-30 03:36 AM
Thank you, I thought I might be able to do this with an app rule or correlation rule. I also thought that ESA would be the way to do it, but your solution is prettier than mine.