2019-11-24 09:24 PM
Sorry for such a simple question.
I had a simple ESA rule that was working prior to upgrading to 11.3.1.1, but now it's not triggering anymore and gives an error about an incorrect use of an OR clause, or something to that effect.
The rule basically goes.
If alert contains 'panda' OR 'bear' OR 'spider' AND IP address is not 128.0.0.1 then generate an alert and notify by email.
Rather than trying to troubleshoot the old rule, I'm happy to just create a new, working one. Could someone help me in how this would look in the rule builder?
Thanks.
2019-11-25 01:38 AM
2019-11-25 04:41 PM
Thanks Dave,
It's still not triggering on my end. The sample you gave, does that mean that the alert has to be exactly what's in the rule (ie. panda, bear)?
What I'm after is if the alert contains those strings, like the alert is 'fancybear'.
2019-11-25 11:25 PM
Ahh, looks like there is an actual problem with my ESA server; it's not triggering any alerts on even the simplest rules.
I've logged a call with RSA support.
2019-11-26 11:04 PM
In case others find it helpful, the issue was due to the current version (11.3.x) not supporting the use of Meta Entities (RSA NetWitness® Suite Unified Data Model Meta Entities) in ESA rules. There is an RFE, ASOC-60958, to support this, but without a confirmed target version at present.
Also, to match any values containing 'bear', an advanced EPL is required with a condition like below.
(isOneOfIgnoreCase(alert,{ '%bear%' , 'panda' }))
(asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%bear%')
OR
(asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%panda%')
Thanks to Josh Randall for providing the syntax.
Regards,
James
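A complete advanced EPL rule that puts James's substring condition together with the IP exclusion from the original post, as an added example rather than code from the thread; the `@RSAAlert`/`Event` boilerplate and `ip_src` as the IP meta key are assumptions about the NetWitness ESA environment, so check them against your version's documentation. The outer parentheses matter: without them AND binds tighter than OR, and 'panda' or 'spider' matches from the excluded address would still alert.

```epl
// Added example, not from the thread. Assumes NetWitness ESA advanced EPL
// with the standard Event type and ip_src as the source-address meta key.
@Name('Alert_contains_bear_panda_spider_excluding_one_ip')
@RSAAlert
SELECT * FROM Event(
    // Group the OR terms so the IP exclusion applies to all three
    (
        (asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%bear%')
        OR (asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%panda%')
        OR (asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%spider%')
    )
    // Exclude the one address; swap in ip_dst if that is the field you mean
    AND ip_src <> '128.0.0.1'
);
```

Email notification is configured on the rule in the ESA UI, not in the EPL itself.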