This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Creating alerts across multiple log events

J_Kerwin
Contributor
Contributor

‎2024-09-02 07:30 PM

I'm trying to create an alert for an email DLP Event where I want to alert when a rule is matched and then the email is allowed vs blocked.

 

The issue I'm facing is I don't know how to alert when the events that I want to alert (is rule matched and was it allowed) are recorded across different log events 

 

For example

Event 1 - Email rule matched

Event 2 - Email action allows

 

Each of these events occur across different log entries when in the investigate module, but I don't know how to create an alert that traverses these multiple events. 

 

 

 

Labels:
0 Likes
1 REPLY 1

JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2024-09-19 06:30 PM

@J_Kerwin Given you are looking to alert across multiple events, thus across different times, you would need to create a correlation rule within the Event Stream Analysis server. This way you can say in the rule start paying attention when Event 1 matches, watch over the course of say 5 minutes for Event 2 to happen for the same event source, then fire an alert.

 

You may be able to use the ESA rule wizard to write the rule. I'm not sure as I'm not as familiar with writing ESA rules as I am with Reporting Engine rules. If the rule is more complex than the wizard can produce, you would need to know how to write ESA rules in ESPER.

 

Here is some documentation around ESA Rule alerting: https://community.netwitness.com/t5/netwitness-platform-online/alerting-with-esa-correlation-rules/ta-p/669493

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.