NetWitness Community

RSAAdmin · ‎2015-01-28

I know report engine rule has list option or watchlist option to use in report engine where statement. What is the name called in ESA 10.4? Does it exists?

LeeKirkpatrick · ‎2015-02-03

How large is the list that you want to use?

You could look into using a Feed on the Decoder to generate a piece of Meta that you reference in your ESA rules.

Or you could look into declaring an array variable within the EPL itself:

create variable string[] mylist =

{

'Peter',

'Lee',

'Julie',

'George'

};

SELECT * FROM Event(user_dst IS ANY(mylist));

drewjc · ‎2018-06-08

How would this work for IP addresses? I tried the following which didn't work at all.

create variable string[] iplist =

{

'10.0.0.1',

'10.0.0.2',

'10.0.0.3',

'10.0.0.4'

};

SELECT * FROM Event(ip_dst IS ANY(iplist));

LeeKirkpatrick · ‎2018-06-11

Hi Drew,

IP addresses in Esper are also strings, so what you have is good. To have the condition trigger and display an alert. You need to add the @RSAAlert annotation above that statement. Using your example above:

create variable string[] iplist =

{

'10.0.0.1',

'10.0.0.2',

'10.0.0.3',

'10.0.0.4'

};

@RSAAlert

SELECT * FROM Event(ip_dst IS ANY(iplist));

Cheers,

Lee

drewjc · ‎2018-06-11

Thanks Lee. That worked well.

I tested further, and even though I had the @RSAAlert reference, it wouldn't work if it preceded the CREATE VARIABLE statement. Only when I moved it down would it work.

NetWitness Community

ESA 10.4 - What is the watchlist or list called in ESA?