2016-01-25 03:39 PM
Dears,
I intend to create an alert in ESA in which the statement condition is based on the action meta.
What I'm looking for is to get this alert triggered for this event:
given a specific device type, whenever a user initiates an action statement like:
action meta: select * from tablespace
given that the action key is by default of type array.
How can I achieve this condition in ESA, given that if I use the Reporting Engine I also cannot rely on contains for this statement?
Your counsel is highly appreciated.
2016-01-26 08:56 AM
Hey Hani,
When working with arrays in Esper the syntax is a little complex. If you're looking to perform a contains operation against all of the values in the array, the below will work:
SELECT * FROM Event WHERE action.anyOf(i => i.contains("select * from tablespace"))
But remember, ESA is case sensitive, so it may be worthwhile adding the string method "toLowerCase" to make everything lowercase for matching, like so:
SELECT * FROM Event WHERE action.anyOf(i => i.toLowerCase().contains("select * from tablespace"))
Cheers,
Lee
2016-01-26 01:08 PM
Hey Lee,
Thanks for your reply.
Can you provide the syntax to get this into a NetWitness rule like:
I need to get data where device.type='XYZ' && action contains a select statement on the 'Audit tablespace'
Regards
2016-01-26 01:12 PM
Or it might be any statement applied on the Audit tablespace (select, insert), as long as the action meta key contains the Audit value.
How can I achieve this in NetWitness and ESA for alerting purposes?
Thanks
2016-01-26 02:53 PM
Within the NetWitness Database (NWDB) you have the "contains" operator available for you to use:
device.type='XYZ' && action contains 'insert' || action contains 'select'
You can tack on any number of conditions you need.
2016-01-26 03:22 PM
Yeah,
this is working for me.
However, the issue I'm facing lies in the fact that I want to filter those logs that contain a specific field in the action meta key, like a table called 'audit' or 'xyz', wherein my action key has meta values like:
select * from ..., update from ..., insert to ...
How can I get contains to work with such complex statements to tack on the desired value?
I tried this in NetWitness with no success, and even in ESA the action meta key is of type array and is not giving the desired output either.
2016-01-27 12:40 PM
How can I use this in the NetWitness or ESA rule, and in which field do I need to insert it:
SELECT * FROM Event WHERE action.anyOf(i => i.contains("select * from tablespace"))
And what does Event refer to?
2016-01-28 08:44 AM
The syntax to use within the ESA is exactly as specified above:
SELECT * FROM Event WHERE action.anyOf(i => i.contains("This is your value to query"))
The above searches the action array for the value you choose. You would have to create an advanced ESA rule for this though as we are writing the EPL ourselves.
The "Event" is basically the stream name into which all metadata from the Concentrators is pushed; that's why we are specifying "SELECT * FROM Event", as we want to query everything.
Try searching the SA documentation website for further information:
There is also an Esper reference guide available here:
Under the hood of the ESA, it is using Esper which utilises a language called EPL. This reference guide may assist with a deeper understanding of this.
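The matching that Lee's anyOf/toLowerCase explanation and the Event stream answer above describe, modelled in Python over constructed sample events so the behaviour can be checked offline before writing the rule. This is an added example, not code from the thread or from RSA: `rule_contains`, `rule_table`, `target_table`, the sample events and the underscore-style meta key names quoted in the docstring are assumptions for illustration, and ESA itself evaluates EPL, not this module.

```python
"""Python model of the matching the thread describes, run over constructed
sample events. Added example, not ESA or NetWitness code: it reproduces the
semantics of action.anyOf(i => i.toLowerCase().contains("...")) so a rule
can be reasoned about offline.

Assumed advanced-rule form it mirrors (meta keys written with underscores,
as ESA advanced rules are assumed to expect; check against your deployment):

    SELECT * FROM Event
    WHERE device_type = 'XYZ'
      AND action.anyOf(i => i.toLowerCase().contains("audit"))
"""
import re

# Patterns that pull the target table out of the statement shapes named in
# the thread (select ... from T, update T, insert into T) plus delete.
# Enough for the sample data; a real SQL grammar is broader.
TABLE_PATTERNS = [
    re.compile(r"^\s*select\b.*?\bfrom\s+([\w.$]+)", re.I | re.S),
    re.compile(r"^\s*update\s+([\w.$]+)", re.I),
    re.compile(r"^\s*insert\s+into\s+([\w.$]+)", re.I),
    re.compile(r"^\s*delete\s+from\s+([\w.$]+)", re.I),
]


def target_table(statement):
    """Return the lower-cased table a statement operates on, or None."""
    for pattern in TABLE_PATTERNS:
        match = pattern.match(statement)
        if match:
            return match.group(1).lower()
    return None


def any_of(values, predicate):
    """Esper's array.anyOf(i => ...): true if the lambda holds for at least
    one element. An empty array (no action meta) never matches."""
    return any(predicate(value) for value in values)


def rule_contains(event, device_type, needle):
    """The substring rule the thread settles on: case-folded contains over
    every element of the action array, gated on device.type."""
    if event.get("device.type") != device_type:
        return False
    needle = needle.lower()
    return any_of(event.get("action", []), lambda s: needle in s.lower())


def rule_table(event, device_type, table):
    """Stricter variant for the 'any statement on the audit table' case:
    parse the target table out of each statement, so 'audit' appearing in
    a column name or in another table's name does not fire the alert."""
    if event.get("device.type") != device_type:
        return False
    table = table.lower()
    return any_of(event.get("action", []),
                  lambda s: target_table(s) == table)


# Constructed sample events; action is a list because the meta key is an array.
SAMPLE_EVENTS = [
    {"id": "e1", "device.type": "XYZ", "action": ["select * from audit"]},
    {"id": "e2", "device.type": "XYZ", "action": ["UPDATE Audit SET flag = 1"]},
    {"id": "e3", "device.type": "XYZ", "action": ["insert into audit_archive values (1)"]},
    {"id": "e4", "device.type": "ABC", "action": ["select * from audit"]},
    {"id": "e5", "device.type": "XYZ", "action": ["select audit_flag from users"]},
    {"id": "e6", "device.type": "XYZ", "action": []},
    {"id": "e7", "device.type": "XYZ", "action": ["commit", "delete from AUDIT where id = 1"]},
]


def evaluate(events, rule, device_type, value):
    """Return the ids of the events a rule would alert on."""
    return [event["id"] for event in events if rule(event, device_type, value)]


if __name__ == "__main__":
    print("contains:", evaluate(SAMPLE_EVENTS, rule_contains, "XYZ", "audit"))
    print("table:   ", evaluate(SAMPLE_EVENTS, rule_table, "XYZ", "audit"))
```

Running it shows the difference the thread is circling: the contains form also fires on `audit_archive` and on a column named `audit_flag` (e3, e5), while the table-parsing form fires only on statements whose target table is `audit` (e1, e2, e7), and neither fires on an event whose action array is empty (e6). The EPL equivalent of `rule_table` would need a regular expression inside the lambda rather than contains.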
2016-01-29 04:40 AM
There is also some great training on ESA and ESPER available through the education web site.
You need to create an EMC Education Account, which I have explained in the attached instructions.
The courses that may be of interest are:
Course | Course Code |
---|---|
RSA Security Analytics Introduction to ESA | RSA ED SA INTROESA410 |
RSA Security Analytics ESA EPL Rules | RSA ED SA EPLRLS410 |
Troubleshooting Security Analytics ESA Rules | RSA ED SA TRBLSHTGESA410 |
I found these courses very useful.
2016-01-29 05:18 AM
Thanks man
I will check it out (I already have an EMC account), but I suppose these are paid e-learning courses?
Can you share some free documentation or videos? It would be much appreciated.
Regards,
HANI