2016-01-25 03:39 PM
Dears,
I intend to create an alert in ESA in which the statement condition is based on action meta.
What I'm looking for is to get this alert triggered for this event:
Given a specific device type, and whenever a user initiates an action statement like:
action meta: select * from tablespace
given that the action key is by default of type array.
How can I achieve this condition in ESA, given that if I use the reporting engine I also cannot rely on contains for this statement?
Your counsel is highly appreciated.
2016-01-29 05:20 AM
Thanks Lee
This needs to be implemented in an advanced ESA rule, right?
Is it possible to make it in a basic ESA rule or a NetWitness alert, just to get going until I'm properly versed in EPL?
Regards,
2016-01-31 09:26 AM
Dear Lee,
I believe this command is to be used in an advanced ESA rule:
SELECT * FROM Event WHERE action.anyOf(i => i.contains("This is your value to query"))
Can you provide something similar to use in a basic ESA rule and in a NetWitness/Warehouse rule for SA 10.4?
Thanks
2016-02-01 11:53 AM
Hey Hani,
For a contains search against the array fields you can only use advanced EPL at the moment, the basic rule builder won't work for this, yet.
If you want to perform a contains search within NetWitness, you can just utilise the contains operator:
alias.host contains 'your value'
For the warehouse where clause:
array_contains(alias_host, 'your value')
Cheers,
Lee
2016-05-04 03:55 AM
Hi Lee,
SELECT * FROM Event WHERE action.anyOf(i => i.toLowerCase().contains("monitor") and device_type IN ('ciscosecureacs'))
I created a rule with the above statement, but it is not working, and I found an error log in ESA as below:
"Expected array-type input from property 'action' but received class java.util.Vector"
Thanks
Owen
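The following is an added Python model of the predicate discussed in Lee's answer and in Owen's attempted rule; it is not code from this thread or from RSA, and EPL itself cannot be run here. It reproduces what `action.anyOf(i => i.toLowerCase().contains("monitor"))` combined with a `device_type IN (...)` filter expresses, over a few constructed events. The field names follow the thread; the sample events and the helper names are assumptions made for the example. It also covers two edge cases a rule author runs into: the meta arriving as a bare string instead of an array, and the meta being absent.

```python
"""Reference model of the array-aware 'contains' predicate from the thread.

Added example, not code from the thread or from RSA. Mirrors the EPL
    action.anyOf(i => i.toLowerCase().contains("monitor"))
combined with a device_type filter. Field names follow the thread; the
sample events below are constructed, not real data.
"""
from typing import Any, Iterable, Mapping


def _as_list(value: Any) -> list:
    """Normalise a meta value to a list. Array meta arrives as a sequence, but a
    single-valued key may arrive as a bare string; a bare string must not be
    iterated character by character, and a missing key must match nothing."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    if isinstance(value, (list, tuple, set)):
        return list(value)
    return [value]


def any_contains(values: Any, needle: str) -> bool:
    """Equivalent of `<array>.anyOf(i => i.toLowerCase().contains(needle))`:
    true if at least one element contains the needle, case-insensitively."""
    needle = needle.lower()
    return any(needle in str(v).lower() for v in _as_list(values))


def rule_matches(event: Mapping[str, Any], needle: str, device_types: Iterable[str]) -> bool:
    """The whole WHERE clause: device_type is in the allowed set AND some
    element of the action array contains the needle."""
    wanted = {d.lower() for d in device_types}
    dev = str(event.get("device_type", "")).lower()
    return dev in wanted and any_contains(event.get("action"), needle)


# Constructed sample events (assumption: not real NetWitness data).
SAMPLE_EVENTS = [
    {"id": 1, "device_type": "ciscosecureacs", "action": ["login", "select * from tablespace"]},
    {"id": 2, "device_type": "ciscosecureacs", "action": ["MONITOR session"]},
    {"id": 3, "device_type": "winevent_nic",   "action": ["monitor session"]},  # wrong device type
    {"id": 4, "device_type": "ciscosecureacs", "action": "monitor"},            # scalar, not array
    {"id": 5, "device_type": "ciscosecureacs", "action": None},                 # meta absent
]


def matching_ids(events: Iterable[Mapping[str, Any]], needle: str, device_types: Iterable[str]) -> list:
    """Ids of the events the rule would fire on, in input order."""
    return [e["id"] for e in events if rule_matches(e, needle, device_types)]


if __name__ == "__main__":
    print(matching_ids(SAMPLE_EVENTS, "monitor", ["ciscosecureacs"]))  # [2, 4]
```

One point the model makes visible: the device-type test is a separate clause ANDed with the array predicate, so in Esper the lambda closes before the `AND`, as in `action.anyOf(i => i.toLowerCase().contains("monitor")) AND device_type IN ('ciscosecureacs')`. The model does not reproduce the `java.util.Vector` type error Owen reports; that concerns how the `action` property is typed on the ESA side, which the thread leaves unresolved.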
2016-05-04 09:26 AM
Hi Hani,
Those eLearning courses should all be free now.
You can find them here: Security Analytics Training
Thanks,
Jeff
2016-05-06 07:08 AM
Hey Owen,
Apologies for the delay. I'll have to perform some testing in my lab and get back to you.
Cheers,
Lee
2016-05-06 07:36 AM
Hi Lee, I think this question was also asked under RSA SA ESA advanced rule contains operator where I tried it out in the ESPER Try Out page.