2018-03-27 12:01 PM
The following EPL syntax never alerts in NetWitness Packets despite passing tests on the EsperTech website. I am also able to confirm that valid domains fitting the alert criteria are seen by our NetWitness Packets system. Additionally, replacing the regular expression with an overly broad one (i.e. '[a-z0-9]+') creates tons of alerts.
The alert syntax is looking for long domains broken up by underscores.
SELECT * FROM Event(
( service IN ( 53 ) )
AND
alias_host.anyOf(a=> a regexp '([a-z0-9]+\_){3,}.*')
);
Any suggestions or ideas as to what could be wrong?
2018-03-27 12:37 PM
If you're on version 10.6.4 or newer, you can try the matchRegex function (example #7 here: Alerting: Sample Advanced EPL Rules):
SELECT * FROM Event(
( service IN ( 53 ) )
AND
( matchRegex(alias_host, "([a-z0-9]+\_){3,}.*") )
);
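To sanity-check what the rule above actually selects before deploying it, here is an added Python example that is not part of this thread or of NetWitness: it applies the same pattern and the service = 53 condition to a few constructed events. It assumes that Esper's regexp / matchRegex evaluate the pattern against the whole alias_host value (Java matches() semantics), which is why the trailing ".*" is needed and why a hostname whose underscored runs do not start at the first character does not match; the event dicts and hostnames are made up for the demonstration.

```python
import re

# Pattern from the thread: three or more runs of [a-z0-9] each followed by an
# underscore, then anything. fullmatch() mirrors the assumed whole-string
# semantics of Esper's regexp operator; a plain backslash before "_" is not
# needed in Python, so the underscore is written literally here.
UNDERSCORE_DOMAIN = re.compile(r"([a-z0-9]+_){3,}.*")


def alias_host_matches(alias_hosts):
    """Mirror alias_host.anyOf(a => a regexp ...): True if any value matches."""
    return any(UNDERSCORE_DOMAIN.fullmatch(h) is not None for h in alias_hosts)


def would_alert(event):
    """Apply both rule conditions (service = 53 AND regex) to one event dict."""
    return event.get("service") == 53 and alias_host_matches(event.get("alias_host", []))


# Constructed sample events (not real captures); comments state the expected outcome.
SAMPLE_EVENTS = [
    {"service": 53, "alias_host": ["a1b2_c3d4_e5f6_g7h8.example.com"]},  # 4 runs -> alert
    {"service": 53, "alias_host": ["www.example.com"]},                  # no underscores -> no alert
    {"service": 53, "alias_host": ["x_y.example.com"]},                  # 1 underscore -> no alert
    {"service": 80, "alias_host": ["a1b2_c3d4_e5f6_g7h8.example.com"]},  # not DNS -> no alert
    {"service": 53, "alias_host": ["www.example.com", "q_w_e_r.example.net"]},  # anyOf -> alert
    {"service": 53, "alias_host": ["A1_B2_C3_D4.example.com"]},          # uppercase -> no alert
    {"service": 53, "alias_host": ["www.a_b_c_d.example.com"]},          # runs not at start -> no alert
]


def alerting_hosts(events=SAMPLE_EVENTS):
    """Return the alias_host lists of the events the rule would fire on."""
    return [e["alias_host"] for e in events if would_alert(e)]


if __name__ == "__main__":
    for hosts in alerting_hosts():
        print("ALERT:", hosts)
```

The last two samples are the ones worth noticing: the character class is lowercase-only, so a hostname with uppercase labels is silently skipped, and under whole-string matching the underscored runs must begin at the very first character, so a leading "www." label defeats the rule. If either behaviour is unwanted, prefix the pattern with ".*" or widen the class, then re-run the check.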
2018-03-27 05:12 PM
Thank you Joshua. I am working in that version and your suggestion worked perfectly.