This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

ESA Rule Builder - 'Occurs' count quirks

Go to solution
VishamRawat
Beginner
Beginner

‎2018-10-11 09:34 AM

Okay, I'm not sure if anybody else has noticed or experienced this - but the 'Occurs' count for an RSA SA ESA rule has a limit of 100!

Is this true?

 

I've set the 'Occurs' to count 150/200/500 events, but the alert is always generated on 100 events. Is this a known quirk, or something unknown or unique to my environment, for some reason?

 

If I go below 100, to about 90 - it works proper, counting only 90 occurrences.

 

Let me know if anybody's experienced this, or if it has a workaround.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
MohammedMustafa
Frequent Contributor Frequent Contributor
Frequent Contributor

‎2018-10-11 09:45 AM

Hi Visham,

 

You see only 100 events in a triggered alert is because of the limit configured in Admin->Services->ESA(service)->Config->Advanced->Max constituent events.

 

"For rules that contain multiple events, this configuration value determines how many of the associated events are preserved. For example, if a rule fires an alert with 200 associated events and this parameter is set to 100, only the first 100 are preserved by ESA, the rest are dropped. The default value is 100".

 

I would not suggest to increase this count because all the 100 events ( Or whatever you configure) will be preserved in database & it does not get much useful as your alert fired says that your defined condition has matched. And i think 100 events in alert view are already Proof enough.

 

Hope it helps.

Thanks
Mohammed Mustafa

View solution in original post

3 REPLIES 3

Go to solution
MohammedMustafa
Frequent Contributor Frequent Contributor
Frequent Contributor

‎2018-10-11 09:45 AM

Hi Visham,

 

You see only 100 events in a triggered alert is because of the limit configured in Admin->Services->ESA(service)->Config->Advanced->Max constituent events.

 

"For rules that contain multiple events, this configuration value determines how many of the associated events are preserved. For example, if a rule fires an alert with 200 associated events and this parameter is set to 100, only the first 100 are preserved by ESA, the rest are dropped. The default value is 100".

 

I would not suggest to increase this count because all the 100 events ( Or whatever you configure) will be preserved in database & it does not get much useful as your alert fired says that your defined condition has matched. And i think 100 events in alert view are already Proof enough.

 

Hope it helps.

Thanks
Mohammed Mustafa

Go to solution
VishamRawat
Beginner
Beginner
In response to MohammedMustafa

‎2018-10-11 10:36 AM

Hi Mohammed,

 

Thanks for that info. Makes sense.

Quick question though - while only the first 100 are preserved, all 200 are counted for the match right?

0 Likes

Go to solution
MohammedMustafa
Frequent Contributor Frequent Contributor
Frequent Contributor
In response to VishamRawat

‎2018-10-11 12:34 PM

Hi Visham,

 

Yes, all 200 will be counted for Match.

Thanks
Mohammed Mustafa
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.