This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

ESA Rule Creation

Sachin
Contributor
Contributor

‎2021-03-05 12:16 AM - edited ‎2021-03-05 12:26 AM

ESA question :

I have 2 events coming in  - 2 events are from different device type with different contents. both arriving within say 5-10 Minutes.
I need to create a rule that matches 5-10 minutes previous event from one device type with the real time event coming from other device type.

Any suggestions will be  helpful, Thanks in advance!

Labels:
0 Likes
2 REPLIES 2

AhmadJabr1
New Contributor
New Contributor

‎2021-03-07 05:57 AM

you can set the time in the rule for 15 min or more, and then set the first rule and use "followed by" the second rule,

 

but this could affect the Memory on the ESA server

 

0 Likes

lukaszczerwonka
Occasional Contributor
Occasional Contributor

‎2021-03-08 07:19 AM

You can try with 'create window' in Advanced EPL

https://community.rsa.com/t5/rsa-netwitness-platform-online/alerting-example-advanced-epl-rules/ta-p/568964

BR Lukasz Czerwonka, Mediarecovery
© 2022 RSA Security LLC or its affiliates. All rights reserved.