2018-07-17 12:02 PM
I am attempting to get this alert working to detect when a client site's VLC stops sending logs or something wrong just happens.
The rule is similar to the "no log traffic found from device" one. I have the time set very low currently for testing, but the alert never seems to want to populate. I am clearly doing something wrong, or lc_cid is not actually passed to ESA.
/*
Version: 3
*/
module logcollectordown;
@Name('logcollectordown')
@RSAAlert(oneInSeconds=0)
SELECT * FROM pattern
  [every a = Event(
      (lc_cid.toLowerCase() IN ('devicename')) and medium = 32)
   -> (timer:interval(60 seconds) and not Event((lc_cid.toLowerCase() = a.lc_cid.toLowerCase()) and medium = 32))];
2018-07-17 12:09 PM
Check the ESA schemes under Settings of ESA and validate you are seeing the meta key.
2018-07-17 12:10 PM
I do see lc_cid there. I also checked other ESA alerts that are firing, and lc_cid is in the JSON response when looking from the Respond interface.
2018-07-17 03:06 PM
I have modified the alert a bit. So far, however, it is not working in NetWitness, but it does work on EsperTech Esper EPL Online.
SELECT * FROM pattern
  [every a = Event((lc_cid in ('logcollectorname')))
   -> (timer:interval(120 seconds) and not Event((lc_cid = a.lc_cid)))];
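To make the behaviour of the two patterns above easier to reason about outside of ESA, here is an added Python simulation (not code from the thread or from RSA NetWitness) that applies the same "event from a watched collector, followed by N seconds with no further event from that collector" logic to a constructed event stream. The collector names, timestamps and the non-log medium value in the sample are invented; the log medium value 32 and the lc_cid meta key are taken from the rule in the thread. The simulation assumes Esper's usual semantics for this pattern: every matching event arms its own timer, and a later event from the same collector disarms any timer still pending.

```python
"""Simulation of the 'log collector went quiet' ESA pattern over constructed events.

Added example: mirrors the EPL in the thread, it is not NetWitness or Esper code.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

LOG_MEDIUM = 32  # medium value for log events, as used by the rule in the thread


@dataclass(frozen=True)
class Event:
    ts: float       # seconds on a constructed clock
    lc_cid: str     # collector id meta key (lc_cid)
    medium: int


def detect_silent_collectors(events: Iterable[Event], watched: Set[str],
                             interval: float, now: Optional[float] = None
                             ) -> List[Tuple[float, str]]:
    """Return (alert_time, lc_cid) pairs, one per silence gap.

    Mirrors:
        every a = Event(lc_cid in (...) and medium = 32)
          -> (timer:interval(N) and not Event(lc_cid = a.lc_cid and medium = 32))

    Each matching event arms an N-second timer for its collector; a later event
    from the same collector that arrives before the timer expires disarms it
    (the `not` guard). Only the most recent timer per collector can ever fire,
    so keeping a single deadline per lc_cid is equivalent to Esper's behaviour.
    Comparison is case-insensitive, like the toLowerCase() variant of the rule.
    """
    watched_lower = {w.lower() for w in watched}
    pending: Dict[str, float] = {}
    alerts: List[Tuple[float, str]] = []

    def fire_due(t: float) -> None:
        # Timers whose deadline has passed by the time the clock reaches t fire,
        # in deadline order, before anything that happens at t is processed.
        due = sorted((d, cid) for cid, d in pending.items() if d <= t)
        for deadline, cid in due:
            del pending[cid]
            alerts.append((deadline, cid))

    for ev in sorted(events, key=lambda e: e.ts):
        fire_due(ev.ts)
        if ev.medium != LOG_MEDIUM:
            continue                      # not a log event: the filter drops it
        cid = ev.lc_cid.lower()
        if cid not in watched_lower:
            continue                      # not a collector the rule watches
        pending[cid] = ev.ts + interval   # disarm the old timer, arm a fresh one
    if now is not None:
        fire_due(now)                     # advance the clock past the last event
    return alerts


# Constructed sample stream: one watched collector, one unrelated collector,
# and one non-log event (medium 8 is an arbitrary non-log value for the demo).
SAMPLE_EVENTS = [
    Event(0.0, "devicename", LOG_MEDIUM),
    Event(30.0, "devicename", LOG_MEDIUM),     # re-arms: deadline moves to 90
    Event(50.0, "otherdevice", LOG_MEDIUM),    # ignored: not in the watched set
    Event(70.0, "DeviceName", 8),              # ignored: not a log event
    Event(200.0, "devicename", LOG_MEDIUM),    # arrives after the 90 s deadline
    Event(220.0, "devicename", LOG_MEDIUM),    # re-arms: deadline moves to 280
]


def sample_alerts(now: Optional[float] = 1000.0) -> List[Tuple[float, str]]:
    """Run the simulation on the constructed stream with a 60 s interval."""
    return detect_silent_collectors(SAMPLE_EVENTS, {"devicename"}, 60.0, now=now)


if __name__ == "__main__":
    for when, cid in sample_alerts():
        print(f"{when:7.1f}s  collector {cid!r} silent for 60 s")
```

Two things the simulation makes visible that the EPL hides: a collector that never sends a single matching event never arms a timer, so the rule cannot alert on a source that was silent from the start (a separate heartbeat or inventory check is needed for that case), and the alert is raised exactly `interval` seconds after the collector's last event, not when the next event finally arrives.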
2018-07-17 03:51 PM
Apparently I had some issues with the authentication file on the backend of ESA. Had to redo all systems as sources and it was able to work.