2019-08-08 10:19 AM
How can I write a rule w/reference ID 4741 FOLLOWED BY reference ID 5139?
2019-08-08 05:09 PM
Hi Roger-
I was able to complete this in the Rule Builder section of the UI. I have posted screenshots below for comparison. Please note this was built in 11.3.1.
Access your rule library (Configure > ESA Rules > Rule Library) and add a new rule ('+' icon, click on Rule Builder).
Give your rule a pertinent name
Keep Trial Rule selected - RSA best practice
In your Conditions, create two statements:
Statement 1: I set the name as Event ID 4741 (use whatever you want), select if all conditions are met and enter the following for your meta conditions: reference_id is 4741, add a second meta condition and enter ec_outcome is Success, click Save
Statement 2: I set the name as Event ID 5139 (again, use whatever you want), select if all conditions are met and enter the following for your meta condition: reference_id is 5139, click Save. I did not add an ec_outcome (event outcome) to the second statement as the alert would then only fire when there was a successful computer account created followed by a successful object move. You may want to consider this based on your environment.
Once you are back in the main Rule Builder screen, on the first statement, there is a heading labeled Connector. Click in the box and select followed by
New options will appear below your Conditions. You'll have a Group By and Occurs Within. For purposes of building this, I grouped by the first meta condition of reference_id and then set a time window of 5 minutes, however, this value is subject to what makes sense for your environment. In the Event Sequence, I set the value to Strict.
(Completed Rule)
Once this is complete, click on Show Syntax - this will let you know if there are any errors in the rule being built.
This is the syntax for the rule that I just created:
/*
This basic template is a placeholder for defining basic EPL content that can be
installed and executed in ESA. The sample below is the minimum that would be
required to get started.
Version: 5
*/
/*
Module debug section. If this is empty then debugging is off.
*/
/* EPL section. If there is no text here it means there were no statements. */
module Module_5d4c8873e4b07de398f298bc;
@Name('Module_5d4c8873e4b07de398f298bc_Alert')
@Description('')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
/* Statement: Event ID 4741 */
(reference_id IN ( '4741' ) AND ec_outcome IN ( 'Success' ))
OR
/* Statement: Event ID 5139 */
(reference_id IN ( '5139' ))
).win:time(5 Minutes)
MATCH_RECOGNIZE (
PARTITION BY reference_id
MEASURES E1 as e1_data , E2 as e2_data
PATTERN (E1 E2)
DEFINE
E1 as (E1.reference_id IN ( '4741' ) AND E1.ec_outcome IN ( 'Success' )),
E2 as (E2.reference_id IN ( '5139' ))
);
Lastly, you can configure notifications for the alert outside of any incident rules which may already cover Windows Event alerts. You have four notification options - Email, SNMP, Syslog and a Script. You would need to have these already configured under Admin > System > Global Notifications.
Once you are done, click Save and you're ready to deploy the rule to your ESA! This will give you a place to start, and you can follow up with any tuning as the alerts start firing.
Let us know if you have any questions!
Thanks,
Shane Quintard
Sales Engineer - NetWitness
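As an added illustration (not code from the post or from the product), here is a small Python model of the "E1 followed by E2" logic that the generated EPL expresses: only events matching one of the two statements enter the stream, the latest E1 is remembered per partition value, it expires after the 5-minute window, and an alert fires when an E2 arrives in the same partition. Run over constructed sample events it shows why the Group By choice matters: partitioning on reference_id puts the 4741 and 5139 events in different partitions, so the strict sequence can never complete, whereas partitioning on a key both events share (the assumed `account` field here, standing in for whatever meta key carries the computer account name in your environment) does.

```python
from datetime import datetime, timedelta

# Constructed sample events, not taken from the original post. "account" is an
# assumed field standing in for whatever meta key carries the computer account.
SAMPLE_EVENTS = [
    {"time": datetime(2019, 8, 8, 10, 0, 0), "reference_id": "4741", "ec_outcome": "Success", "account": "WS-042$"},
    {"time": datetime(2019, 8, 8, 10, 2, 30), "reference_id": "5139", "ec_outcome": "Success", "account": "WS-042$"},
    {"time": datetime(2019, 8, 8, 10, 3, 0), "reference_id": "4741", "ec_outcome": "Failure", "account": "WS-043$"},
    {"time": datetime(2019, 8, 8, 10, 4, 0), "reference_id": "5139", "ec_outcome": "Success", "account": "WS-043$"},
    {"time": datetime(2019, 8, 8, 10, 10, 0), "reference_id": "4741", "ec_outcome": "Success", "account": "WS-044$"},
    {"time": datetime(2019, 8, 8, 10, 20, 0), "reference_id": "5139", "ec_outcome": "Success", "account": "WS-044$"},
]


def is_e1(ev):
    """Statement 1: reference_id is 4741 and ec_outcome is Success."""
    return ev["reference_id"] == "4741" and ev["ec_outcome"] == "Success"


def is_e2(ev):
    """Statement 2: reference_id is 5139 (no outcome check, as in the post)."""
    return ev["reference_id"] == "5139"


def followed_by(events, partition_key, window=timedelta(minutes=5)):
    """Model of PATTERN (E1 E2) with a strict sequence: per partition value,
    remember the latest E1 and fire when an E2 arrives within the window.
    Returns the partition values that produced an alert, in time order."""
    pending = {}  # partition value -> the E1 event waiting for its E2
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not (is_e1(ev) or is_e2(ev)):
            continue  # FROM Event(...) filter: other events never enter the window
        key = ev[partition_key]
        # win:time(5 Minutes): an E1 older than the window has left the stream
        if key in pending and ev["time"] - pending[key]["time"] > window:
            del pending[key]
        if is_e1(ev):
            pending[key] = ev  # a new E1 restarts the match attempt
        elif pending.pop(key, None) is not None:
            alerts.append(key)  # this E2 completed the sequence
    return alerts


if __name__ == "__main__":
    print("Group By reference_id:", followed_by(SAMPLE_EVENTS, "reference_id"))  # []
    print("Group By account:     ", followed_by(SAMPLE_EVENTS, "account"))  # ['WS-042$']
```

The WS-043$ pair never fires because its 4741 event failed, and the WS-044$ pair never fires because the 5139 arrived 10 minutes after the 4741, outside the window.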