2014-09-22 03:19 PM
Hi all,
Our company is trying to take advantage of the new analytics capabilities offered by 10.4 and the Live content. We are developing ESA rules to detect threats based on their category.
For example, a Windows malware category alert needs to fire only if another ESA rule has already fired (some sort of prerequisite). Is there a way to reference the "output" of a rule from within another rule, without copying all the content inside a single element?
Let me know if you have already found other ways around this kind of problem.
2014-09-23 12:45 AM
Good question,
Haven't tried it, but one way can be:
Basically, named windows can be used as temporary tables, watchlists, etc.
Here is some information from the Esper site about what named windows are:
EPL provides the concept of named window. Named windows are data windows that can be inserted-into and deleted-from by one or more statements, and that can be queried by one or more statements. Named windows have a global character, being visible and shared across an engine instance beyond a single statement. Use the CREATE WINDOW clause to create named windows. Use the ON MERGE clause to atomically merge events into named window state, the INSERT INTO clause to insert data into a named window, the ON DELETE clause to remove events from a named window, the ON UPDATE clause to update events held by a named window and the ON SELECT clause to perform a query triggered by a pattern or arriving event on a named window. Finally, the name of the named window can occur in a statement's FROM clause to query a named window or include the named window in a join or subquery.
More details here:
Chapter 5. EPL Reference: Clauses
Note: there might be other ways as well to do the same thing.
- AB
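An added example (not from the post above and not RSA or Esper documentation) sketching how the named-window approach could express the prerequisite relationship from the question: the prerequisite rule records the source host in a shared window, and the dependent rule alerts only when the same host is already present. The `Event` stream, the `ip_src` and `alert_category` fields, the category values, the window name and the `@RSAAlert` annotation are assumptions:

```epl
// Assumed: a 30-minute named window holding hosts for which the
// prerequisite rule already fired. The schema is declared explicitly so
// the window does not depend on any particular event type.
create window PrereqHosts.win:time(30 min) as (ip_src string);

// Prerequisite rule: each matching event adds its source host to the window.
// Entries expire automatically after 30 minutes via the time window.
insert into PrereqHosts
select ip_src from Event(alert_category = 'Suspicious Login');

// Dependent rule: fire the Windows malware alert only if the same host is
// present in the shared window, i.e. the prerequisite rule fired first.
@RSAAlert
@Name('WindowsMalwareWithPrereq')
select e.*
from Event(alert_category = 'Windows Malware') as e
where exists (select * from PrereqHosts as p where p.ip_src = e.ip_src);
```

Both statements must live in the same engine instance (the same ESA module) for the window to be shared, and the 30-minute retention bounds how stale a prerequisite alert may be before the dependent rule ignores it.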