This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Esa Time Netwitness 11.3

LucaBernabei
Contributor
Contributor

‎2020-04-24 06:07 AM

Hello,

before Netwitness 11.3, we were using the meta "esa.time" in some correlation rules with Esper Date-Time Methods.

After upgrading to version 11.3+ we noticed that the "esa.time" does no longer exists and of course our old rules were no longer deployed.

Is this meta deprecated or replaced with something else?

Thanks

 

Luca

0 Likes
1 REPLY 1

RohitUnnikrishn
Beginner
Beginner

‎2020-05-05 10:15 AM

Hello Luca,

 

I would like to understand your usage of the meta "esa.time" within your rules before recommending anything, but the way we define various timestamps wrt the meta are as follows -

  1. The meta "esa.time" is used to refer the time when ESA analyzed the event.
  2. The meta "event.time" is the time when the event actually occurred, ie, timestamp in log.
  3. The meta "time" is when the decoder captured it.

If you would like to use actual event time, you should set your "timeFieldMeta" to "time" or "event.time" whichever you prefer based on the rules. If you didn't, then use-event-time would be set to false, whereby it uses ESA aggregation time "esa.time" for analysis.

 

Hope this helps.

 

Thanks.

Rohit

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.