This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Grouping events in an ESA to only send 1 email notification

Go to solution
Anonymous
Not applicable

‎2023-10-31 11:16 PM

I have configured the esa alert below to trigger when our Palo Alto Firewalls detect a network scan attempt.

 

The issue is, if say I run a nmap scan, the Palo Alto will generate at least 4 events which results in 4 emails being sent. 

I'd prefer to only have 1 email so I'd like to group the events together say over a 30 second window and then send the alert after that 30 second period. 

 

There may be times when the palo alto generates multiple events so I can't always be sure how many events will be generated hence why I want to alert after that 30 second window.

 

 

SELECT * FROM Event(
/* Statement: Palo Alto Recon Detection */
(device_type IN ( 'paloaltonetworks' ) AND ec_theme IN ( 'tev' ) AND policy_name.toLowerCase() LIKE '%scan%')

Labels:
0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
EduCarbonell
Contributor Contributor
Contributor

‎2023-11-09 07:11 AM - edited ‎2023-11-09 07:12 AM

Another option is to use EPL time window to trigger 1 alert every X time, and combine it with the oneInSeconds syntax, for example:

@RSAAlert(oneInSeconds=60, identifiers={"ip_src"})
@Hint('reclaim_group_aged=120')
SELECT * FROM Event(
    /* Statement: Palo Alto Recon Detection */
    device_type IN ( 'paloaltonetworks' )
    AND ec_theme IN ( 'tev' )
    AND policy_name.toLowerCase() LIKE '%scan%'
).std:groupwin(ip_src)
.win:time(60 seconds)
GROUP BY ip_src
HAVING COUNT(*) >= 3;

That should trigger a single ESA alert (and the corresponding notification) every 60 seconds, grouping by ip.src for the matched conditions (3 or more paloalto scan events).

An alternative syntax using time_length_batch window and combining it with the OUTPUT FIRST syntax:

@RSAAlert
@Hint('reclaim_group_aged=120')
SELECT window(*) FROM Event(
    /* Statement: Palo Alto Recon Detection */
    device_type IN ( 'paloaltonetworks' )
    AND ec_theme IN ( 'tev' )
    AND policy_name.toLowerCase() LIKE '%scan%'
).std:groupwin(ip_src)
.win:time_length_batch(60 seconds, 3)
GROUP BY ip_src
HAVING COUNT(*) >= 3
OUTPUT FIRST EVERY 1 min;

This one uses a batch (or tumbling) window versus the sliding window of the previous one.
 
 

View solution in original post

0 Likes
3 REPLIES 3

Go to solution
JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2023-11-01 02:20 PM

JeremyKerwin,

 

Based on what is in the Alerting with ESA Correlation Rules User Guide (https://community.netwitness.com/t5/netwitness-platform-online/alerting-with-esa-correlation-rules-user-guide-for-11-7/ta-p/654977) on page 93 it talks about using notification suppression to help limit the number of emails the ESA is sending out per alert. Please review this section to see if this is what you are looking for. I am currently not aware of any other way of restricting the email frequency.

0 Likes

Go to solution
EduCarbonell
Contributor Contributor
Contributor

‎2023-11-09 07:11 AM - edited ‎2023-11-09 07:12 AM

Another option is to use EPL time window to trigger 1 alert every X time, and combine it with the oneInSeconds syntax, for example:

@RSAAlert(oneInSeconds=60, identifiers={"ip_src"})
@Hint('reclaim_group_aged=120')
SELECT * FROM Event(
    /* Statement: Palo Alto Recon Detection */
    device_type IN ( 'paloaltonetworks' )
    AND ec_theme IN ( 'tev' )
    AND policy_name.toLowerCase() LIKE '%scan%'
).std:groupwin(ip_src)
.win:time(60 seconds)
GROUP BY ip_src
HAVING COUNT(*) >= 3;

That should trigger a single ESA alert (and the corresponding notification) every 60 seconds, grouping by ip.src for the matched conditions (3 or more paloalto scan events).

An alternative syntax using time_length_batch window and combining it with the OUTPUT FIRST syntax:

@RSAAlert
@Hint('reclaim_group_aged=120')
SELECT window(*) FROM Event(
    /* Statement: Palo Alto Recon Detection */
    device_type IN ( 'paloaltonetworks' )
    AND ec_theme IN ( 'tev' )
    AND policy_name.toLowerCase() LIKE '%scan%'
).std:groupwin(ip_src)
.win:time_length_batch(60 seconds, 3)
GROUP BY ip_src
HAVING COUNT(*) >= 3
OUTPUT FIRST EVERY 1 min;

This one uses a batch (or tumbling) window versus the sliding window of the previous one.
 
 
0 Likes

Go to solution
Anonymous
Not applicable

‎2023-11-14 05:31 AM

Thanks @EduCarbonell  , this is what I was hoping to learn, exactly what I was looking for.

 

@JohnKisner Thanks, I'll certainly look into the limiting of emails for other alerts, in this case the use of the esa alert was what I hoping for.

 

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.