This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Help Required -Rule syntax.

Go to solution
MathewsMax
Beginner
Beginner

‎2016-02-25 06:29 AM

Hi I am trying to crate a rule which will fire an alert once 3+ events for a single host is detected within 4hr span. Instead It keeps firing every 3rd event from the host.  I am trying the below syntax.

 

 

@RSAAlert (oneInSeconds=0, identifiers={"alias_host"})

 

 

SELECT * FROM

Event(

   (

     medium = 32

     AND

     device_type='entercept'

     AND

     alias_host IS NOT NULL

   )

).win:time(14400 sec)

 

 

match_recognize(

partition by alias_host

measures A as a

pattern (A A A A+)

 

 

define

 

 

A as A.alias_host IS NOT NULL

 

 

);

 

Can I please get the proper syntax or some suggestions to get it done?  Thanks in advance.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions
4 REPLIES 4

Go to solution
DavidWaugh1
Employee
Employee

‎2016-02-25 10:06 AM

Hello

 

I'd try your rule out on the Epser Try Out page here:

EsperTech Esper EPL Online

 

In the EPL Box enter the following:

create schema Event(medium int,device_type string,alias_host string);

 

 

@Name('Out') select * from Event;

@Name('MyAlert' )SELECT * FROM

Event(

  (

    medium = 32

    AND

    device_type='entercept'

    AND

    alias_host IS NOT NULL

  )

).win:time(14400 sec)

 

match_recognize(

partition by alias_host

measures A as a

pattern (A A A A+)

 

define

 

A as A.alias_host IS NOT NULL

 

);

 

In the Enter Sequence of Events, enter:

 

Event={medium=32,device_type='entercept',alias_host='a'}

t=t.plus(5 seconds)

Event={medium=32,device_type='entercept',alias_host='a'}

t=t.plus(5 seconds)

Event={medium=32,device_type='entercept',alias_host='a'}

t=t.plus(5 seconds)

Event={medium=32,device_type='entercept',alias_host='a'}

t=t.plus(5 seconds)

Event={medium=32,device_type='entercept',alias_host='a'}

t=t.plus(5 seconds)

 

I tried this and your syntax looks correct in that the alert will fire on the fourth alert:

At: 2001-01-01 08:00:20.000

  • Insert
    • MyAlert-output={a=[{device_type='entercept',alias_host='a',medium=32},{device_type='entercept',alias_host='a',medium=32},{device_type='entercept',alias_host='a',medium=32},{device_type='entercept',alias_host='a',medium=32}]}

 

For me your alert will fire every four events.

When do you not want the alert to fire - eg is this only after 4 matches and then it should remain quiet for a period of time?

Go to solution
MathewsMax
Beginner
Beginner
In response to DavidWaugh1

‎2016-03-03 08:48 AM

Hi David,

 

Thanks for the reply and EPL Online Link. I want the alert to be fired once in 4 hours when there are more than 3 matches. It should remain quiet for the next 4 hours.  If there are any matches after 4 hours since the first alert,another alert is to be fired.

 

Regards,
Mathews

0 Likes

Go to solution
MathewsMax
Beginner
Beginner
In response to DavidWaugh1

‎2016-03-03 08:49 AM

Thanks David. And sorry for the late reply.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.