2019-02-11 10:29 AM
Hi!
I'm trying to write an ESA alert to trigger under the following conditions:
ESA receives an event from device_type = 'device' and a user_src is 'username' with a meta = 'cond01' or meta = 'cond02'... this event also has a "number" meta, and NO event with the following conditions arrives at ESA within 20 seconds: device_type = 'device' and meta = 'cond03' and the same number as the first event. The rule is as follows:
@Name('Test Rule')
@RSAAlert(oneInSeconds=0)
SELECT * FROM pattern
[Every a = Event(
  (device_type.toLowerCase() IN ( 'device' ) AND user_src.toLowerCase() IN ( 'username' ) AND meta.toLowerCase() IN ( 'cond01' , 'cond02' ) ) )
  -> (timer:interval(20 seconds) and not Event(device_type.toLowerCase() IN ( 'device' ) AND number= a.number AND meta.toLowerCase()='cond03'))];
The rule works fine, but it aggregates all the events within the same alert, and I need one alert for each time that the first event is matched (the device produces several first conditions with different "number").
Sorry if I'm not clear, but I'm a little lost with this.
2019-02-11 11:32 AM
Hey Max,
Try the following code:
@Name('Test Rule')
INSERT INTO alertStream
SELECT * FROM pattern @SuppressOverlappingMatches
[Every(a = Event(device_type.toLowerCase() IN ( 'device' ) AND user_src.toLowerCase() IN ( 'username' ) AND meta.toLowerCase() IN ( 'cond01' , 'cond02' ) ) )
-> (timer:interval(20 seconds) and not Event(device_type.toLowerCase() IN ( 'device' ) AND number= a.number AND meta.toLowerCase()='cond03'))];
@RSAAlert
SELECT * FROM alertStream
This will insert the alerts into a temporary stream which we then select from. This should mean each alert will not be aggregated together, but instead, be an individual alert.
Cheers,
Lee
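An added example, not code from the original thread and not Esper or RSA NetWitness code: a small Python model of the detection logic that Lee's rule expresses, replayed over a constructed event list so the expected alert count can be checked offline before the rule is deployed. It emits one alert per first event (cond01/cond02 from device_type 'device' and user_src 'username') that is not followed by a cond03 event from 'device' with the same number within 20 seconds. The field names and values are those from the thread; the half-open 20-second window and the choice to cancel every pending match for a number when its cond03 arrives are modelling assumptions, not a statement of Esper's exact timer semantics.

```python
"""Offline model of the 'first event with no cond03 within 20 s' ESA rule.

Added example: replays events in timestamp order and returns one alert per
qualifying first event whose 20-second window closes without a matching cond03.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

WINDOW_SECONDS = 20.0  # the timer:interval(20 seconds) in the rule


@dataclass(frozen=True)
class Event:
    ts: float          # event time in seconds (constructed, not a real ESA timestamp)
    device_type: str
    user_src: str
    meta: str
    number: str


def is_first_event(e: Event) -> bool:
    """The 'a = Event(...)' side of the pattern."""
    return (e.device_type.lower() == 'device'
            and e.user_src.lower() == 'username'
            and e.meta.lower() in ('cond01', 'cond02'))


def is_completion_event(e: Event) -> bool:
    """The 'not Event(...)' side; number is compared against each pending match."""
    return e.device_type.lower() == 'device' and e.meta.lower() == 'cond03'


def evaluate(events: Iterable[Event], end_ts: Optional[float] = None) -> List[Event]:
    """Return the first events that timed out without a matching cond03.

    Each first event opens its own window (like 'every a = ...'), so several
    numbers can be pending at once and each fires its own alert. end_ts is the
    replay cut-off; windows still open at end_ts are not alerted. Assumption:
    the window is [ts, ts + 20), so a cond03 at exactly ts + 20 is too late.
    """
    ordered = sorted(events, key=lambda ev: ev.ts)
    if end_ts is None:
        end_ts = (ordered[-1].ts if ordered else 0.0) + WINDOW_SECONDS
    pending: List[Event] = []
    alerts: List[Event] = []

    def expire(now: float) -> None:
        nonlocal pending
        alerts.extend(p for p in pending if now - p.ts >= WINDOW_SECONDS)
        pending = [p for p in pending if now - p.ts < WINDOW_SECONDS]

    for e in ordered:
        expire(e.ts)                       # timers that fired before this event
        if is_completion_event(e):
            # cond03 cancels every pending match carrying the same number
            pending = [p for p in pending if p.number != e.number]
        if is_first_event(e):
            pending.append(e)              # open a new window for this number
    expire(end_ts)
    return alerts


def alert_numbers(events: Iterable[Event], end_ts: Optional[float] = None) -> List[str]:
    """Convenience view: the 'number' meta of each alert, in firing order."""
    return [a.number for a in evaluate(events, end_ts)]


# Constructed sample stream (not real device output).
SAMPLE_EVENTS = [
    Event(0.0, 'device', 'username', 'cond01', '1001'),   # cond03 at t=5: no alert
    Event(5.0, 'device', 'username', 'cond03', '1001'),
    Event(10.0, 'device', 'username', 'cond02', '1002'),  # never completed: alert
    Event(12.0, 'device', 'username', 'cond01', '1003'),  # cond03 only at t=40: alert
    Event(15.0, 'device', 'otheruser', 'cond01', '1004'), # user_src mismatch: ignored
    Event(20.0, 'device', 'username', 'cond01', '1005'),  # cond03 for another number: alert
    Event(25.0, 'device', 'username', 'cond03', '9999'),
    Event(40.0, 'device', 'username', 'cond03', '1003'),
]

if __name__ == '__main__':
    for a in evaluate(SAMPLE_EVENTS):
        print(f"alert: number={a.number} first seen at t={a.ts}")
```

Running the module prints three alerts, one each for numbers 1002, 1003 and 1005; the cut-off argument lets you check what would have fired part-way through the stream (for example, with the first four events and end_ts=32 only 1002 and 1003 have timed out).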
2019-02-11 12:23 PM
Thank you so much, Lee! It worked exactly like I need!
The only thing that worries me is how far I was from the rule I needed.
How did you get to that kind of structure in the rule? Is there any documented case, or was it the magic that experience brings?
2019-02-11 12:39 PM
Hey Max,
No problem!
No documented case, it comes from understanding Esper's Processing Model and how it handles and delivers events: http://esper.espertech.com/release-5.4.0/esper-reference/pdf/esper_reference.pdf - Chapter 3 goes over this in depth; that being said, experience helps of course!
I would also suggest playing around with Esper's Tryout Tool to better understand these concepts as well if you haven't been already: EsperTech Esper EPL Online
Cheers,
Lee