2021-07-14 02:21 PM
Dear Community,
I'm trying to write an ESA rule to trigger when the customer gets 10 error 500 and 10 error 400 for a Web Service in 5 minutes.
The thing here is, the customer wants the rule to trigger the alert regardless of how the events arrive, for example:
2 x 400 - 2 x 500 - 8 x 400 - 8 x 500 must match and trigger the alert
10 x 400 - 10 x 500 also must match and trigger
1 x 500 - 10 x 400 - 9 x 500 also must match and trigger
I'm totally lost on how to write this alert.
Any help will be very, very much appreciated.
2021-07-22 06:40 AM
Hi Maximiliano,
How about this one?
SELECT window(*) FROM Event(
    device_class = 'Web Logs'
    AND (
        result_code LIKE '4%'
        OR
        result_code LIKE '5%'
    )
)
.std:groupwin(ip_dst)
.win:time(300 sec)
GROUP BY ip_dst
HAVING COUNT(result_code) >= 20
OUTPUT FIRST EVERY 300 seconds;
But be careful because I am just grouping by ip.dst and not by ip.src, so it can trigger a lot of alerts in certain scenarios. You should group by ip.src as well or increase the suppression time (the OUTPUT FIRST clause).
2021-07-22 04:43 PM
Hi EduCarbonell!
Thank you so much for helping with this rule.
The syntax of your rule seems to work if I don't care about the amount of 4xx or 5xx errors. For example, your rule seems to match if there are 20 4xx errors, 10 4xx and 10 5xx, or 20 5xx.
What I'm looking for is a rule that matches if I have:
5 5xx errors
10 4xx errors, no matter how they are ingested by the ESA engine...
For example:
2 5xx
5 4xx
1 5xx
5 4xx
and 2 5xx
I don't know if I'm clear with this.
Once again, thank you so much for your help!
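As an added illustration (not part of the thread, and not an ESA/EPL rule), here is a Python sliding-window detector that implements the requirement described above: 4xx and 5xx are counted independently per (ip_src, ip_dst) inside a 5-minute window, so the alert fires only once both per-class thresholds are reached, whatever the arrival order. The thresholds (10 x 4xx, 5 x 5xx) follow the last post; the sample events, addresses and timestamps are constructed. It also shows why a rule on the combined total (COUNT >= 20) differs: 20 4xx errors alone do not fire here.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=300)          # "in 5 minutes"
THRESHOLDS = {"4xx": 10, "5xx": 5}       # per-class counts from the last post

def classify(result_code):
    """Map an HTTP result code to its error class, None for non-errors."""
    if result_code.startswith("4"):
        return "4xx"
    if result_code.startswith("5"):
        return "5xx"
    return None

class ErrorBurstDetector:
    """Keeps one sliding window per (ip_src, ip_dst) and fires only when
    every class has reached its own threshold inside that window."""
    def __init__(self, window=WINDOW, thresholds=THRESHOLDS):
        self.window, self.thresholds = window, thresholds
        self.windows = {}                # key -> deque of (time, class)

    def ingest(self, event):
        cls = classify(event["result_code"])
        if cls is None:
            return False
        key = (event["ip_src"], event["ip_dst"])
        q = self.windows.setdefault(key, deque())
        q.append((event["time"], cls))
        cutoff = event["time"] - self.window
        while q and q[0][0] < cutoff:    # expire events older than 5 min
            q.popleft()
        counts = {c: sum(1 for _, k in q if k == c) for c in self.thresholds}
        if all(counts[c] >= n for c, n in self.thresholds.items()):
            q.clear()                    # suppress until a fresh window fills
            return True
        return False

def make_events(codes, spacing_sec):
    """Constructed sample events (hypothetical addresses), spacing_sec apart."""
    t0 = datetime(2021, 7, 14, 14, 21)
    return [{"time": t0 + timedelta(seconds=i * spacing_sec), "ip_src": "10.0.0.5",
             "ip_dst": "10.0.0.80", "result_code": c} for i, c in enumerate(codes)]

def alert_positions(codes, spacing_sec=10):
    """Return the 1-based event numbers at which the detector fires."""
    det = ErrorBurstDetector()
    return [i + 1 for i, e in enumerate(make_events(codes, spacing_sec)) if det.ingest(e)]

# The arrival pattern from the thread: 2 5xx, 5 4xx, 1 5xx, 5 4xx, 2 5xx
THREAD_PATTERN = ["500"] * 2 + ["404"] * 5 + ["503"] + ["400"] * 5 + ["500"] * 2
```

With events 10 seconds apart the thread's pattern fires on the 15th event; the same 15 events spread 30 seconds apart never fire, because the oldest ones expire from the window before both thresholds are met.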