2016-08-11 10:58 AM
Hi All,
How do I apply/use the "distinct" parameter in ESA rule format if I need to have an alert created for a particular source connection IP only, as per a threshold time? I tried using the unique parameter but it didn't suffice for my requirement.
RSA SA version: 10.3.5
Need help.
2016-08-11 11:05 AM
Here is the syntax I use for suppressing events using the same operation id within 10,000 seconds:
/*Module debug section. If this is empty then debugging is off.*/
/* EPL section. If there is no text here it means there were no statements. */
module Module_XYZ;
@Name('MODULE-XYZ')
@Description('Cool ESA Alert')
@RSAAlert(oneInSeconds=0)
SELECT * FROM pattern [every-distinct(a.operation_id, 10000 sec) (a=Event(device_type IN ( 'sampleDevice' ) AND operation_id is not null AND event_desc IN ( 'sample description' )))]
2016-08-11 06:11 PM
It sounds like you want to group/thread specific alert criteria by a variable, in this case source IP addresses within a certain window of time.
Perhaps using 'GROUP BY' will meet your requirement, rather than the "unique" or "distinct" parameters.
The syntax below is an example of creating an alert for failed logon criteria and grouping the alert by source IP address, specifically where the count of failed logon events is greater than 5 in a window of 5 minutes. The count parameter here is optional, but it may come in handy for alerts grouped by source IP address.
@RSAAlert(oneInSeconds=0)
SELECT * FROM
Event(user_dst IS NOT NULL AND ip_src IS NOT NULL AND event_cat_name = 'User.Activity.Failed Logins').win:time(5 min)
GROUP BY ip_src HAVING COUNT(*) > 5
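Added illustration, not ESA/EPL code and not part of either reply: a small Python model of how the two approaches in this thread behave on the same failed-logon stream, so the difference between "suppress repeats per IP" (every-distinct) and "count per IP in a window" (GROUP BY ... HAVING) is visible. It assumes, as a simplification, that every-distinct keeps a key value silent for the expiry period measured from its first firing, and that the grouped count is evaluated on every arriving event; the sample events are constructed.

```python
from collections import defaultdict, deque

# Constructed sample stream of failed-logon events: (seconds, ip_src, user_dst).
# One source IP fails repeatedly inside 5 minutes, then again much later.
FAILED_LOGINS = [
    (0, "10.0.0.5", "alice"), (30, "10.0.0.5", "alice"), (60, "10.0.0.5", "bob"),
    (90, "10.0.0.5", "bob"), (120, "10.0.0.5", "carol"), (150, "10.0.0.5", "carol"),
    (180, "10.0.0.5", "dave"), (200, "10.0.0.9", "alice"), (700, "10.0.0.5", "alice"),
]

def by_ip(event):
    """Key function: thread alerts by ip_src (the second field)."""
    return event[1]

def every_distinct(events, key, expiry_sec):
    """Model of pattern [every-distinct(a.<key>, expiry sec) a=Event(...)]:
    fire on the first event per key value, then stay silent for that value
    until expiry_sec has passed since it last fired (assumed semantics)."""
    last_fired = {}
    alerts = []
    for ev in events:
        ts, k = ev[0], key(ev)
        if k not in last_fired or ts - last_fired[k] >= expiry_sec:
            last_fired[k] = ts
            alerts.append(ev)
    return alerts

def grouped_count(events, key, window_sec, threshold):
    """Model of Event(...).win:time(window) GROUP BY <key> HAVING COUNT(*) > threshold:
    on each arriving event, drop events older than the window for that key,
    then emit if the key's count now exceeds the threshold."""
    window = defaultdict(deque)
    alerts = []
    for ev in events:
        ts, k = ev[0], key(ev)
        q = window[k]
        q.append(ts)
        while q and ts - q[0] >= window_sec:
            q.popleft()
        if len(q) > threshold:
            alerts.append(ev)
    return alerts

def one_alert_per_ip(events, window_sec=300, threshold=5, expiry_sec=600):
    """Combine both: threshold the grouped count, then suppress repeat alerts per IP."""
    return every_distinct(grouped_count(events, by_ip, window_sec, threshold), by_ip, expiry_sec)
```

Running the three functions over FAILED_LOGINS shows that the grouped count alone alerts on every event past the fifth for the same IP, while the combined form reduces that to one alert per IP per expiry period.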