Hello David,
At the last week I met Nikolay Klender an he showed me some interesting ESA rule. I would like optimize it but my aircraft wait me for boarding to travel to warm country. 🙂
Could you look on rules below and maybe you have any ideas how those can use more usefull?
Nikolay Klender invented very useful behavior rules like:
- If volume of event abnormal increase a normal count of events - alert:
@Name('CiscoEventPer5Second-insert')
insert into CiscoDeviceEventPer5Second
select device_ip,msg_id, count(*) as cnt5sec
from Event(device_type='ciscoasa'
).win:time_batch(5 second)
group by device_ip,msg_id;
@RSAAlert
@Name('ASA-EventsFastIncrease')
select device_ip,msg_id, avg(cnt5sec) as avg60, cnt5sec as Count5
from CiscoDeviceEventPer5Second().win:time(60 seconds)
group by device_ip,msg_id
having avg(cnt5sec)>10 AND cnt5sec > avg(cnt5sec) * 10
output first every 15 min;
- an user have profile location/providers what he use to connect through VPN. If appear new location/provider and increase up to 97% of all connections from this user - alert:
create window loginProfileASN.win:keepall()
(login string,param string,value string,v_count long)
ON EVENT() e
MERGE loginProfileASN p
where p.login=e.login and p.value=(e.geoip('asn')).toString()
when not matched
then insert select login,'ASN' param, geoip('asn') value,1L v_count
when matched
then update set p.v_count = p.v_count+1
create window loginProfileTotal.win:keepall()
(login string,param string,total long)
ON EVENT() e
MERGE loginProfileTotal p
where p.login=e.login
when not matched
then insert select login,'ASN' param, 1L total
when matched
then update set p.total = p.total+1
SELECT e.login,e.geoip('asn') asn, e.src_ip,
- v.v_count count,t.total, cast((100-100*v.v_count/t.total),int) score
FROM event().std:lastevent() e, loginProfileASN v,
loginProfileTotal t
where v.login=e.login and v.value=(e.geoip('asn')).toString()
and t.login = e.login
and (100-100*v.v_count/t.total)>97
