This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How to add newer events to the older alert ESA ?

ShishirKumar1
Beginner
Beginner

‎2018-04-03 05:44 AM

Hi All,

 

I would like help on grouping/aggregation on ESA. When I create a rule with a threshold, the alert triggers for the defined threshold and does not constitute events up and above the defined threshold.

 

For example, let's consider a rule where I am looking for 10 failed login events in 1 minute from the same user. The alert fires when there are 10 such events and the alert shows these 10 events associated with the alert. But if there are more than 10 events from the same user, the count does not go up in the Alert view. I would like to have the exact number of events show in the Alert view in the defined timeline and if there are future events from the same user, they should get added to the same alert and not create a different alert.

 

pastedImage_1.png

 

As you see in the pic above, the alert shows 10 events even though I had injected 15 events or more for each unique user.

 

Is that possible?

 

Also in the alert detailed view, sometimes username does not show even though it is present in the raw log and being parsed. Is there any configuration that needs to be defined for the alert view to be associated with specific meta keys?

0 Likes
3 REPLIES 3

robertofasciani
Beginner
Beginner

‎2018-04-03 08:28 AM

Yes, it is possible. You should use .win:time_batch instead of .win:time_length_batch;

Es:

@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})

SELECT window(*) FROM  
            Event(
                medium = 32
            AND
                ec_activity='Logon'
            AND
                ec_outcome='Failure'
            AND
                user_dst IS NOT NULL
            ).std:groupwin(user_dst).win:time_batch(60 seconds)

group by user_dst

having count >= 10;

0 Likes

ShishirKumar1
Beginner
Beginner
In response to robertofasciani

‎2018-04-03 09:51 AM

Hi Roberto,

 

When I used .win:time_batch, I got all the events together even though they were from different users. What I am looking for is different alerts from different users but the number of associated events to have the actual event count in the specified time (up and above the threshold defined in the rule if that is the case).

 

For example, a rule can be defined to alert if there are 20 login failures in a minute but if there were 40 login failures from the same user, they all should be included in the alert in the specified time frame. Also the alert should fire as soon as the threshold is breached and continue to update the associated events that match the criteria even after the alert has been generated.

 

Is that possible?

0 Likes

robertofasciani
Beginner
Beginner
In response to ShishirKumar1

‎2018-04-03 11:22 AM

Hi Shishir, If you use

SELECT * FROM event ( <filter> )

.std:groupwin(user_dst).win:time_batch(60 seconds)

 group by user_dst

having count (user_dst) >= 20;

 

you will get different alerts from differet use.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.