NetWitness Community

MohdSaadKhan · ‎2016-03-08

I am building virus outbreak alert i.e. "A single virus hitting multiple IPs or hosts in a particular moment of time" through rule builder but failed to get alert to trigger, I think making mistake in rule building.

Can anyone tell how to build it in rule builder or in Advanced EPL.

PaulThornton · ‎2016-04-18

Hi Mohd,

I see you haven't had any responses to this question as yet, were you able to get your virus outbreak alert configured?

Regards

Paul Thornton

RSA Social Engagement Manager

MohdSaadKhan · ‎2016-04-18

I was trying to build this rule on esa. I haven't got any answer on this yet.

While cresting this rule I want to store the different IPs for single Virus in rule builder but failed to do so.

DavidWaugh1 · ‎2016-04-18

Hi paste the following into an advanced ESA Rule:

SELECT * FROM Event(

/* Statement: Virus Found */

(virusname IS NOT NULL AND ip_src IS NOT NULL)

).std:groupwin(ip_src,virusname).win:time(3600 seconds).std:firstunique(ip_src,virusname) retain-intersection

This will output the first unique values of each Virusname and IP src pair. If the same Virusname and IP_SRC combination occur within an hour (3600 seconds) then it will be suppressed.

MohdSaadKhan · ‎2016-04-18

I want same virus at different/unique ip source, so in that case do I have to use groupwin(virusname) and firstunique(ip_src) ?

DavidWaugh1 · ‎2016-04-18

It's a lot more complicate to get a list of IP_SRC addresses for each Virusname. This would require more advanced Esper programming. The rule above will alert you whenever a new (or within the last 3600 seconds) a new virusname and ip_src is seen.

NetWitness Community

How to build ESA Alert for the Virus Outbreak