2021-04-19 10:01 AM
Hi,
I am trying to create a rule that will be triggered if 2 out of 3 events occur in the given time window.
Valid operation: Event1 -> Event2 -> Event3
Incorrect operation that should generate an alarm: Event1 -> Event3.
The problem with this rule is that the events can appear in any random order (123, 132, 231, 321, 312, 13, 31).
The events have a meta that is identical and allows you to select the correct events, and a meta indicating which event we are dealing with (1, 2 or 3).
Does anyone have any idea how to create this rule?
2021-04-23 12:15 PM - edited 2021-04-23 12:16 PM
Unfortunately, there's not going to be a simple and easy alert for this. The fact that we need to trigger when only 2 of the 3 events arrive means we cannot use MATCH_RECOGNIZE (and specifically the MATCH_RECOGNIZE_PERMUTE function, which could have saved a lot of complexity in this rule: http://esper.espertech.com/release-7.1.0/esper-reference/html/match-recognize.html#match-recognize-patternops-permutation).
The best way I can think to do this is to create each variation of the event sequence you're looking for in the rule:
For example:
@RSAAlert
@Name('Event1 followedBy Event2 notFollowedBy Event3')
SELECT * FROM PATTERN [
    every-distinct(user_dst, 5 Minutes)
    /* Statement: event 1 */
    e1=Event(device_type IN ( 'windows' ) AND ec_activity IN ('logon') AND user_dst IS NOT NULL )
    ->
    (
        /* Statement: event 2 */
        e2=Event(device_type IN ( 'windows' ) AND ec_activity IN ('logoff') AND user_dst IS NOT NULL AND user_dst=e1.user_dst)
        where timer:within(5 Minutes)
        ->
        /* Statement: event 3 */
        timer:interval(5 Minutes) AND NOT
        e3=Event(device_type IN ( 'windows' ) AND ec_activity IN ('modify') AND user_dst IS NOT NULL AND user_dst=e2.user_dst)
    )
];

@RSAAlert
@Name('Event1 followedBy Event3 notFollowedBy Event2')
SELECT * FROM PATTERN [
    every-distinct(user_dst, 5 Minutes)
    /* Statement: event 1 */
    e1=Event(device_type IN ( 'windows' ) AND ec_activity IN ('logon') AND user_dst IS NOT NULL )
    ->
    (
        /* Statement: event 3 */
        e2=Event(device_type IN ( 'windows' ) AND ec_activity IN ('modify') AND user_dst IS NOT NULL AND user_dst=e1.user_dst)
        where timer:within(5 Minutes)
        ->
        /* Statement: event 2 */
        timer:interval(5 Minutes) AND NOT
        e3=Event(device_type IN ( 'windows' ) AND ec_activity IN ('logoff') AND user_dst IS NOT NULL AND user_dst=e2.user_dst)
    )
];
...and simply keep adding each variation to the rule until you have them all.
2021-04-27 04:23 AM
Thank you for your help, but I found a simpler solution.
@RSAAlert()
SELECT * FROM Event(
    ( device_type IN ( 'xxx' ) AND
      (isOneOfIgnoreCase(action,{ 'aaa' }))
    ) OR
    ( device_type IN ( 'xxx' ) AND
      (isOneOfIgnoreCase(action,{ 'bbbl' }))
    ) OR
    ( device_type IN ( 'xxx' ) AND
      (isOneOfIgnoreCase(action,{ 'ccc' }))
    )
).std:groupwin(user_dst,ip_src)
 .win:time_batch(1 min)
GROUP BY user_dst,ip_src
HAVING COUNT(*) < 3
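The following Python model is an added example, not code from the thread or from NetWitness: it replays the posted `time_batch(1 min) ... HAVING COUNT(*) < 3` logic over constructed sample events, adds a tighter check that requires exactly two distinct steps, and shows what a tumbling batch does to a valid sequence that straddles the batch boundary. The action names aaa/bbb/ccc, the user/IP values and the batch alignment at T0 are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

STEPS = ("aaa", "bbb", "ccc")  # the three watched actions (placeholders, as in the thread)

# Constructed sample events: (time, user_dst, ip_src, action)
T0 = datetime(2021, 4, 27, 9, 0, 0)  # assumed start of the first 1-minute batch
EVENTS = [
    (T0 + timedelta(seconds=5),  "alice", "10.0.0.5", "aaa"),
    (T0 + timedelta(seconds=20), "alice", "10.0.0.5", "bbb"),
    (T0 + timedelta(seconds=40), "alice", "10.0.0.5", "ccc"),  # complete 1->2->3: no alert
    (T0 + timedelta(seconds=10), "bob",   "10.0.0.7", "aaa"),
    (T0 + timedelta(seconds=30), "bob",   "10.0.0.7", "ccc"),  # step 2 skipped: alert
    (T0 + timedelta(seconds=59), "carol", "10.0.0.9", "aaa"),
    (T0 + timedelta(seconds=61), "carol", "10.0.0.9", "bbb"),
    (T0 + timedelta(seconds=62), "carol", "10.0.0.9", "ccc"),  # valid, but split across two batches
    (T0 + timedelta(seconds=15), "dave",  "10.0.0.3", "aaa"),  # only one step seen
]

def batch_groups(events, batch=timedelta(minutes=1)):
    """Mimic std:groupwin(user_dst, ip_src).win:time_batch(1 min):
    non-overlapping batches, one list of actions per (batch, user, ip)."""
    groups = defaultdict(list)
    for ts, user, ip, action in events:
        if action not in STEPS:          # the Event(...) filter in the rule
            continue
        bucket = int((ts - T0) / batch)  # which tumbling batch the event lands in
        groups[(bucket, user, ip)].append(action)
    return groups

def alerts_count_rule(events):
    """The posted rule: a (user, ip) group with fewer than 3 events in the batch alerts.
    Note that a single event (count 1) alerts as well, and a valid sequence split
    across a batch boundary alerts from both halves."""
    return sorted({(u, ip) for (_, u, ip), acts in batch_groups(events).items()
                   if len(acts) < 3})

def alerts_two_of_three(events):
    """Tighter variant: exactly two distinct steps seen, so one step is missing.
    Repeated events of the same step no longer inflate the count, and a lone
    event no longer alerts; the batch-boundary split is still not handled."""
    return sorted({(u, ip) for (_, u, ip), acts in batch_groups(events).items()
                   if len(set(acts)) == 2})

if __name__ == "__main__":
    print("count(*) < 3      :", alerts_count_rule(EVENTS))
    print("two distinct steps:", alerts_two_of_three(EVENTS))
```

Carol shows up in both outputs only because her sequence crosses the one-minute batch boundary; a sliding window keyed on the first step, as in the pattern-based rule above, avoids that at the cost of one statement per ordering.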
2021-04-30 12:59 PM
Excellent! I like your solution much better.