2015-04-09 08:15 AM
Hi all,
I have some ESA rules that are firing alerts. The weird thing is that, if I try to look at the alert details, it says that there are 0 events, and so I'm not able to see metas nor investigate the events that caused the alert.
Could anyone give some clue?
I'm also attaching a couple of screenshots.
Thanks in advance,
Andrea
2015-04-10 09:37 AM
Is this an advanced rule or a basic one?
I've had similar problems with an advanced rule where the alert trigger is based on something like a time window...
create window CountTable.win:length(10)....
insert into CountTable select time, sessionid, event_source_id, + the fields you actually want
@RSAAlert(oneInSeconds=0) select time, sessionid, event_source_id, + fields you actually want from CountTable
2015-04-10 03:57 PM
Hi Andy,
I have the same behaviour with both basic and advanced rules, and I'm not using time windows.
I've also tried a very, very simple rule with a single statement "threat.category=suspicious" that is firing alerts but does not return any event in the details.
2017-10-05 03:51 PM
Hi!
Did you have a chance to resolve this issue? I'm currently having the same problem.
Regards.