2023-10-09 06:22 AM
Hi,
I have been tasked with end-to-end testing for our NW platform. I have little experience with NW.
What I'm trying to do is to replay events with `NwLogPlayer`. Said events are modified: timestamps and other fields as required.
Replay events and trigger an alert for the rule being tested. The alert is sent to another system, searches run at scheduled intervals and when certain conditions are met, a ticket is created in another system. Ticket is then cancelled. This is all automated.
I have managed to test 5 rules so far and it hasn't been easy. Some rules will not trigger alerts at each and every event replayed.
This rule in particular:
```
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
(medium IN ( 32 )
AND device_type IN ( 'windows' )
AND reference_id IN ( '4657' , '5671' )
AND wl_reguser IS NULL
AND wl_procuser IS NULL
AND wl_regkey IS NULL
AND filter IS NULL
)
)OUTPUT FIRST every 240 minute;
```
Am I correct in my logic:
- 1st event is received and time is noted
- any other `4657` or `5671` events thereafter are ignored until 240m is up
- when 240m is up, the next matching event repeats the cycle
Is it possible to:
- somehow replay a modified event that will trigger the alert regardless of whether an event has been seen in the 240m window
- the above must alert even if an event has been in the 240m window
Conclusions:
- I have tried changing all the fields in an event except the `EventID` to try and simulate a `new` event. No joy.
- this will never work I think as _any_ `4657` event, regardless of content will match the rule and `OUTPUT FIRST every 240 minute` will apply
- the replayed event, if it makes it into a window where no event has been seen, will cause the 240m logic to be activated and any subsequent, genuine events in said window will be ignored for the remainder of 240m
- if I'm replaying every 5h and upon replay, if an event was seen 10m before, the 240m logic is in effect and the rule will not alert
Apologies if the above appears obtuse.
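A small model of the `OUTPUT FIRST every 240 minute` suppression window as the question above describes it, run over a constructed 5-hour replay scenario. This is an added example, not code from the thread or from NetWitness; the exact Esper semantics and the use of the event timestamp as the engine clock are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

WINDOW = timedelta(minutes=240)  # "OUTPUT FIRST every 240 minute"

@dataclass
class Event:
    ts: datetime              # assumption: event time stands in for the ESA engine clock
    reference_id: str
    label: str                # constructed: identifies the genuine/replayed event
    medium: int = 32
    device_type: str = "windows"
    wl_reguser: Optional[str] = None
    wl_procuser: Optional[str] = None
    wl_regkey: Optional[str] = None
    filter: Optional[str] = None

def matches(e: Event) -> bool:
    """The filter part of the rule: everything inside FROM Event( ... )."""
    return (e.medium == 32 and e.device_type == "windows"
            and e.reference_id in ("4657", "5671")
            and e.wl_reguser is None and e.wl_procuser is None
            and e.wl_regkey is None and e.filter is None)

def alerting_events(events: list) -> list:
    """Feed events in arrival order; return labels of those that raise the alert.
    OUTPUT FIRST as the post describes it: the first match opens a window and is
    output, later matches are dropped until the window elapses, and the next match
    after that opens a new window."""
    window_start = None
    alerted = []
    for e in events:
        if not matches(e):
            continue
        if window_start is None or e.ts - window_start >= WINDOW:
            window_start = e.ts
            alerted.append(e.label)
    return alerted

T0 = datetime(2023, 10, 9, 6, 0)  # constructed scenario, replay every 5h
SCENARIO = [
    Event(T0, "4657", "genuine-1"),                                        # opens window: alerts
    Event(T0 + timedelta(minutes=10), "4657", "replay-1"),                 # 10m later: suppressed
    Event(T0 + timedelta(minutes=250), "5671", "genuine-2"),               # window elapsed: alerts
    Event(T0 + timedelta(minutes=300), "4657", "replay-2"),                # inside new window: suppressed
    Event(T0 + timedelta(minutes=540), "4657", "replay-3", wl_regkey="k"), # wl field set: no match
]
```

Only the two genuine events alert; both replays land inside an open window, and the replay with a whitelist field populated never matches the rule at all.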
2023-10-09 09:29 AM
Hello @ephemeric
Kindly note that you'll be getting an email shortly in regards to your inquiry.
Thanks,
Esraa
2023-11-09 08:05 AM