I am having some challenges (the nicest way to say it publicly) with ESA and thought it was time to ask the gurus and experts here.
I have created a total of 2 successful rules (basic rules mind you).
device_type is "AV device type"/"network based malware detection device type"
alert is meta1 (both rules fire with this same alert condition)
So, I try to configure an ESA alert for HIPS (same vendor as AV). I am unsuccessful at this. Round 2: a seemingly brilliant idea is born: follow the same logic as the current two working rules (device_type is ... and alert is ...). It worked for the two successfully, right?
I create an application rule to alert on the Alert meta, rule name "HIPS event". I let this soak for a while, and when I run a query in Investigation I can see "hips event" under the Alert meta (don't get me started on the case sensitivity issue). Ok, great. I'm on my way to saying "I have created 3 successful ESA alerts".
So I got from Mr. AV Vendor's website a file I can run similar to the EICAR file to test the HIPS functionality. I create the new HIPS ESA rule:
device_type is "AV device type" (HIPS events come in under this same device_type)
alert is "hips alert"
Run test file.
It took me a while to realize "hips alert" and "HIPS alert" in the eyes of ESA are two different things. So, I discover this last night thinking I have truly discovered the ultimate secret and resolution to my headaches.
I make the change... I sync the change.
Nothing. (ESA alert, but the application rule created the desired alert name successfully "working as designed")
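Added illustration (not code from the post, and not NetWitness/ESA code): a small Python model of a "device_type is X AND alert is Y" condition run over constructed sample events. It shows why a rule literal of "hips alert" never fires on events whose stored alert value is "HIPS alert", and adds a check that lists meta values differing only by case, which is the thing to look for before trusting an exact-match rule. Field names, values and function names are assumptions for the example.

```python
"""Model of an exact-match rule condition versus a case-insensitive one.

Added example; it is not ESA/EPL and not from the original post. Event
field names and values below are constructed to mirror the post.
"""


# Constructed sample events (assumed field names; not captured from a live system).
SAMPLE_EVENTS = [
    {"device_type": "AV device type", "alert": "meta1"},
    {"device_type": "AV device type", "alert": "HIPS alert"},   # value as stored
    {"device_type": "AV device type", "alert": "hips alert"},   # same alert, lower case
    {"device_type": "network based malware detection device type", "alert": "meta1"},
    {"device_type": "firewall", "alert": "HIPS alert"},         # wrong device_type
]


def match_exact(event, device_type, alert):
    """Strict equality on both fields: the behaviour described in the post."""
    return event.get("device_type") == device_type and event.get("alert") == alert


def match_casefold(event, device_type, alert):
    """Same condition, but the alert value is compared case-insensitively."""
    stored = event.get("alert") or ""
    return event.get("device_type") == device_type and stored.casefold() == alert.casefold()


def count_matches(events, device_type, alert, matcher):
    """Number of events the rule would fire on under the given matcher."""
    return sum(1 for e in events if matcher(e, device_type, alert))


def case_variants(events, field):
    """Group values of `field` that differ only by letter case.

    A non-empty result means an exact-match rule literal will silently miss
    part of the traffic, which is the symptom the post describes.
    """
    groups = {}
    for e in events:
        value = e.get(field)
        if value is None:
            continue
        groups.setdefault(value.casefold(), set()).add(value)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    print("exact   :", count_matches(SAMPLE_EVENTS, "AV device type", "hips alert", match_exact))
    print("casefold:", count_matches(SAMPLE_EVENTS, "AV device type", "hips alert", match_casefold))
    print("variants:", case_variants(SAMPLE_EVENTS, "alert"))
```

Running `case_variants` over a sample of the real alert meta before writing the rule tells you which spelling the events actually carry, so the rule literal can be made to match what is stored rather than what the rule author expects.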