This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Treshold

RenatoGoncalves
Beginner
Beginner

‎2018-06-28 10:16 AM

Its possible to create a threshold for a specific user in a ESA rule?

 

We have a user that trigger many alerts For Brute Force Logins due to a misconfiguration her computer and OS. Our clients know that and are aware of the situation. So i contact with them came up an idea for creation of threshold for her.

 

For her user it only generates an incident/alert if its the 2.000 time it fails login for example...

 

Its possible to do that and where can we create the threshold?

0 Likes
1 REPLY 1

AkramHamed
Frequent Contributor Frequent Contributor
Frequent Contributor

‎2018-07-22 07:08 AM

Hi,

 

this can be achieved using the EPL function "firsttime" which will take the first event only and ignores the rest in this window.

more info can be found here http://esper.espertech.com/release-6.1.0/esper-reference/html/epl-views.html#view-win-firsttime 

 

you can also use "first every x min" as this KB 000031897 - Example Advanced ESA Rule which shows suppression on multiple variables in RSA Security Analytics 

more on EPL site as well here http://esper.espertech.com/release-6.0.1/esper-reference/html/appendix_outputspec.html  (A.2.4. Output Rate Limiting - First)

 

 

an example can look like this

 

@RSAAlert 
SELECT window(*) FROM Event 
( 
device_type='snort' 
AND ip_dstport=137 
).win:time(60 sec) 
GROUP BY ip_src 
HAVING count(ip_dst) > 3 
output first every 30 min; 

Akram

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.