2017-08-24 12:12 PM
Need help in creating a rule under ESA for new device discovery.
For example: any new device which gets integrated with RSA SA, I should get an alert for it.
I have created a rule for this, but it's not working as expected.
2017-08-24 02:02 PM
Could you share the actual rule text?
2017-08-25 02:56 AM
Hello, can you try to use an advanced EPL rule like:
module Module_insert_device;

// Named window holding one row per device_ip (std:unique) for 30 days (win:time).
// @RSAPersist keeps the window contents across ESA restarts.
@RSAPersist
CREATE WINDOW list_device.std:unique(device_ip).win:time(30 days) (event_source_id string, time long, sessionid long, lc_cid string, medium short, device_ip string, eventCount long);

// Every log event (medium = 32) that carries a device_ip is merged into the window:
// a device already present only gets its counter bumped, an unknown device is
// inserted with eventCount = 1.
@Name('insert')
ON Event ( medium = 32 AND device_ip IS NOT NULL) AS W1
MERGE list_device as W2
WHERE (W1.device_ip = W2.device_ip)
WHEN matched
THEN UPDATE SET eventCount = eventCount + 1
WHEN NOT MATCHED
THEN INSERT
SELECT event_source_id, time, sessionid, lc_cid , medium, device_ip, 1L as eventCount;

/* Uncomment after the learning phase, i.e. once the window has been filled with the
   devices that already report; otherwise every existing device fires an alert the
   first time it is seen. A row inserted with eventCount = 1 is a device that was not
   in the window before: that is the new device alert.
@Name('Module_Alert')
@RSAAlert
SELECT *
FROM list_device (eventCount = 1);
*/
I hope this has helped you.
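To make the behaviour of the rule above concrete (why the alert statement stays commented out during the learning phase, and what happens when a device goes quiet for longer than the window), here is an added Python model of the same logic. It is not ESA or Esper code and not part of the original post; it assumes that `time` is epoch seconds, that a row in the unique-by-device_ip window expires 30 days after the device was first inserted, and that alerts are suppressed until a caller-supplied learning cut-off. The event records and decoder names are constructed sample data.

```python
"""Model of the 'new device discovery' EPL rule (constructed example, not ESA code).

Assumptions: time values are epoch seconds; the unique-by-device_ip window keeps a
row for WINDOW_SECONDS after the device was first inserted; alerts are suppressed
until `learning_until` so that already-known devices can populate the window silently.
"""

WINDOW_SECONDS = 30 * 24 * 3600   # win:time(30 days)
MEDIUM_LOGS = 32                   # the rule filters on medium = 32 (log events)


class DeviceWindow:
    """Stand-in for the named window list_device: one row per device_ip, time-expired."""

    def __init__(self):
        self.rows = {}  # device_ip -> {"device_ip", "first_seen", "event_source_id", "eventCount"}

    def expire(self, now):
        # win:time(30 days): drop rows whose retention period has elapsed
        expired = [ip for ip, r in self.rows.items() if now - r["first_seen"] >= WINDOW_SECONDS]
        for ip in expired:
            del self.rows[ip]

    def merge(self, event):
        """ON Event ... MERGE: return the row if it was newly inserted, else None."""
        ip = event["device_ip"]
        row = self.rows.get(ip)
        if row is not None:
            row["eventCount"] += 1            # WHEN MATCHED THEN UPDATE SET eventCount = eventCount + 1
            return None
        row = {
            "device_ip": ip,
            "first_seen": event["time"],
            "event_source_id": event.get("event_source_id"),
            "eventCount": 1,                  # WHEN NOT MATCHED THEN INSERT ... 1L as eventCount
        }
        self.rows[ip] = row
        return row


def matches_filter(event):
    """The rule's event filter: medium = 32 AND device_ip IS NOT NULL."""
    return event.get("medium") == MEDIUM_LOGS and event.get("device_ip") is not None


def run(events, learning_until):
    """Replay events in time order and return (time, device_ip) for every alert the
    Module_Alert statement (eventCount = 1 rows) would raise after the learning phase."""
    window = DeviceWindow()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not matches_filter(ev):
            continue
        window.expire(ev["time"])
        inserted = window.merge(ev)
        # While learning, existing devices fill the window without alerting; afterwards
        # any insert with eventCount = 1 is a device the window had not seen.
        if inserted is not None and ev["time"] >= learning_until:
            alerts.append((ev["time"], inserted["device_ip"]))
    return alerts


# Constructed sample feed (not real NetWitness data)
DAY = 24 * 3600
T0 = 1_500_000_000
SAMPLE_EVENTS = [
    {"time": T0,            "medium": 32, "device_ip": "10.0.0.1", "event_source_id": "decoder-a"},  # learning
    {"time": T0 + 2 * DAY,  "medium": 32, "device_ip": "10.0.0.1", "event_source_id": "decoder-a"},  # known
    {"time": T0 + 2 * DAY,  "medium": 32, "device_ip": "10.0.0.2", "event_source_id": "decoder-a"},  # new -> alert
    {"time": T0 + 2 * DAY,  "medium": 1,  "device_ip": "10.0.0.3", "event_source_id": "decoder-b"},  # not a log event
    {"time": T0 + 2 * DAY,  "medium": 32, "device_ip": None,       "event_source_id": "decoder-b"},  # no device_ip
    {"time": T0 + 40 * DAY, "medium": 32, "device_ip": "10.0.0.1", "event_source_id": "decoder-a"},  # expired -> alert again
]

if __name__ == "__main__":
    for ts, ip in run(SAMPLE_EVENTS, learning_until=T0 + DAY):
        print(f"new device {ip} at t={ts}")
```

The last sample event shows the side effect of the 30-day window worth knowing about before tuning it: a device that stops sending for longer than the window drops out and is reported as "new" when it returns, so a short window trades fewer stale rows for repeat alerts on intermittent sources.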