A user wishes to have an ESA Rule that fulfills the following criteria:
- Only one alert should be sent within a particular time frame.
- The alert is based on two (or more) variables.
In our example, we assume that we only want to be notified once per hour on each unique ip_src and ip_dstport combination seen in our Check Point firewall logs.
In reality this would be a very chatty rule, but it is written to demonstrate the functionality and not as a real rule for a production environment.
Create an Advanced Event Stream Analysis rule with the following content:
module Module_564eeceae4b06807f34ebd2d;
@RSAPersist
@Name('Module_564eeceae4b06807f34ebd2d_Alert')
@Description('')
@RSAAlert(oneInSeconds=0)
@Hint('reclaim_group_aged=10,reclaim_group_freq=30')
SELECT ip_src, ip_dstport, device_type, ip_dst FROM Event(
/* Statement: CheckPoint */
(device_type IN ( 'checkpointfw1' ) AND ip_src is not null AND ip_dstport is not null AND ip_dst is not null)
).std:groupwin(ip_src,ip_dstport).win:time(3600 seconds).std:firstunique(ip_src,ip_dstport) retain-intersection
The rule does the following:
- Groups events into distinct ip_src and ip_dstport combinations (std:groupwin).
- Keeps a sliding window of 1 hour (win:time(3600 seconds)).
- Forwards only the first event for each unique ip_src and ip_dstport combination (std:firstunique).
The retain-intersection keyword ensures that an event is only retained while it is present in ALL three of these views. Once the first event for a combination ages out of the 1-hour window it also leaves std:firstunique, so the next event for that combination is forwarded again, which gives at most one alert per combination per hour. Note that ip_dst is selected for the alert but is not part of the key, so a new destination address on an already-seen source and port does not produce a new alert.
For output suppression you can also add "output first every 30 min" to get only the first result in each 30 minute interval. For example:
@RSAAlert
SELECT window(*) FROM Event
(
device_type='snort'
AND ip_dstport=137
).win:time(60 sec)
GROUP BY ip_src
HAVING count(ip_dst) > 3
output first every 30 min;
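To make the suppression behaviour of both rules concrete, the following Python simulation (added here as an illustration; it is not Esper and not NetWitness code) replays constructed events through the view semantics of the two rules above: the 1-hour firstunique rule and the port 137 "output first every 30 min" rule. The event times, addresses and the snort/checkpointfw1 device types are made up for the example. Two simplifications are assumptions and are marked in the code: an event is treated as expired at exactly the window length, and the 30-minute "output first" suppression is applied per ip_src group.

```python
# Simulation of the two ESA (Esper EPL) suppression rules in this article.
# Added example: plain Python mimicking the view semantics; it is not Esper
# and not NetWitness code. All events and timestamps are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    ts: int                      # event time in seconds (constructed)
    device_type: str
    ip_src: Optional[str]
    ip_dst: Optional[str]
    ip_dstport: Optional[int]


def first_unique_per_window(events, window=3600):
    """Rule 1: std:groupwin(ip_src, ip_dstport).win:time(3600 sec)
    .std:firstunique(ip_src, ip_dstport) retain-intersection.

    An event is forwarded only when no event with the same (ip_src, ip_dstport)
    is still inside the sliding window. Under retain-intersection the retained
    event leaves firstunique as soon as win:time expires it, so the next event
    for that key alerts again. Assumption: an event counts as expired at
    exactly `window` seconds after it was retained.
    """
    retained = {}                # (ip_src, ip_dstport) -> ts of retained event
    forwarded = []
    for ev in sorted(events, key=lambda e: e.ts):
        # The "Statement: CheckPoint" filter: device_type and three non-null checks
        if ev.device_type != 'checkpointfw1':
            continue
        if None in (ev.ip_src, ev.ip_dstport, ev.ip_dst):
            continue
        key = (ev.ip_src, ev.ip_dstport)  # ip_dst is selected but is not part of the key
        kept = retained.get(key)
        if kept is None or ev.ts - kept >= window:
            retained[key] = ev.ts
            forwarded.append(ev)
    return forwarded


def port137_burst_alerts(events, window=60, interval=1800):
    """Rule 2: snort events with ip_dstport=137, win:time(60 sec), GROUP BY
    ip_src, HAVING count(ip_dst) > 3, output first every 30 min.

    count(ip_dst) counts events in the window whose ip_dst is non-null; it is
    NOT a distinct count of destinations. Assumption: the 30-minute "output
    first" suppression is applied per ip_src group.
    """
    in_window = defaultdict(list)  # ip_src -> timestamps currently in win:time
    muted_until = {}               # ip_src -> ts before which output is suppressed
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.device_type != 'snort' or ev.ip_dstport != 137 or ev.ip_dst is None:
            continue
        # win:time(60 sec): drop events older than the window, then add this one
        ts_list = [t for t in in_window[ev.ip_src] if ev.ts - t < window]
        ts_list.append(ev.ts)
        in_window[ev.ip_src] = ts_list
        if len(ts_list) > 3 and ev.ts >= muted_until.get(ev.ip_src, 0):
            alerts.append((ev.ts, ev.ip_src, len(ts_list)))
            muted_until[ev.ip_src] = ev.ts + interval
    return alerts


# Constructed sample events for rule 1 (not real log data)
CHECKPOINT_SAMPLE = [
    Event(0,    'checkpointfw1', '10.0.0.5', '10.0.0.9', 443),  # alert: first 10.0.0.5/443
    Event(10,   'checkpointfw1', '10.0.0.5', '10.0.0.9', 443),  # suppressed: same key
    Event(20,   'checkpointfw1', '10.0.0.5', '10.0.0.7', 443),  # suppressed: ip_dst not in key
    Event(30,   'checkpointfw1', '10.0.0.5', '10.0.0.9', 22),   # alert: new port
    Event(40,   'snort',         '10.0.0.5', '10.0.0.9', 443),  # ignored: wrong device_type
    Event(50,   'checkpointfw1', '10.0.0.6', None,       443),  # ignored: ip_dst is null
    Event(3600, 'checkpointfw1', '10.0.0.5', '10.0.0.9', 443),  # alert again: first aged out
]

# Constructed sample events for rule 2 (not real log data)
SNORT_SAMPLE = (
    [Event(t, 'snort', '192.168.1.20', f'10.1.1.{i}', 137)
     for i, t in enumerate([0, 5, 10, 15, 20])]                      # 4th event at t=15 alerts
    + [Event(100, 'snort', '192.168.1.20', '10.1.1.9', 137)]          # alone in its 60 s window
    + [Event(t, 'snort', '192.168.1.30', '10.1.1.1', 137) for t in (0, 1, 2)]  # only 3 events
    + [Event(3, 'snort', '192.168.1.30', '10.1.1.1', 445)]            # wrong port
    + [Event(t, 'snort', '192.168.1.20', '10.1.1.1', 137) for t in (1900, 1901, 1902, 1903)]
)


if __name__ == '__main__':
    for ev in first_unique_per_window(CHECKPOINT_SAMPLE):
        print(f'rule1 alert t={ev.ts} {ev.ip_src} -> {ev.ip_dst}:{ev.ip_dstport}')
    for ts, src, n in port137_burst_alerts(SNORT_SAMPLE):
        print(f'rule2 alert t={ts} {src} count={n}')
```

Running it shows rule 1 forwarding only the events at t=0, t=30 and t=3600, and rule 2 alerting at t=15 and t=1903 for 192.168.1.20: the 5th event at t=20 still satisfies the HAVING clause but is swallowed by the 30-minute output suppression, and 192.168.1.30 never reaches more than 3 events in 60 seconds. Calling port137_burst_alerts(SNORT_SAMPLE, interval=0) removes the suppression and the t=20 alert reappears. If the intent of the second rule is "one source talking to more than 3 distinct hosts", use count(distinct ip_dst) in the HAVING clause; as written, four events to the same ip_dst also trigger it.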