Add an Advanced EPL RuleAdd an Advanced EPL Rule
This topic provides instructions to define rule criteria by writing an EPL query. EPL is a declarative language for handling high-frequency time-based event data. It is used to express filtering, aggregation, and joins over possibly sliding windows of multiple event streams. EPL also includes pattern semantics to express complex temporal causality among events.
Write an advanced EPL rule when rule criteria is more complex than what you can specify in Rule Builder.
It is outside the scope of this guide to explain EPL syntax.
- For EPL Documentation, see http://www.espertech.com/esper/esper-documentation/
- For the EPL Online Tool, see http://esper-epl-tryout.appspot.com/epltryout/mainform.html
For best practices on writing advanced EPL rules, see ESA Rule Writing Best Practices.
PrerequisitesPrerequisites
The following are prerequisites for adding an advanced rule:
- You must know Event Processing Language (EPL).
- You must understand ESA Annotations to mark which EPL statements are linked to generating alerts.
Add an Advanced EPL RuleAdd an Advanced EPL Rule
- Go to (Configure) > ESA Rules.
-
In the Rule Library, select > Advanced EPL.
-
Type a unique, descriptive name in the Rule Name field.
This name will appear in the Rule Library so be specific enough to distinguish the rule from others.
-
In the Description field, explain which events the rule detects.
The beginning of this description will appear in the Rule Library
-
Select Trial Rule to automatically disable the rule if all trial rules collectively exceed the memory threshold.
Use trial rule mode as a safeguard to see if a rule runs efficiently and to prevent downtime caused by running out of memory. For more information, see Working with Trial Rules.
- (This option applies to 11.5 and later.) Enter a Memory Threshold for a rule that uses memory, such as a rule that contains windows or pattern matching. If the configured memory threshold is exceeded, the rule gets disabled individually and an error is displayed for that rule on the (Configure) > ESA Rules > Services tab. The Memory Threshold option works for trial rules and non-trial rules. New rules default to a 100 MB memory threshold. Rules that existed before version 11.5 do not have a default value and a memory threshold is not set.
- (This option applies to 11.3 and later.) Select Alert to send an alert to Respond. Clear the checkbox if you do not want to send an alert to Respond. To turn alerts on or off for ALL rules, see the ESA Configuration Guide.
- For Severity, classify the rule as Low, Medium, High or Critical.
-
To define rule criteria, write a Query in EPL.
Note: For all meta key names, use an underscore not a period. For example,
ec_outcome
is correct butec.outcome
is not.Supported meta entities:
S. No Supported Meta Entities Description 1 fullname_all 2 eth_all 3 ip_all Combines all the IPv4 meta keys. 4 ipv6_all Combines all the IPv6 meta keys. 5 port_src_all 6 port_dst_all 7 dir_path_all 8 org_all 9 geoip_all 10 port_all 11 domain_all 12 email_all 13 filename_all 14 directory_all 15 checksum_all 16 param_all 17 context_all 18 attack_all 19 analysis_all 20 compromise_all 21 inv_all 22 outcome_all 23 ec_all 24 user_all 25 host_all 26 client_all -
For dynamic statement name generation in ESA, you must enclose the meta keys in curly brackets and include this annotation in the syntax:
@Name("RIG {ip_src} {alias_host} {ec_activity}")
where,
- RIG is the static part of the statement name
- {ip_src}, {alias_host}, {ec_activity} is the dynamic part of the statement name
Note: If any of the metas in the dynamic part of the statement name has a null value, it is displayed as a static text.
If a rule should generate an alert, include this ESA annotation in the syntax:
@RSAAlert
For more information on ESA Annotations, see ESA Annotations.
Validate an Advanced EPL Rule Validate an Advanced EPL Rule
You can confirm that an ESA rule generates the expected alerts by testing the rule logic using JSON input data. You can view the alerts in the output, but this test does not send any alert notifications.
If you want to view all of the debug information, include an @Audit(‘stream’) annotation to your rule query and view the Debug Log in the test output. To enable auditing you require to add @Audit to the rule and set the logging level for the Esper audit package to INFO. This can be done by creating correlation-server.yml file under /etc/netwitness/correlation-server with this content and restarting the correlation-server service with systemctl restart rsa-nw-correlation-server:
logging:
level:
com.espertech.esper.audit: INFO
The following basic example query contains the @Audit(‘stream’) annotation and queries for events that do not have a source IP of 1.1.1.1 or 2.2.2.2.
Validate an ESA RuleValidate an ESA Rule
- If you are not already in the rule, go to (Configure) > ESA Rules > Rules tab and in the Rule Library, open the ESA rule that you want to test.
- Scroll down to the Test Rule section.
- In the ESA Service field, select the ESA Correlation service to process the rule. Use the same ESA Correlation service that you plan to use in the ESA rule deployment that contains the rule.
- In the Input Data field, enter the input events to test the rule. Download the events from the Investigate view in JSON format, copy the events, and paste them in this field. You can do this from the Investigate > Navigate view or the Investigate > Events view.
To download the events from the Investigate > Navigate view:- In the main menu, go to Investigate > Navigate in a new tab, select a data source, and click Navigate.
- In the Navigate view, click Load Values and click a meta value to filter the events.
- Save the events as meta in the JSON file format [Save Events > Meta > (name the file) > Export Meta Format: choose JSON].
- In the toolbar click the (Jobs) icon and then click View Your Jobs.
- In the Jobs panel, download your extracted meta, for example: investigation-2020-May-19-08-30-20.json.
- Go to back to the (Configure) > ESA Rules tab opened previously and copy the contents of the JSON file into the Input Data field in your ESA rule.
To download the events from the Investigate > Events view:
- In the main menu, go to Investigate > Events in a new tab.
- In the Events view, enter a query for the ESA rule test.
- Select the events to use and in the Download or Download All menu, select Visible Meta as JSON or All Meta as JSON, depending on the size of your selection.
- In the main menu, go to Dashboards and in the toolbar click the (Jobs) icon and then click View Your Jobs.
- In the Jobs panel, download your extracted meta, for example: Concentrator_ALL_EVENTS_ALL_META.json.
- Go to back to the (Configure) > ESA Rules tab opened previously and copy the contents of the JSON file into the Input Data field in your ESA rule.
- Click Test Rule. The Output field shows the output of your rule and you can determine if the results meet your requirements.
Note: If you are testing any Rule that has meta key defined as type 'short', the Test Rule will not generate alert for the event.
The following table describes the test rule output Engine Stats.
Field | Description |
---|---|
Engine Version | Esper version running on the ESA service |
Events Offered | Number of events processed by the ESA service since the last service start |
Offered Rate | The rate that the ESA service processes current events / The maximum rate that the ESA service processed events |
Runtime Errors | If applicable, this field can contain a link to runtime error messages related to the ESA rule deployment. |
The following table describes the test rule output Rule Stats.
Field | Description |
---|---|
Deployed | A green checkmark indicates that the rule is deployed on the selected ESA service. |
Statements Fired | The number of statements that fired the alerts |
Alerts Fired | The number of alerts generated from the test data |
Events in Memory | The number of events placed in memory by the rule |
Memory Usage | The total amount of memory used by the rule |
CPU % | The percentage of the deployment CPU used by the rule. For example, a deployment with 1 rule shows 100% CPU usage for that rule and a deployment with two equally CPU heavy rules show 50% each. |
Events Matched | The number of events that matched the rule |
Alerted Events | If applicable, this field can contain a link to events that caused an alert. |
Runtime Errors | If applicable, this field can contain a link to runtime error messages related to the rule. |
Debug Logs | This field contains a link to Esper debug (audit) logs. |