David Waugh

Using the Esper EPL Online Try Out Page

Blog post created by David Waugh on Sep 27, 2016

EsperTech's Esper EPL Online try-out page can be a bit daunting if you are new to writing rules for your ESA (Event Stream Analysis) deployment, so here is a quick example that will hopefully get you started.

 

 

The screen is divided into three vertical areas:

 

- EPL Statements: this is where you define what your events look like (the schema) and the ESA rule that will run against those events

- Time and Event Sequence: this is where you enter your events and advance the clock between them

- Scenario Results: this is where the output of running the ESA rule against the sequence of events is shown

 

Here is an example to paste into the different areas so that you can see the results:

 

Paste into the EPL Statement Area:

 

create schema Event(user_dst string,device_ip string, ec_outcome string, ec_theme string, medium integer, ec_activity string);

@Name('Out') select * from Event;

@Name('Result') SELECT * FROM Event(
    medium = 32
    AND ec_activity = 'Logon'
    AND ec_theme = 'Authentication'
    AND ec_outcome = 'Failure'
).std:groupwin(user_dst).win:time_length_batch(60 sec, 3);

 

 

Paste into the Time and Event Sequence Area:

 

Event={user_dst='joe', device_ip='1.2.3.4', ec_outcome='Failure', ec_theme='Authentication', medium=32, ec_activity='Logon'}
t=t+1
Event={user_dst='joe', device_ip='1.2.3.5', ec_outcome='Failure', ec_theme='Authentication', medium=32, ec_activity='Logon'}
t=t+2
Event={user_dst='joe', device_ip='1.2.3.6', ec_outcome='Failure', ec_theme='Authentication', medium=32, ec_activity='Logon'}
t=t+5

 

In this example we have a simple ESA rule that detects a brute force login attempt: three failed logons for the same user_dst within a 60 second period. The filter inside Event(...) keeps only authentication failures from log events (medium = 32 identifies log events in ESA); std:groupwin(user_dst) keeps a separate window per user, and win:time_length_batch(60 sec, 3) collects the events of each user into a batch that is released as soon as it holds three events or 60 seconds have elapsed, whichever comes first. Our events describe a user joe failing to log in from three different device IPs. The t=t+n lines advance the clock by n seconds between events, so the three failures land at 0, 1 and 3 seconds; the third one fills the batch, and that is the point at which the Result statement produces output in Scenario Results. One caveat worth knowing: because the batch is also released when the 60 seconds expire, a batch holding only one or two failures is still posted if fewer than three arrive in that time. You can see this in the try-out by entering a single event followed by t=t+60.

 

The statement

@Name('Out') select * from Event;

shows every event you enter, which is a handy way to confirm that the sequence was parsed the way you intended.

The statement 

@Name('Result') SELECT * FROM Event( .....

shows only the events that pass the filter, released in batches by the window.
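As an added example that is not part of the original post: a variant of the Result statement written so that a user is reported only once at least three failures have accumulated in a 60 second batch, so the one- or two-event batches that time_length_batch releases on its timer no longer appear. It uses the same Event schema and filter as above; the statement name 'Result3' and the alias 'failures' are my own choice. Replace the contents of the EPL Statements area with this (the schema can only be declared once per session):

```sql
// Same event schema as in the post
create schema Event(user_dst string, device_ip string, ec_outcome string, ec_theme string, medium integer, ec_activity string);

// Echo every event so the sequence can be checked
@Name('Out') select * from Event;

// Tumbling 60 second batch, aggregated per user; a row is produced only for a
// user with three or more authentication failures inside the batch
@Name('Result3')
select user_dst, count(*) as failures
from Event(
    medium = 32
    and ec_activity = 'Logon'
    and ec_theme = 'Authentication'
    and ec_outcome = 'Failure'
).win:time_batch(60 sec)
group by user_dst
having count(*) >= 3;
```

Paste this constructed sequence into the Time and Event Sequence area; it adds a second user, bob, with a single failure so the per-user grouping is visible:

Event={user_dst='joe', device_ip='1.2.3.4', ec_outcome='Failure', ec_theme='Authentication', medium=32, ec_activity='Logon'}
t=t+1
Event={user_dst='joe', device_ip='1.2.3.5', ec_outcome='Failure', ec_theme='Authentication', medium=32, ec_activity='Logon'}
t=t+2
Event={user_dst='bob', device_ip='1.2.3.6', ec_outcome='Failure', ec_theme='Authentication', medium=32, ec_activity='Logon'}
t=t+1
Event={user_dst='joe', device_ip='1.2.3.6', ec_outcome='Failure', ec_theme='Authentication', medium=32, ec_activity='Logon'}
t=t+60

The batch timer starts when the first event arrives, so the clock has to be advanced past 60 seconds before Result3 produces anything; Scenario Results then shows joe with failures = 3 and nothing for bob, whose single failure is below the threshold. Compared with time_length_batch, this form waits for the end of the interval instead of firing on the third event, so it trades alert latency for a strict count.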
