Eric Partington

ESA - Using In Memory tables for WhatsNew

Blog Post created by Eric Partington Employee on Feb 26, 2019

These are a collection of ESA rules that create persisted in-memory tables for various "what's new" scenarios.  Hopefully they are useful on their own and also serve as templates for future ideas.

 

GitHub - epartington/rsa_nw_esa_whatsnew: collection of ESA rules for whats new stuff 

 

  • New JA3 hash
  • New SSH user agent
  • New useragent
  • New src MAC family
  • New certificate CA
  • New certificate CA (Endpoint)

 

These are advanced ESA rules, so deploying them requires copying and pasting the rule text into an advanced rule in ESA.

 

These can also be tuned to learn more (a longer learning window) so that more data is added to the known window of the ESA rule.  Just be careful about potential performance issues if you make the window too long for your environment, since everything in the known window is held in ESA memory.
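As an added example (not code from the linked repository), here is the skeleton such a "what's new" rule follows in Esper EPL as used by ESA advanced rules, shown for the JA3 case. The meta key names `ja3`, `ip_src` and `ip_dst`, the window and stream names `JA3Known` and `NewJA3`, and the 3-day learning period and 30-day retention period are assumptions chosen for illustration; the `.win:time()` syntax assumes the Esper 5.x dialect that ESA used at the time of this post.

```epl
// Known window: the persisted in-memory table of JA3 hashes already seen.
// The time window is the retention period; values not seen again within
// 30 days age out and will alert again when they reappear.
// (30 days is an assumed value; this is the "known window" to tune.)
@Name('JA3_Known_Window')
create window JA3Known.win:time(30 days) (ja3 string);

// Detect: every event whose JA3 hash is not yet in the known window
// becomes a NewJA3 event. The subquery is the membership check.
@Name('JA3_Detect_New')
insert into NewJA3
select e.ja3 as ja3, e.ip_src as ip_src, e.ip_dst as ip_dst
from Event(ja3 is not null) as e
where not exists (select * from JA3Known as k where k.ja3 = e.ja3);

// Learn: add each newly seen hash to the known window so it only
// produces one NewJA3 event per retention period.
@Name('JA3_Learn')
insert into JA3Known select ja3 from NewJA3;

// Alert: stay quiet during the learning period (assumed 3 days) while
// the known window fills with baseline values, then raise an alert for
// every NewJA3 event after that.
@Name('JA3_Alert_New_Hash')
@RSAAlert(oneInSeconds=0)
select n.* from pattern [timer:interval(3 days) -> every n=NewJA3];
```

The learning period and the retention period are independent knobs: the `timer:interval` controls how long the rule observes before it starts alerting, and the `win:time` on the named window controls how much is remembered, which is where the memory cost lives. Swapping `ja3` for another meta key (for example a user agent or certificate CA key) gives the other rules in the list above the same structure.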

 

Outcomes