When you use an In-Memory Table configuration in expert mode, you can create an enrichment source or named window based on an Esper query. This gives you more control over the content and lets the content change dynamically as events arrive. When you do this, an EPL query constructs the named window to capture interesting states from the event stream.
The following shows the workflow for creating a query using a named window:
- The event is sent to the Esper Engine.
- An EPL query is generated.
- An alert is triggered.
- The query checks to see if there is a connection between the event and the Named Window.
- If there is a connection, the query that populates the Named Window runs and the window is populated.
- The content from the Named Window is added to the alert content and sent or displayed (depending on your settings).
Before you create the table, note the following requirements:
- The meta keys used in the EPL statement must exist in the data.
- The EPL statements you write must be well-formed.
To create an in-memory table in expert mode:
- Go to Configure > ESA Rules.
The Configure view is displayed with the Rules tab open.
- Click the Settings tab.
- In the options panel, select Enrichment Sources.
- In the Enrichment Sources section, click > In-Memory Table.
- Select Adhoc.
By default, Enable is selected. When you add the in-memory table to a rule, alerts will be enriched with data from it.
- In the User-Defined Table Name field, type a descriptive name for the in-memory table.
- If you want to explain what the enrichment adds to an alert, enter information in the Description field.
This description is displayed in the list of enrichments in the Enrichment Sources view, so enter a thorough description; it lets other users understand what the enrichment contains without opening it to examine its contents.
- Select Expert Mode to define an advanced in-memory table configuration by writing an EPL query.
The Table Columns are replaced by a Query field.
- Select Persist to preserve the in-memory table on disk when the ESA service stops and to re-populate the table when the service restarts.
- Enter the EPL query in the Query field. The query should be well-formed, and it's a good idea to test it before entering it in the field.
- Click Save.
For example, you created a rule that searches for five failed attempted logins followed by a successful login. When that rule is triggered, you may want the notification to contain information about the last user logged into the system when this successful login occurred. To add this enrichment to the notification, you might choose to create a stream-based in-memory lookup table that is populated from incoming events to maintain a mapping of IP addresses to the last user logged in from that address. To do this, you create an enrichment using a query as your source.
Step 1: Create Your Rule
First, you need to create your correlation rule. In this case, you create failure and success rule conditions and group by ip_src.
For the rule conditions, you create the following statements:
- The "Failures" statement searches for failed login attempts:
- The "Success" statement searches for one successful login:
- Combined, you have the following correlation rule:
Step 2: Create the Enrichment
Now that you have created your rule, you need to create the enrichment to add to the notification output. Follow the steps above to create the enrichment, name it Last_Logon, and add the following query:
// One row per source address; std:unique(ip_src) replaces the row on each new successful logon
create window LastLogon.std:unique(ip_src) as (ip_src string, user_dst string);
// Populate the window from successful logon events in the incoming stream
insert into LastLogon select ip_src, user_dst from CoreEvent
where ec_activity='Logon' and ec_outcome='Success';
The enrichment should look like the following:
Step 3: Add the Enrichment to the Rule
Now that you have created your basic rule and your enrichment, you'll need to add the enrichment to the rule and join (or connect) the enrichment to the meta in the rule.
Open the Login_Failure_Followed_by_Success rule for editing.
Once you have added the enrichment, you can save the rule.
When the rule is triggered, ESA runs the query in the enrichment and populates the Named Window with the data. If the data in the Named Window matches the join condition, the data is added to the notification output, which you can view in Email, Syslog or Script, depending on how you configured notifications.
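The three steps above written out end to end as EPL, including the correlation rule the page shows only in the rule builder, is an added example and not code from the original page. It assumes the value 'Failure' for ec_outcome, a threshold of five failures, the intermediate stream name FailThenSuccess, and ESA's @RSAAlert annotation; CoreEvent, LastLogon and the meta keys come from the page.

```epl
// Added example, not from the original page. Assumptions: ec_outcome='Failure',
// the threshold of five, the FailThenSuccess stream name, and ESA's @RSAAlert annotation.

// Step 2: the enrichment. std:unique(ip_src) keeps one row per source address and
// replaces it on every successful logon, so the window always holds the last user.
create window LastLogon.std:unique(ip_src) as (ip_src string, user_dst string);
insert into LastLogon select ip_src, user_dst from CoreEvent
where ec_activity='Logon' and ec_outcome='Success';

// Step 1: the correlation. Per ip_src, five failed logons followed by a success.
insert into FailThenSuccess
select ip_src, success_user
from CoreEvent
match_recognize (
  partition by ip_src
  measures B.ip_src as ip_src, B.user_dst as success_user
  pattern (A{5} B)
  define
    A as A.ec_activity='Logon' and A.ec_outcome='Failure',
    B as B.ec_activity='Logon' and B.ec_outcome='Success'
);

// Step 3: the join. The unidirectional stream drives the join: each correlated
// event is looked up in the named window on ip_src, and the matching user_dst
// becomes the enrichment field (last_logon_user) in the alert output.
@Name('Login_Failure_Followed_by_Success')
@RSAAlert
select e.ip_src, e.success_user, w.user_dst as last_logon_user
from FailThenSuccess as e unidirectional, LastLogon as w
where e.ip_src = w.ip_src;

// Caveat: the success event that completes the pattern also updates LastLogon.
// Whether last_logon_user shows the previous user or the user from that same
// login depends on the order in which Esper delivers the event to these
// statements, so confirm the behaviour you want when testing the query.
```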