000026416 - How to use regex with an RSA Security Analytics ESA Rule

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000026416
Applies ToRSA Security Analytics
RSA Security Analytics Event Stream Analysis
IssueHow to use regex with an RSA Security Analytics ESA Rule.
Resolution

Below is an example of an ESA rule using regex, which can be pasted in Expert Mode.


/*
 This basic template is a placeholder for defining basic EPL content that can be
 installed and executed in ESA. The sample below is the minimum that would be required
 to get started.
*/


/*
Module debug section. If this is empty then debugging is off.
*/


/* EPL section. If there is no text here it means there were no statements. */


    module RegexTest;


       
        @Name('RegexTest')
        @Description('')
        @RSAAlert(oneInSeconds=60)
       @Audit('stream')


        SELECT * FROM Event(domain_dst REGEXP '.*bbc.*') ;


This rule will fire if the domain_dst field contains bbc.

Notes

The comment @Audit('stream') can be removed but it is useful for debugging. It will print out the event in the log /opt/rsa/esa/logs/esa.log which may be useful for troubleshooting.


2014-07-14 16:12:58,841 [pipeline-sessions-0] INFO  com.espertech.esper.audit - Statement RegexTest stream Event(.boolean_expressionboolean_expr...) inserted Event[{esa_time=1405354378834, client=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36, query=~RS~s~RS~News~RS~t~RS~eav2_Load~RS~i~RS~0~RS~p~RS~0~RS~a~RS~International~RS~u~RS~http%3A%2F%2Fwww.bbc.com%2Fnews%2Fworld-europe-28288823~RS~r~RS~0~RS~q~RS~0~RS~z~RS~20~RS~, alias_host=[stats.bbc.co.uk, stats.bbc.co.uk, stats.bbc.co.uk], payload=1460, packets=12, org_dst=BBC, Network_Name=DWAUGH_INTERCEPT, domain_dst=bbc.co.uk, ip_dst=212.58.244.39, time=1405354337, tcp_dstport=80, eth_src=00:50:56:03:01:fc, action=[get, get, get], filetype=gif, longdec_dst=-0.2333, eth_dst=00:50:56:03:03:fb, eth_src_vendor=VMware, Inc., query_element=~RS~s~RS~News~RS~t~RS~eav2_Load~RS~i~RS~0~RS~p~RS~0~RS~a~RS~International~RS~u~RS~http%3A%2F%2Fwww.bbc.com%2Fnews%2Fworld-europe-28288823~RS~r~RS~0~RS~q~RS~0~RS~z~RS~20~RS~, tcp_srcport=52418, latdec_dst=51.2833, lifetime=60, asn_dst=2818, did=rsadecoder, ip_proto=6, sessionid=140831147, medium=1, size=2156, content=image/gif, orig_ip=192.168.123.13, extension=gif, eth_dst_vendor=VMware, Inc., rid=11745952, alias_ip=[212.58.244.39], directory=/, tcp_flags=27, service=80, filename=o.gif, server=Apache, streams=2, language=en-US,en;q=0.8,es;q=0.6, referer=http://www.bbc.com/news/world-europe-28288823, event_source_id=192.168.123.240:50005:140831147, city_dst=Tadworth, country_dst=United Kingdom, eth_type=2048, tld=uk, ip_src=192.168.200.27}]

Legacy Article IDa66912

Attachments

    Outcomes