Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000026416 - How to use regex with an RSA Security Analytics ESA Rule

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 3Show Document

Like • Show 2 Likes2
Comment • 0
View in full screen mode

Article Content

Article Number	000026416
Applies To	RSA Security Analytics RSA Security Analytics Event Stream Analysis
Issue	How to use regex with an RSA Security Analytics ESA Rule.
Resolution	Below is an example of an ESA rule using regex, which can be pasted in Expert Mode. /* This basic template is a placeholder for defining basic EPL content that can be installed and executed in ESA. The sample below is the minimum that would be required to get started. / / Module debug section. If this is empty then debugging is off. / / EPL section. If there is no text here it means there were no statements. / module RegexTest; @Name('RegexTest') @Description('') @RSAAlert(oneInSeconds=60) @Audit('stream') SELECT FROM Event(domain_dst REGEXP '.bbc.') ; This rule will fire if the domain_dst field contains bbc.
Notes	The comment @Audit('stream') can be removed but it is useful for debugging. It will print out the event in the log /opt/rsa/esa/logs/esa.log which may be useful for troubleshooting. 2014-07-14 16:12:58,841 [pipeline-sessions-0] INFO com.espertech.esper.audit - Statement RegexTest stream Event(.boolean_expressionboolean_expr...) inserted Event[{esa_time=1405354378834, client=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36, query=~RS~s~RS~News~RS~t~RS~eav2_Load~RS~i~RS~0~RS~p~RS~0~RS~a~RS~International~RS~u~RS~http%3A%2F%2Fwww.bbc.com%2Fnews%2Fworld-europe-28288823~RS~r~RS~0~RS~q~RS~0~RS~z~RS~20~RS~, alias_host=[stats.bbc.co.uk, stats.bbc.co.uk, stats.bbc.co.uk], payload=1460, packets=12, org_dst=BBC, Network_Name=DWAUGH_INTERCEPT, domain_dst=bbc.co.uk, ip_dst=212.58.244.39, time=1405354337, tcp_dstport=80, eth_src=00:50:56:03:01:fc, action=[get, get, get], filetype=gif, longdec_dst=-0.2333, eth_dst=00:50:56:03:03:fb, eth_src_vendor=VMware, Inc., query_element=~RS~s~RS~News~RS~t~RS~eav2_Load~RS~i~RS~0~RS~p~RS~0~RS~a~RS~International~RS~u~RS~http%3A%2F%2Fwww.bbc.com%2Fnews%2Fworld-europe-28288823~RS~r~RS~0~RS~q~RS~0~RS~z~RS~20~RS~, tcp_srcport=52418, latdec_dst=51.2833, lifetime=60, asn_dst=2818, did=rsadecoder, ip_proto=6, sessionid=140831147, medium=1, size=2156, content=image/gif, orig_ip=192.168.123.13, extension=gif, eth_dst_vendor=VMware, Inc., rid=11745952, alias_ip=[212.58.244.39], directory=/, tcp_flags=27, service=80, filename=o.gif, server=Apache, streams=2, language=en-US,en;q=0.8,es;q=0.6, referer=http://www.bbc.com/news/world-europe-28288823, event_source_id=192.168.123.240:50005:140831147, city_dst=Tadworth, country_dst=United Kingdom, eth_type=2048, tld=uk, ip_src=192.168.200.27}]
Legacy Article ID	a66912

Attachments

Outcomes

0 Comments

Recommended Content