Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA)
Issue: A user wishes to have an ESA rule that fulfills the following criteria:
Tasks: In this example we assume that we only want to be notified once per hour for each unique combination of ip_src and ip_dstport seen in our Check Point firewall logs.
In reality such a rule would be very chatty; it is written to demonstrate the functionality, not as a rule for a production environment.
Resolution: Create an Advanced Event Stream Analysis rule with the following content:
The rule does the following:
For output suppression you can also add the clause "output first every 30 min", which emits the first matching event and then suppresses further output for 30 minutes, e.g.
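The following EPL is an added example and is not the rule body from the original article. It implements the once-per-hour behaviour described under Tasks, followed by the output-suppression variant described above. The device_type value 'checkpointfw1', the rule names given with @Name, and the @RSAAlert(oneInSeconds=0) annotation are assumptions about the deployment's Check Point parser and ESA version; adjust them to match your environment.

```sql
/*
 * Added example (not the article's own rule). Assumptions:
 *  - Check Point events are parsed with device_type 'checkpointfw1'
 *  - the meta keys ip_src and ip_dstport are populated by that parser
 *  - the ESA version in use accepts the @RSAAlert(oneInSeconds=0) annotation
 */

// Rule 1: alert at most once per hour per unique (ip_src, ip_dstport) pair.
// win:time(1 hour) retains each kept event for one hour; std:firstunique lets
// only the first event for a given key through while that event is still in
// the window. Once it expires, the next event for the same key alerts again.
@Name('CheckPoint_unique_src_dstport_hourly')
@RSAAlert(oneInSeconds=0)
SELECT *
FROM Event(
        device_type = 'checkpointfw1'
    AND ip_src IS NOT NULL
    AND ip_dstport IS NOT NULL
    )
    .win:time(1 hour)
    .std:firstunique(ip_src, ip_dstport);

// Rule 2: the output-suppression variant. Without a GROUP BY, "output first
// every 30 min" throttles the statement as a whole: the first matching event
// is emitted, then all output is suppressed for 30 minutes regardless of key.
@Name('CheckPoint_first_every_30min')
@RSAAlert(oneInSeconds=0)
SELECT *
FROM Event(
        device_type = 'checkpointfw1'
    AND ip_src IS NOT NULL
    AND ip_dstport IS NOT NULL
    )
OUTPUT FIRST EVERY 30 min;
```

Rule 1 is the one that matches the Tasks description, since its suppression is per source/destination-port pair. Rule 2 trades that precision for a hard cap of one alert per 30 minutes across all Check Point traffic, which is useful when the goal is simply to stop a noisy rule from flooding the alert queue. Before deploying either, confirm in your own data that the Check Point parser populates ip_src and ip_dstport, otherwise the IS NOT NULL filters will silently drop every event.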