000031897 - Example Advanced ESA Rule which shows suppression on multiple variables in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 7

Article Number: 000031897
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA)
 
Issue: A user wishes to have an ESA rule that fulfills the following criteria:
  • Only one alert should be sent within a particular time frame.
  • The alert is based on two (or more) variables.
Tasks: In our example, we assume that we only want to be notified once per hour for each unique ip_src and ip_dstport combination seen in our Check Point firewall logs.
In reality this would be a very chatty rule; it is written to demonstrate the functionality, not as a rule for a production environment.
 
Resolution: Create an Advanced Event Stream Analysis rule with the following content:
module Module_564eeceae4b06807f34ebd2d;

@RSAPersist
@Name('Module_564eeceae4b06807f34ebd2d_Alert')
@Description('')
@RSAAlert(oneInSeconds=0)
@Hint('reclaim_group_aged=10,reclaim_group_freq=30')
SELECT ip_src, ip_dstport, device_type, ip_dst FROM Event(
    /* Statement: CheckPoint - only Check Point events with all three fields populated */
    (device_type IN ('checkpointfw1') AND ip_src IS NOT NULL AND ip_dstport IS NOT NULL AND ip_dst IS NOT NULL)
).std:groupwin(ip_src, ip_dstport)          /* one group per ip_src/ip_dstport combination */
 .win:time(3600 seconds)                    /* 1-hour sliding window */
 .std:firstunique(ip_src, ip_dstport)       /* keep only the first event per combination */
 retain-intersection;

The rule does the following:
  1. Groups events into distinct ip_src and ip_dstport combinations.
  2. Applies a sliding window of 1 hour.
  3. Forwards only the first unique ip_src and ip_dstport combination.
The retain-intersection clause ensures that only events retained by ALL three of these views are forwarded, so a combination can alert again only once its first event has aged out of the 1-hour window.
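To make the suppression behaviour concrete, here is an added Python simulation (not part of the original article and not RSA code) of what the rule above does: it applies the same Event filter, groups by (ip_src, ip_dstport), and forwards only the first event of each combination until that event has aged out of a 3600-second window. The sample events and addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WINDOW_SECONDS = 3600  # matches win:time(3600 seconds) in the rule

@dataclass(frozen=True)
class Event:
    """One firewall log event (constructed sample fields, not real log data)."""
    ts: int                    # arrival time in seconds since the start of the sample
    device_type: str
    ip_src: Optional[str]
    ip_dst: Optional[str]
    ip_dstport: Optional[int]

def matches_filter(ev: Event) -> bool:
    """The Event(...) filter: a Check Point event with all three fields populated."""
    return (ev.device_type == "checkpointfw1" and ev.ip_src is not None
            and ev.ip_dstport is not None and ev.ip_dst is not None)

def first_unique_per_window(events: List[Event], window: int = WINDOW_SECONDS) -> List[Event]:
    """Return the events the rule forwards as alerts.
    opened_at maps (ip_src, ip_dstport) to the arrival time of the event that currently
    represents that combination; later events with the same key are suppressed until
    that representative has aged out of the sliding window (win:time + std:firstunique
    under retain-intersection).
    """
    opened_at: Dict[Tuple[str, int], int] = {}
    forwarded: List[Event] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not matches_filter(ev):
            continue
        key = (ev.ip_src, ev.ip_dstport)
        opener = opened_at.get(key)
        if opener is None or ev.ts - opener >= window:  # expiry modelled as exactly `window` seconds
            opened_at[key] = ev.ts
            forwarded.append(ev)
    return forwarded

SAMPLE_EVENTS = [  # constructed sample events; addresses are documentation ranges
    Event(0,    "checkpointfw1", "10.0.0.5", "192.0.2.10", 445),   # first 10.0.0.5:445 -> alert
    Event(60,   "checkpointfw1", "10.0.0.5", "192.0.2.11", 445),   # same pair, other ip_dst -> suppressed
    Event(120,  "checkpointfw1", "10.0.0.5", "192.0.2.10", 3389),  # new port -> alert
    Event(180,  "snort",         "10.0.0.5", "192.0.2.10", 445),   # not a Check Point event -> filtered out
    Event(3700, "checkpointfw1", "10.0.0.5", "192.0.2.10", 445),   # opener aged out -> alert again
]

def run_sample() -> List[Tuple[int, str, int]]:
    """Timestamp, ip_src and ip_dstport of each event the rule would forward."""
    return [(e.ts, e.ip_src, e.ip_dstport) for e in first_unique_per_window(SAMPLE_EVENTS)]
```

Run `run_sample()` to see that the repeated 10.0.0.5:445 event at 60 s is suppressed while the one at 3700 s alerts again.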
For output suppression you can also add an output rate limiting clause such as "output first every 30 min", which forwards only the first matching event in each 30-minute interval, e.g.:
 
@RSAAlert
SELECT window(*) FROM Event(
    device_type = 'snort'
    AND ip_dstport = 137
).win:time(60 sec)
GROUP BY ip_src
HAVING count(ip_dst) > 3
OUTPUT FIRST EVERY 30 min;
