Warnmeldungen: Beispiele für erweiterte EPL-Regeln

SELECT * FROM Event(ec_subject='User'
                    AND ec_outcome='Success'
                    AND user_src is NOT NULL
                    AND ec_activity IN ('Create', 'Delete')
                   ).win:time(300 seconds)

match_recognize (partition by user_src
                measures C as c, D as d
                 pattern (C D)
                 define
                 C as C.ec_activity='Create' ,
                 D as D.ec_activity='Delete');

SELECT * from pattern[every (a= Event(ec_subject='User' AND ec_outcome='Success' AND user_dst is NOT NULL AND ec_activity IN ('Create'))

 ->

SELECT * FROM Event(ec_subject='User'
                    and ec_activity in ('Create','Logon','Delete')
                    and ec_theme in ('UserGroup', 'Authentication')
                    and ec_outcome='Success'
                   ).win:time(300 seconds)
match_recognize (measures C as c, L as l, D as d
                 pattern (C L D)
                 define
                 C as C.ec_activity = 'Create',
                 L as L.ec_activity = 'Logon' AND L.user_dst = C.user_src,
                 D as D.ec_activity = 'Delete' AND D.user_src = C.user_src
                );

@Name('NormalizedWindow')
create window FilteredEvents.win:time(300 sec) 
(user String, ecactivity string, sessionid Long);

@Name('UsersrcEvents') 
Insert into FilteredEvents 
select user_src as user, ec_activity as ecactivity, sessionid from Event(
ec_subject='User' and ec_activity in ('Create','Delete') and ec_theme in ('UserGroup', 'Authentication') and ec_outcome='Success' and user_src is not null );

@Name('UsrdstEvents') 
Insert into FilteredEvents 
select user_dst as user, ec_activity 

as ecactivity, sessionid from Event(
ec_subject='User' and ec_activity in (Logon’) and ec_theme in ('UserGroup', 'Authentication') and ec_outcome='Success' and user_dst is not null 
);

@Name('Pattern')

@RSAAlert(oneInSeconds=0, identifiers={"user"})


select * from FilteredEvents
        match_recognize (

         partition by user

         measures C as c, L as l, D as d
         pattern (C L+D)

         define 
C as C.ecactivity= ‘Create’,
                
L as L.ecactivity= ‘Logon’,
                D as D.ecactivity=’Delete’
                 );

SELECT * FROM
         Event(
         ip_src IS NOT NULL AND ec_activity=’Logon’ AND ec_outcome = ‘Failure’ ).std:groupwin(ip_src).win:time_length_batch(300 sec, 10) GROUP BY ip_src HAVING COUNT(*) = 10;     

• Erstellt Fenster gemäß ip_src
• Verwendet time_length_batch: Prüft Ereignisse in Stapeln (Rollierendes Fenster). Jedes Ereignis ist nur Teil eines Fensters. Das Fenster gibt Ereignisse frei, wenn entweder die Zeit abgelaufen oder die Anzahl erreicht ist.

• Eines der Probleme mit rollierenden Fenstern ist, dass Ereignisse, die gegen Stapelende auftreten, möglicherweise keine Warnmeldung auslösen.

Obgleich in der folgenden Reihenfolge der Ereignisse bis t=301 10 Anmeldungsfehler für dieselbe Anmeldung in den letzten 300 Sekunden auftraten, wird keine Warnmeldung ausgegeben, da der Ereignisstapel bei t=300 verworfen wurde.

• Das oben genannte Problem kann mithilfe von win:time-Fenstern (EPL Nr. 7) anstelle von win:time_length_batch-Fenstern gelöst werden.

• Mit dem äußeren Group by werden Ereignisse nach Ablauf der Zeit gesteuert. Angenommen, es liegen 9 Ereignisse nach 60 Sekunden vor, dann werden diese 9 Ereignisse von der Esper-Engine an den Listener übertragen. Group by und Count führen zu einer Einschränkung, da die Anzahl ungleich 10 ist.

• Zeit und Anzahl können nach Bedarf geändert werden.

SELECT * FROM
                  Event(
           ip_src IS NOT NULL AND ec_activity=’Logon’ AND ec_outcome = ‘Failure’ 
  ).std:groupwin(ip_src).win:time (300 sec) GROUP BY ip_src HAVING COUNT(*) = 10

SELECT * FROM 
  Event( ec_activity='Logon' AND ec_outcome='Failure'  AND  ip_src IS NOT NULL   AND  ip_dst IS NOT NULL AND  user_dst IS NOT NULL ).std:groupwin(ip_src,ip_dst).win:time_length_batch(300 seconds, 5}).std:unique(user_dst) group by ip_src,ip_dst having count(*) = 5;

SELECT * FROM pattern [every a = Event(device_ip IN ('10.0.0.0','10.0.0.1') AND medium = 32) -> (timer:interval (3600 seconds) AND NOT Event(device_ip = a.device_ip AND device_type = a.device_type AND medium = 32))];

SELECT * FROM pattern 
[every-distinct(a.user_dst, a.device_ip, 1 msec) (a= Event(ec_activity='Logon' and ec_outcome='Failure' and user_dst IS NOT NULL)
-> [2]( Event( device_ip =a.device_ip and ec_activity='Logon' and ec_outcome='Failure' and user_dst=a.user_dst) 


AND NOT Event( ( ec_activity='Logon' and ec_outcome='Success' and device_ip = a.device_ip and user_dst=a.user_dst) or (ec_activity='Lockout' and device_ip = a.device_ip and user_dst=a.user_dst))))


where timer:within(60 seconds) -> (timer:interval(30 seconds) and not Event(device_ip=a.device_ip and user_dst=a.user_dst and ec_activity='Lockout'))
];