Detect a loss of logs from a device IP
I tried the ESA rule template example which detects a sudden loss of traffic from the sadocs ESA documentation.
Unfortunately, it does not work in my environment. Here is the EPL:

    SELECT * FROM pattern [
        every a = Event(device_ip IN ('IP_X1','IP_X2') AND medium = 32)
        -> (timer:interval(3600 seconds)
            AND NOT Event(device_ip = a.device_ip AND device_type = a.device_type AND medium = 32))
    ];

Could you please help me understand why this is not working?
- RSA NetWitness
- RSA NetWitness Platform
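The posted pattern replayed in plain Python over a constructed event stream, so its behaviour can be checked outside NetWitness. This is an added example, not code from the thread or from the RSA ESA documentation. The field names (device_ip, device_type, medium), the 3600-second window and the medium value 32 come from the posted rule; the IP addresses, timestamps and device types are made up, and two behaviours are assumptions: SQL-style comparison where a null device_type never satisfies `device_type = a.device_type`, and an event cancelling the timer only if it arrives strictly before the timer edge.

```python
# Added example (not from the thread): a replay of the posted ESA/EPL pattern's
# semantics in plain Python. Field names mirror the rule; the IPs, timestamps,
# device types, null-comparison rule and timer-edge rule are constructed/assumed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WINDOW_SECONDS = 3600                     # timer:interval(3600 seconds) in the rule
LOGS_MEDIUM = 32                          # medium = 32 in the rule
WATCHED_IPS = {"10.0.0.1", "10.0.0.2"}    # stand-ins for 'IP_X1', 'IP_X2'


@dataclass(frozen=True)
class Event:
    time: int                  # event time in seconds (constructed)
    device_ip: Optional[str]
    device_type: Optional[str]
    medium: int


def starts_pattern(e: Event) -> bool:
    """The 'a' filter: every a = Event(device_ip IN (...) AND medium = 32)."""
    return e.medium == LOGS_MEDIUM and e.device_ip in WATCHED_IPS


def cancels_timer(e: Event, a: Event) -> bool:
    """The NOT Event(...) filter, keyed on the triggering event 'a'.

    Assumption: SQL-style comparison, where 'x = y' is not true when either
    side is null, so an event with no device_type can never cancel the timer.
    """
    return (
        e.medium == LOGS_MEDIUM
        and e.device_ip is not None and e.device_ip == a.device_ip
        and e.device_type is not None and e.device_type == a.device_type
    )


def replay(events: List[Event], now: int) -> List[Tuple[str, int]]:
    """Replay 'every a -> (timer:interval(W) AND NOT b)' over a finished stream.

    Every matching 'a' starts its own timer, which fires at a.time + W unless a
    cancelling event arrives first. Returns (device_ip, fire_time) for each
    instance that has fired by 'now'; timers still pending are not reported.
    """
    stream = sorted(events, key=lambda e: e.time)
    fired: List[Tuple[str, int]] = []
    for i, a in enumerate(stream):
        if not starts_pattern(a):
            continue
        deadline = a.time + WINDOW_SECONDS
        if deadline > now:
            continue                        # timer has not expired yet
        cancelled = any(
            cancels_timer(e, a)
            for e in stream[i + 1:]
            if a.time < e.time < deadline   # assumption: strictly before the timer edge
        )
        if not cancelled:
            fired.append((a.device_ip, deadline))
    return fired


def last_log_time(events: List[Event]) -> Dict[str, int]:
    """Last medium-32 timestamp per watched device, to cross-check replay()."""
    last: Dict[str, int] = {}
    for e in events:
        if starts_pattern(e):
            last[e.device_ip] = max(last.get(e.device_ip, 0), e.time)
    return last


# Constructed stream: 10.0.0.1 logs every 10 minutes, then goes silent after t=3000
# (its packet-medium event at t=4000 must not count as a log); 10.0.0.2 keeps
# logging; 10.0.0.3 is not in the watched list.
SAMPLE_EVENTS = (
    [Event(t, "10.0.0.1", "ciscoasa", 32) for t in (0, 600, 1200, 1800, 2400, 3000)]
    + [Event(4000, "10.0.0.1", "ciscoasa", 1)]
    + [Event(t, "10.0.0.2", "rhlinux", 32) for t in (0, 3000, 6000, 9000)]
    + [Event(0, "10.0.0.3", "winevent_nic", 32)]
)
NOW = 10000

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, NOW))   # [('10.0.0.1', 6600)]
```

On this stream the replay reports exactly one alert, for 10.0.0.1 at its last log time plus 3600 seconds, and nothing for 10.0.0.2 while it keeps sending; the earlier timers for 10.0.0.1 are all cancelled by the next log, so the `every` prefix does not produce a burst of alerts. Under the null assumption, a device whose log meta carries no device_type fires on every event, because the cancelling filter can never match it, which is one property of the real meta worth checking when the rule behaves unexpectedly.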