I intend to create an alert in ESA in which the statement condition is based on action meta.
What I'm looking for is to get this alert triggered for this event:
Given a specific device type, and whenever a user initiates an action statement like:
action meta: select * from tablespace
given that the action key is by default of type array.
How can I achieve this condition in ESA, given that if I use the reporting engine I also cannot rely on contains for this statement?
Your counsel is highly appreciated.
- Community Thread
- ESA Rule
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
This needs to be implemented in an advanced ESA rule right?
Is it possible to make it in a basic ESA rule or NetWitness alert, just to get going until I'm properly versed in EPL?
I believe this command is to be used in an advanced ESA rule:
SELECT * FROM Event WHERE action.anyOf(i => i.contains("This is your value to query"))
Can you provide something similar to use in a basic ESA rule and in a NetWitness/Warehouse rule for SA 10.4?
For a contains search against the array fields you can only use advanced EPL at the moment; the basic rule builder won't work for this yet.
If you want to perform a contains search within NetWitness, you can just utilise the contains operator:
alias.host contains 'your value'
For the warehouse where clause:
array_contains(alias_host, 'your value')
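A fuller advanced EPL statement in the form the answer above describes, added here as an illustration and not taken from the thread or from RSA's own rule library. The rule name, the @RSAAlert annotation (assumed here to be how an ESA advanced rule is marked to raise an alert) and the device type value are assumptions; the device_type test is kept outside the lambda so it is evaluated once per event rather than once per array element, and the match is lower-cased on both sides so that mixed-case statements are still caught.

```sql
-- Added example (EPL for the ESA advanced rule editor), not from the original thread.
-- Assumed: the event stream is called Event, the array meta is 'action',
-- and @RSAAlert is the annotation ESA uses to turn a match into an alert.
@Name('select_statement_from_specific_device')
@RSAAlert(oneInSeconds=0)
SELECT *
FROM Event
WHERE device_type IN ('ciscosecureacs')            -- event-level filter, checked once per event
  AND action.anyOf(i => i.toLowerCase().contains('select * from'))  -- per-element check on the array meta
;
```

When testing a rule like this, feed it an event whose action array holds several values (for example an unrelated command followed by the select statement) and one whose device_type does not match; only the first should produce an alert, which confirms that the element-level lambda and the event-level filter are combined the way you intended.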
SELECT * FROM Event WHERE action.anyOf(i => i.toLowerCase().contains("monitor") and device_type IN ('ciscosecureacs'))
I created a rule with the above statement, but it is not working, and I found an error log in ESA as below:
"Expected array-type input from property 'action' but received class java.util.Vector"