This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
Announcements

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
Sachin
New Contributor
New Contributor
ā€Ž2021-03-05 12:16 AM

ESA Rule Creation

ESA question :

I have 2 events coming in  - 2 events are from different device type with different contents. both arriving within say 5-10 Minutes.
I need to create a rule that matches 5-10 minutes previous event from one device type with the real time event coming from other device type.

Any suggestions will be  helpful, Thanks in advance!

Labels (1)
Labels
0 Likes
Reply
2 Replies
AhmadJabr1
New Contributor
New Contributor
ā€Ž2021-03-07 05:57 AM

you can set the time in the rule for 15 min or more, and then set the first rule and use "followed by" the second rule,

 

but this could affect the Memory on the ESA server

 

0 Likes
Reply
lczerwonka
Occasional Contributor
Occasional Contributor
ā€Ž2021-03-08 07:19 AM

You can try with 'create window' in Advanced EPL

https://community.rsa.com/t5/rsa-netwitness-platform-online/alerting-example-advanced-epl-rules/ta-p...

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.