How do I look in the Named Windows of my ESA Rules
Once you start writing more complex ESA rules, it is useful to be able to see what values are being stored in named windows. Lee Kirkpatrick posted the following recently, which will hopefully help a few people out.
All the following is done on an ESA.
Run the following command to open the esa-client:
When run, the following prompt will be displayed:
How many and what values exist in my window(s)?
Let’s say, for example, I created the following window in EPL:
CREATE WINDOW ActiveUsers.win:time(1 hour) (user_dst string);
INSERT INTO ActiveUsers
SELECT user_dst FROM Event(user_dst IS NOT NULL);
and wanted to know how many values are stored in the window, I could run the following from the esa-client (jmx-invoke calls an operation on the bean shown in the prompt):
localhost:com.rsa.netwitness.esa:/CEP/Engine/windows>jmx-invoke getWindowSize --param ActiveUsers
If I wanted to see what those values were (the previous command reported 2 in this example), I could run an EPL query against the window directly:
localhost:com.rsa.netwitness.esa:/CEP/Engine/windows>jmx-invoke query --param "SELECT * FROM ActiveUsers"
Last week I met Nikolay Klender and he showed me some interesting ESA rules. I would like to optimize them, but my aircraft is waiting for me to board to travel to a warm country. 🙂
Could you look at the rules below? Maybe you have ideas how they could be made more useful?
Nikolay Klender invented very useful behaviour rules like:
- If the volume of events abnormally exceeds the normal count of events, alert:
insert into CiscoDeviceEventPer5Second
select device_ip, msg_id, count(*) as cnt5sec
from Event.win:time_batch(5 seconds)  // from clause missing in the post; a 5-second batch over the Event stream is assumed from the stream name
group by device_ip, msg_id;

select device_ip, msg_id, avg(cnt5sec) as avg60, cnt5sec as Count5
from CiscoDeviceEventPer5Second().win:time(60 seconds)
group by device_ip, msg_id
having avg(cnt5sec) > 10 AND cnt5sec > avg(cnt5sec) * 10
output first every 15 min;
- A user has a profile of the locations/providers he uses to connect through VPN. If a new location/provider appears and increases up to 97% of all connections from this user, alert:
create window loginProfileASN.win:keepall()
    (login string, param string, value string, v_count long);

on Event() e
merge loginProfileASN p
where p.login = e.login and p.value = (e.geoip('asn')).toString()
when not matched
    then insert select login, 'ASN' as param, (geoip('asn')).toString() as value, 1L as v_count
when matched
    then update set p.v_count = p.v_count + 1;

create window loginProfileTotal.win:keepall()
    (login string, param string, total long);

on Event() e
merge loginProfileTotal p
where p.login = e.login  // match condition missing in the post; without it every row of the window is updated
when not matched
    then insert select login, 'ASN' as param, 1L as total
when matched
    then update set p.total = p.total + 1;

select e.login, e.geoip('asn') as asn, e.src_ip,
    v.v_count as count, t.total, cast((100 - 100 * v.v_count / t.total), int) as score
from Event().std:lastevent() e, loginProfileASN v, loginProfileTotal t
where v.login = e.login and v.value = (e.geoip('asn')).toString()
  and t.login = e.login
  and (100 - 100 * v.v_count / t.total) >= 97;  // alert threshold taken from the description above
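Added example, not part of the post above and not the poster's or Nikolay Klender's code: a plain-Python replay of the arithmetic behind both rules over constructed events, so the thresholds can be inspected without an ESA appliance or an Esper engine. It assumes the first rule batches the Event stream in 5-second buckets (as the stream name suggests), that both merge statements of the second rule have updated their windows before the scoring select sees the same event, and it uses the 97% threshold from the description; the device, msg_id, login and ASN values are made up.

```python
"""Offline model of the two ESA behaviour rules posted above (added
example; no Esper engine involved, assumptions marked in comments)."""
from collections import defaultdict, deque

BUCKET_SECONDS = 5      # assumed: time_batch(5 seconds) feeding CiscoDeviceEventPer5Second
WINDOW_SECONDS = 60     # CiscoDeviceEventPer5Second().win:time(60 seconds)
SPIKE_FACTOR = 10       # having ... cnt5sec > avg(cnt5sec) * 10
MIN_AVG = 10            # having avg(cnt5sec) > 10
NEW_ASN_SCORE = 97      # threshold quoted in the description of rule 2


def bucket_counts(events):
    """Mirror of 'insert into CiscoDeviceEventPer5Second': count the raw
    (timestamp_s, device_ip, msg_id) events per 5-second bucket.
    Returns (bucket_start, device_ip, msg_id, cnt5sec) rows in time order."""
    counts = defaultdict(int)
    for ts, device_ip, msg_id in events:
        bucket = ts // BUCKET_SECONDS * BUCKET_SECONDS
        counts[(bucket, device_ip, msg_id)] += 1
    return sorted((b, d, m, c) for (b, d, m), c in counts.items())


def spike_alerts(events):
    """Mirror of the select with 'having avg(cnt5sec)>10 AND cnt5sec > avg*10'.
    Each (device_ip, msg_id) keeps the bucket rows of the last 60 seconds; the
    arriving row is part of the average it is compared against, as it is in
    Esper when HAVING is evaluated.  'output first every 15 min' suppression
    is not modelled.  Returns (bucket_start, device_ip, msg_id, cnt5sec, avg60)."""
    history = defaultdict(deque)
    alerts = []
    for b, d, m, c in bucket_counts(events):
        win = history[(d, m)]
        win.append((b, c))
        while win[0][0] <= b - WINDOW_SECONDS:   # win:time(60 seconds) expiry
            win.popleft()
        avg60 = sum(cnt for _, cnt in win) / len(win)
        if avg60 > MIN_AVG and c > avg60 * SPIKE_FACTOR:
            alerts.append((b, d, m, c, avg60))
    return alerts


def asn_scores(logins):
    """Mirror of the two on-merge statements and the scoring select of rule 2.
    'logins' is a list of (login, asn) in arrival order.  Assumption: both
    merges run before the scoring select, so v_count and total already include
    the current login.  Score uses the same long integer division as
    cast((100-100*v.v_count/t.total),int)."""
    per_asn = defaultdict(int)     # loginProfileASN: (login, asn) -> v_count
    per_login = defaultdict(int)   # loginProfileTotal: login -> total
    rows = []
    for login, asn in logins:
        per_asn[(login, asn)] += 1
        per_login[login] += 1
        v_count, total = per_asn[(login, asn)], per_login[login]
        score = 100 - 100 * v_count // total
        rows.append((login, asn, v_count, total, score))
    return rows


def new_asn_alerts(logins):
    """Rows of asn_scores() that reach the 97% threshold from the description."""
    return [row for row in asn_scores(logins) if row[4] >= NEW_ASN_SCORE]


def prior_logins_needed(threshold=NEW_ASN_SCORE):
    """Smallest number of earlier logins a user needs before a single login
    from a never-seen ASN can reach 'threshold' under integer arithmetic."""
    total = 1
    while 100 - 100 // total < threshold:
        total += 1
    return total - 1


# Constructed sample data (not captured from any appliance).
# Device 10.0.0.1: 12 events per bucket for 60 s, then 1000 events in one bucket.
# Device 10.0.0.2: the same burst, but already in its second bucket.
SAMPLE_EVENTS = (
    [(b, "10.0.0.1", "ASA-6-302013") for b in range(0, 60, 5) for _ in range(12)]
    + [(60, "10.0.0.1", "ASA-6-302013")] * 1000
    + [(0, "10.0.0.2", "ASA-6-302013")] * 12
    + [(5, "10.0.0.2", "ASA-6-302013")] * 1000
)
# alice: 30 VPN logins from one ASN, then one from a new ASN; bob: 5, then 1.
LOGIN_EVENTS = (
    [("alice", "AS3320")] * 30 + [("alice", "AS9009")]
    + [("bob", "AS3320")] * 5 + [("bob", "AS9009")]
)

if __name__ == "__main__":
    for row in spike_alerts(SAMPLE_EVENTS):
        print("spike:", row)
    for row in new_asn_alerts(LOGIN_EVENTS):
        print("new ASN:", row)
    print("prior logins needed for a new-ASN alert:", prior_logins_needed())
```

Two things the replay makes visible. For rule 1, because the arriving bucket is included in avg(cnt5sec), the HAVING clause with n buckets in the window reduces to (n - 10) * cnt5sec > 10 * (sum of the other buckets): with 10 or fewer buckets (the first 50 seconds a device/msg_id pair is seen) it can never be true, and with the full 12 buckets the burst must exceed five times the sum of the previous eleven buckets, which is far more than "ten times the average". Device 10.0.0.2 above therefore never alerts. For rule 2, a user's very first login scores 0 (v_count and total are both 1), and a login from a new ASN only reaches 97 once the user has at least 25 earlier logins, so the threshold doubles as a minimum-history requirement; bob's new ASN scores 84 and is silent.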
Not sure about 10.6.1, but in 10.6.2 you can check it as follows:
localhost:com.rsa.netwitness.esa:/CEP/Engine/cepWindows>jmx-invoke query --param "select * from CountEvent2"
"event_desc": "An account was successfully logged on.",
"starttime": "Fri Nov 11 10:00:20 UTC 2016",
"endtime": "Fri Nov 11 10:39:29 UTC 2016"
localhost:com.rsa.netwitness.esa:/CEP/Engine/cepEngine>jmx-invoke query --param "select * from CountEvent2"
Operation query invocation failed [No operation named 'query' in the current bean]