How to build ESA Alert for the Virus Outbreak
I am building a virus outbreak alert, i.e. "a single virus hitting multiple IPs or hosts in a particular moment of time", through the rule builder, but I failed to get the alert to trigger. I think I am making a mistake in the rule building.
Can anyone tell me how to build it in the rule builder or in Advanced EPL?
I see you haven't had any responses to this question as yet, were you able to get your virus outbreak alert configured?
RSA Social Engagement Manager
I was trying to build this rule on esa. I haven't got any answer on this yet.
While creating this rule I want to store the different IPs for a single virus in the rule builder, but failed to do so.
Hi, paste the following into an advanced ESA rule:
SELECT * FROM Event(
/* Statement: Virus Found */
(virusname IS NOT NULL AND ip_src IS NOT NULL)
).std:groupwin(ip_src,virusname).win:time(3600 seconds).std:firstunique(ip_src,virusname) retain-intersection
This will output the first unique values of each virusname and ip_src pair. If the same virusname and ip_src combination occurs within an hour (3600 seconds) then it will be suppressed.
It's a lot more complicated to get a list of ip_src addresses for each virusname. This would require more advanced Esper programming. The rule above will alert you whenever a new virusname and ip_src pair (one not seen within the last 3600 seconds) is seen.
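For the outbreak case the question actually asks about (one virusname on several distinct hosts within a window), here is an added Esper EPL rule that is not part of the answer above. The threshold of 5 hosts, the 3600-second window, the `@RSAAlert` annotation and the `window()` aggregation used to collect the affected ip_src values are assumptions; adjust them to your ESA deployment.

```epl
/* Added example, not from the thread above.
   Fires once per virusname when that virusname has been seen on at least
   5 distinct ip_src addresses within the last hour.
   - win:time keeps only the last 3600 seconds of events.
   - std:unique keeps one event per (virusname, ip_src) pair, so count(*)
     per virusname is the number of distinct hosts, and window(ip_src)
     is the list of those hosts without duplicates.
   Threshold (5), window length and the @RSAAlert annotation are assumptions. */
@RSAAlert(oneInSeconds=0)
SELECT virusname,
       count(*)       AS host_count,   /* distinct hosts seen for this virus */
       window(ip_src) AS hosts         /* the affected ip_src values */
FROM Event(virusname IS NOT NULL AND ip_src IS NOT NULL)
     .win:time(3600 seconds)
     .std:unique(virusname, ip_src)
GROUP BY virusname
HAVING count(*) >= 5
OUTPUT FIRST EVERY 3600 seconds;
```

The OUTPUT FIRST clause throttles the rule so a spreading virus raises one alert per hour per virusname rather than one per newly infected host; drop it if you want an alert on every additional host above the threshold.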