This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
ShahnawazKohati
New Contributor
New Contributor
‎2017-08-24 12:12 PM

Want to make a rule under ESA for new device discovery

Need help in creating a rule under ESA for new device discovery.

For example: Any new device which gets integrated with RSA SA i should get this alert.

 

i have created a rule for this but its not working as expected.

0 Likes
Reply
2 Replies
MichaelSconzo
Employee
Employee
‎2017-08-24 02:02 PM

Could you share the actual rule text?

0 Likes
Reply
robertofasciani
Beginner
Beginner
‎2017-08-25 02:56 AM

Hello, can you try to use an advanced EPL rule like:

 

module Module_insert_device;
@RSAPersist
CREATE WINDOW list_device.std:unique(device_ip).win:time(30 days) (event_source_id string, time long, sessionid long, lc_cid string, medium short, device_ip string, eventCount long);

@Name('insert')
ON Event ( medium = 32 AND device_ip IS NOT NULL) AS W1
MERGE list_device as W2
WHERE (W1.device_ip = W2.device_ip)
WHEN matched
THEN UPDATE SET eventCount = eventCount + 1
WHEN NOT MATCHED
THEN INSERT
SELECT event_source_id, time, sessionid, lc_cid , medium, device_ip, 1L as eventCount;

/* uncomment after learning phase
@Name('Module_Alert')
@RSAAlert
SELECT *
FROM list_device (eventCount = 1);
*/

 

I hope to have helped you

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.