Want to make a rule under ESA for new device discovery
Need help in creating a rule under ESA for new device discovery.
For example: for any new device that gets integrated with RSA SA, I should get this alert.
I have created a rule for this but it's not working as expected.
Hello, can you try to use an advanced EPL rule like:
CREATE WINDOW list_device.std:unique(device_ip).win:time(30 days) (event_source_id string, time long, sessionid long, lc_cid string, medium short, device_ip string, eventCount long);

ON Event(medium = 32 AND device_ip IS NOT NULL) AS W1
MERGE list_device AS W2
WHERE W1.device_ip = W2.device_ip
WHEN MATCHED THEN UPDATE SET eventCount = eventCount + 1
WHEN NOT MATCHED THEN INSERT SELECT event_source_id, time, sessionid, lc_cid, medium, device_ip, 1L AS eventCount;

/* uncomment after learning phase
SELECT * FROM list_device(eventCount = 1);
*/
I hope to have helped you
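As an added illustration, not part of the original thread and not NetWitness code, the logic of the EPL rule above modelled in Python: the medium/device_ip filter, the per-device_ip merge with eventCount, the learning phase during which the alert statement stays commented out, and what the 30-day time window does to a device row inserted more than 30 days earlier. Field names are taken from the rule; the sample events are constructed.

```python
from typing import Dict, List, Optional, Tuple
THIRTY_DAYS = 30 * 24 * 3600  # seconds; mirrors win:time(30 days)

class NewDeviceTracker:
    """Model of list_device: one row per device_ip (std:unique), each row
    expiring 30 days after it was first inserted (win:time)."""
    def __init__(self, window_seconds: int = THIRTY_DAYS) -> None:
        self.window = window_seconds
        self.seen: Dict[str, Tuple[int, int]] = {}  # device_ip -> (first_seen, eventCount)

    def _expire(self, now: int) -> None:
        # win:time drops a row once its insert time is 30 days old; in this
        # model the MERGE ... UPDATE does not refresh that timestamp.
        for ip, (first_seen, _) in list(self.seen.items()):
            if now - first_seen >= self.window:
                del self.seen[ip]

    def observe(self, event: dict, learning: bool = False) -> Optional[str]:
        """Return the device_ip to alert on for the first event from a device,
        else None: the ON Event filter, the MERGE, and the final SELECT."""
        if event.get("medium") != 32 or event.get("device_ip") is None:
            return None  # ON Event(medium = 32 AND device_ip IS NOT NULL)
        now, ip = event["time"], event["device_ip"]
        self._expire(now)
        if ip in self.seen:  # WHEN MATCHED: eventCount + 1, no alert
            first_seen, count = self.seen[ip]
            self.seen[ip] = (first_seen, count + 1)
            return None
        self.seen[ip] = (now, 1)  # WHEN NOT MATCHED: insert with eventCount = 1
        return None if learning else ip  # alert statement still commented out

# Constructed sample events (not real NetWitness data); time in epoch seconds.
SAMPLE_EVENTS: List[dict] = [
    {"time": 0, "medium": 32, "device_ip": "10.0.0.1"},
    {"time": 60, "medium": 32, "device_ip": "10.0.0.2"},
    {"time": 120, "medium": 1, "device_ip": "10.0.0.3"},   # wrong medium: ignored
    {"time": 180, "medium": 32, "device_ip": None},        # no device_ip: ignored
    {"time": 240, "medium": 32, "device_ip": "10.0.0.1"},  # repeat: eventCount -> 2
    {"time": THIRTY_DAYS + 300, "medium": 32, "device_ip": "10.0.0.1"},  # row expired
]

def run(events: List[dict], learning_until: Optional[int] = None):
    # Replay events; alerts are suppressed while time < learning_until.
    tracker, alerts = NewDeviceTracker(), []
    for ev in events:
        learning = learning_until is not None and ev["time"] < learning_until
        hit = tracker.observe(ev, learning)
        if hit is not None:
            alerts.append((ev["time"], hit))
    return alerts, tracker
```

The last sample event shows the behaviour this model gives the 30-day window: a device whose row has aged out is reported as new again, so the window length sets how often a known device can re-alert.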