Hi All,
How do I apply/use the "distinct" parameter in the ESA rule format if I need an alert created for a particular source connection IP only, as per a threshold time? I tried using the unique parameter, but it didn't suffice for my requirement.
RSA SA version: 10.3.5
Need help.
Here is the syntax I use for suppressing events with the same operation id within 10,000 seconds:
/*Module debug section. If this is empty then debugging is off.*/
/* EPL section. If there is no text here it means there were no statements. */
module Module_XYZ;
@Name('MODULE-XYZ')
@Description('Cool ESA Alert')
@RSAAlert(oneInSeconds=0)
/* every-distinct is keyed on operation_id: the first matching event for a given operation_id fires, and further events carrying the same operation_id are suppressed for the next 10000 seconds. */
SELECT * FROM pattern [every-distinct(a.operation_id, 10000 sec) (a=Event(device_type IN ( 'sampleDevice' ) AND operation_id is not null AND event_desc IN ( 'sample description' )))]
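As an added example (not the code from the reply above), the same every-distinct suppression keyed on the source IP and combined with a per-IP count threshold, so that one alert is raised per IP per window; the meta key ip_src, the 600-second window, the count of 5 and the stream name IpThreshold are assumed values:

```epl
/* Added example, not from the original post: one alert per source IP (ip_src)
   once that IP produces 5 or more matching events within 600 seconds.
   Field names, thresholds and the stream name IpThreshold are assumptions. */
module Module_IpThreshold;

/* Step 1: count matching events per source IP over a 600-second sliding window
   and emit a row each time an IP is at or above the threshold. */
INSERT INTO IpThreshold
SELECT ip_src, count(*) AS hits
FROM Event(device_type IN ('sampleDevice')
           AND ip_src IS NOT NULL
           AND event_desc IN ('sample description')).win:time(600 sec)
GROUP BY ip_src
HAVING count(*) >= 5;

/* Step 2: every-distinct keyed on ip_src turns the repeated threshold rows
   into a single alert per IP; further rows for the same IP are suppressed
   for 600 seconds, after which that IP can alert again. */
@Name('MODULE-IPTHRESHOLD')
@Description('One alert per source IP per 600-second window')
@RSAAlert(oneInSeconds=0)
SELECT * FROM pattern [every-distinct(t.ip_src, 600 sec) (t=IpThreshold)];
```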