Karim Benzina

Detect a loss of logs from a device IP

Discussion created by Karim Benzina on Dec 13, 2016

Hi,

I tried the ESA rule template example from the sadocs ESA documentation which detects a sudden loss of traffic.

https://sadocs.emc.com/0_en-us/088_SA106/50_Alrt/30_AddRulesLib/20_WrtAdvEPLRl/20_SmpAdvRl


Unfortunately, it does not work in my environment. Here is the EPL:

    SELECT * FROM pattern [
        every a = Event(device_ip IN ('IP_X1','IP_X2') AND medium = 32)
        -> (timer:interval(3600 seconds)
            AND NOT Event(device_ip = a.device_ip AND device_type = a.device_type AND medium = 32))
    ];


Could you please help me understand why this is not working?
