AnsweredAssumed Answered

ESA - correlating 3 events into 1 alert with input from one of the events?

Question asked by Vladimir Previn on Feb 11, 2017
Latest reply on Feb 27, 2017 by Vladimir Previn

esa question - 2 events by reference id in 3 mins (1 log type) (one of these has a checksum), then by checksum from this in another type.



ESA question -

  •    ( log type 1) have 2 events - 2 events for this log device with different contents. both arriving within say 0-10s (one of these has a checksum,order of arrival of 2 events for log type 1 is not fixed when they arrive within 0s), want to match these by checksum to second log type.
  •    ( log type 2) arriving up to 30m later. (also has the checksum meta

want to:

  •  produce an ESA alert with all 3 events
  • match the first two events (log type 1) by, and (keeping in mind the order of arrival for log type type 1 is not fixed)
  • the second (log type 2)by the checksum from one of the first events (definitely later than the two say 10-40m)
  • ideally: check some of the meta in the 3 events to decide if to alert at all.   (both of these type are low volume - say 10k messages/day)(extra bonus points for checking the array of strings meta for count of those or specific ones) 


Doable with Rule builder or EPL only? issues with time windows (two time windows,the second one a bit long)? issues with looking up the second event type by checksum from first?

Can anyone help with the syntax (use abstract device names and meta key names dt1,dt2, dt1e1,dt2e2,dt2e3, mkStr1



bit more info:

device type 1 (dt1):

 - dt1nm - network meta messages 

 - dt1fm - file meta messages (have some checksum meta , and let's some and some numeric and string meta keys)

 - linked by reference_id

 - these are emmited and arrive within 30s (actually usually within the same second if not max 5 i suppose) 

 - unfortunately the order these arrive is is not fixed when within the same second [sometimes event 0 seems to be dt1nm, sometimes dt1fm)

 - ideally want to factor in some of the meta (want to if on a few attributes say ip_src \ ip_dst and some of the numeric and string+ string array meta keys)


device type 2 (dt2)

 - dt2fm - file meta and the also the checksum meta but also some a few number, array of strings and string meta keys. 



ps already registered for the 3 RSA university free EPL/ESA modules (but not sure if the syntax changed for 10.6.2+)

but thought I'd ask if this is possible via the UI and or any issues with the time window? or any other caveats