
Alert based on unique meta key value count

Question asked by Michael Pochan on Mar 16, 2017
Latest reply on Aug 12, 2020 by Matthew McHann

Is there a way to alert on the number of unique meta key values associated with a session for a particular meta key (without using ESA or reports)? This is for Netwitness packets 10.6.2. 


A simple use case would be: 


mass spam alert = emailfrom ends '' && uniq-count of emailto > 500


This is simplistic, but we're looking for a way to detect mass outbound smtp messages. I haven't seen a way with app rules to count the number of unique meta values for a particular key and assume we can do this with an advanced esper query, but wanted to see if there was a way to perform this on the packet decoders themselves.
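The unique-count check sketched in the question, worked through as an added Python example (not code from the poster or from NetWitness): it groups session meta by session ID, counts distinct `emailto` values per session, and flags sessions whose sender matches a suffix and whose distinct recipient count exceeds the threshold. The meta key names `emailfrom`/`emailto`, the sender suffix `@example.com` and the sample records are all constructed assumptions for the demo; real key names in a deployment may differ, and the question leaves the sender suffix unspecified.

```python
from collections import defaultdict

# Constructed sample of session meta, one (session_id, meta_key, meta_value)
# tuple per meta item. Session "s1" sends to 600 distinct recipients; "s2" is a
# normal message, with one recipient repeated to show that duplicates count once.
# Key names are assumed from the question's wording, not from a real decoder.
SAMPLE_META = (
    [("s1", "emailfrom", "user@example.com")]
    + [("s1", "emailto", f"rcpt{i}@example.net") for i in range(600)]
    + [
        ("s2", "emailfrom", "alice@example.com"),
        ("s2", "emailto", "bob@example.net"),
        ("s2", "emailto", "bob@example.net"),  # duplicate value, must not inflate the count
        ("s2", "emailto", "carol@example.net"),
    ]
)


def unique_values_per_session(records, key):
    """Return {session_id: set of distinct values} for one meta key."""
    values = defaultdict(set)
    for session_id, meta_key, meta_value in records:
        if meta_key == key:
            values[session_id].add(meta_value)
    return values


def mass_mail_sessions(records, sender_suffix, threshold=500):
    """Sessions where some emailfrom value ends with sender_suffix and the
    number of distinct emailto values is greater than threshold.
    Returns a sorted list of (session_id, unique_recipient_count)."""
    senders = unique_values_per_session(records, "emailfrom")
    recipients = unique_values_per_session(records, "emailto")
    hits = []
    for session_id, recipient_set in recipients.items():
        sender_match = any(
            s.endswith(sender_suffix) for s in senders.get(session_id, ())
        )
        if sender_match and len(recipient_set) > threshold:
            hits.append((session_id, len(recipient_set)))
    return sorted(hits)


if __name__ == "__main__":
    for session_id, count in mass_mail_sessions(SAMPLE_META, "@example.com"):
        print(f"mass spam alert: session {session_id} has {count} unique recipients")
```

The point of the `set` per session is the "uniq-count" semantics the question asks for: a plain meta count would treat the repeated `bob@example.net` in session `s2` as two recipients, whereas the distinct count stays at two, so a decoder-side rule that can only count meta occurrences would over-count on repeated recipients.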