Need help in creating a rule under ESA for new device discovery.
For example: any new device which gets integrated with RSA SA, I should get an alert for it.
I have created a rule for this but it's not working as expected.
Could you share the actual rule text?
Hello, can you try to use an advanced EPL rule like:
module Module_insert_device;

@RSAPersist
CREATE WINDOW list_device.std:unique(device_ip).win:time(30 days)
    (event_source_id string, time long, sessionid long, lc_cid string, medium short, device_ip string, eventCount long);

@Name('insert')
ON Event (medium = 32 AND device_ip IS NOT NULL) AS W1
MERGE list_device AS W2
WHERE (W1.device_ip = W2.device_ip)
WHEN MATCHED
    THEN UPDATE SET eventCount = eventCount + 1
WHEN NOT MATCHED
    THEN INSERT SELECT event_source_id, time, sessionid, lc_cid, medium, device_ip, 1L AS eventCount;

/* uncomment after learning phase
@Name('Module_Alert')
@RSAAlert
SELECT * FROM list_device (eventCount = 1);
*/
I hope this has helped you.
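To see how the rule above behaves before deploying it, here is an added Python replay of its logic (not code from the thread or from RSA): a per-device_ip table that mimics the named window, the medium = 32 filter, the eventCount merge, the learning phase, and the 30-day expiry. The events, the learning cut-off and the assumption that a row expires 30 days after it was inserted (the on-merge UPDATE does not reset its place in the time window) are all constructed for the example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)   # mirrors .win:time(30 days) on the named window
LOG_MEDIUM = 32               # mirrors the ON Event(medium = 32 ...) filter

class DeviceWindow:
    """Stand-in for the list_device named window plus the @RSAAlert statement."""

    def __init__(self, learning_until):
        self.learning_until = learning_until   # alert statement stays "commented out" until here
        self.rows = {}   # device_ip -> {"eventCount": n, "inserted": datetime}

    def on_event(self, event):
        """Feed one event; return an alert dict if it reveals a new device, else None."""
        if event.get("medium") != LOG_MEDIUM or event.get("device_ip") is None:
            return None                                    # dropped by the ON Event filter
        now, ip = event["time"], event["device_ip"]
        # time window (assumption): rows leave 30 days after insertion, updates do not renew them
        self.rows = {k: r for k, r in self.rows.items() if now - r["inserted"] < WINDOW}
        row = self.rows.get(ip)
        if row:                                            # WHEN MATCHED THEN UPDATE SET eventCount + 1
            row["eventCount"] += 1
            return None
        self.rows[ip] = {"eventCount": 1, "inserted": now}  # WHEN NOT MATCHED THEN INSERT
        if now < self.learning_until:                      # learning phase: no alert yet
            return None
        return {"device_ip": ip, "first_seen": now, "event_source_id": event.get("event_source_id")}

def run(events, learning_until):
    """Replay constructed events in time order; return the list of alerts raised."""
    win = DeviceWindow(learning_until)
    return [a for e in sorted(events, key=lambda e: e["time"]) if (a := win.on_event(e))]

T0 = datetime(2024, 1, 1)
SAMPLE_EVENTS = [   # constructed sample events, not RSA output
    {"time": T0, "medium": 32, "device_ip": "10.0.0.1", "event_source_id": "ld1:50002"},
    {"time": T0 + timedelta(days=1), "medium": 32, "device_ip": "10.0.0.2", "event_source_id": "ld1:50002"},
    {"time": T0 + timedelta(days=8), "medium": 32, "device_ip": "10.0.0.1", "event_source_id": "ld1:50002"},
    {"time": T0 + timedelta(days=9), "medium": 1, "device_ip": "10.0.0.9", "event_source_id": "pd1:50005"},  # packets, ignored
    {"time": T0 + timedelta(days=10), "medium": 32, "device_ip": "10.0.0.3", "event_source_id": "ld1:50002"},  # new after learning
    {"time": T0 + timedelta(days=11), "medium": 32, "device_ip": "10.0.0.3", "event_source_id": "ld1:50002"},
    {"time": T0 + timedelta(days=40), "medium": 32, "device_ip": "10.0.0.2", "event_source_id": "ld1:50002"},  # row expired, alerts again
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, learning_until=T0 + timedelta(days=7)):
        print(alert)
```

The replay shows the two things to plan for: without a learning phase every known device alerts once, and a device whose row has aged out of the 30-day window alerts again the next time it sends logs.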