I am attempting to get this alert working to detect when a client site's VLC stops sending logs or something else goes wrong.
The rule is similar to the one for no log traffic found from a device. I have the time set very low currently for testing, but the alert never seems to want to populate. I am clearly doing something wrong, or lc_cid is not actually passed to ESA.
SELECT * FROM pattern [
    // arm on every log event (medium 32) from the watched collector
    every a = Event((lc_cid.toLowerCase() IN ('devicename')) and medium = 32)
    // fire if 60 seconds pass with no further log event from the same lc_cid
    -> (timer:interval(60 seconds)
        and not Event((lc_cid.toLowerCase() = a.lc_cid.toLowerCase()) and medium = 32))
];
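An added Python model of the pattern's semantics (not NetWitness or Esper code, and not part of the original post) that replays constructed events with assumed timestamps to show when the rule fires, and that it never arms at all when the lc_cid meta is absent from the events it sees:

```python
# Constructed sample events: (timestamp in seconds, meta dict). medium 32 = log event.
SAMPLE_EVENTS = [
    (0,   {"lc_cid": "DeviceName", "medium": 32}),
    (30,  {"lc_cid": "devicename", "medium": 32}),
    (200, {"lc_cid": "devicename", "medium": 32}),  # 170 s gap: silence alert due at 90
]


def detect_silence(events, devices, interval, now):
    """Replay events in time order and return (device, alert_time) pairs.

    Mirrors 'every a = Event(filter) -> (timer:interval(N) and not Event(same lc_cid))':
    each matching event arms a timer for its device; a further matching event within
    N seconds cancels it (and re-arms), otherwise the alert fires at last + N.
    The pattern only arms after a matching event, so a source whose events lack
    lc_cid, have a different medium, or are not in the watched list yields no alert.
    Assumption: an event arriving exactly at last + N does not cancel the timer.
    """
    watched = {d.lower() for d in devices}
    armed = {}    # lc_cid -> timestamp of the last matching event (timer armed)
    alerts = []
    for ts, meta in sorted(events, key=lambda e: e[0]):
        if ts > now:
            break
        cid = meta.get("lc_cid")
        if cid is None or meta.get("medium") != 32:
            continue          # filter fails: pattern never sees this event
        cid = cid.lower()
        if cid not in watched:
            continue
        last = armed.get(cid)
        if last is not None and ts - last >= interval:
            alerts.append((cid, last + interval))   # timer expired before this event
        armed[cid] = ts       # re-arm on every matching event
    for cid, last in armed.items():
        if now - last >= interval:
            alerts.append((cid, last + interval))   # still silent at 'now'
    return sorted(alerts, key=lambda a: a[1])


if __name__ == "__main__":
    print(detect_silence(SAMPLE_EVENTS, ["devicename"], 60, now=300))
```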