Looking for some help with an EPL rule.
The goal is to detect when a single client requests more than 275 unique A records for hosts in my AD domain within 5 minutes. The custom meta key dns_qtype is populated by an app rule that acts on logs produced by our name servers.
@RSAAlert(oneInSeconds = 0)
SELECT *
FROM Event(
dns_qtype.toLowerCase() IN ('dns a') AND
matchLike(alias_host, "%domain.local") AND
ip_src IS NOT NULL
)
This expression matches all of the events (DNS A record queries for domain.local). What I don't know is how to achieve the threshold and grouping by source IP with only unique alias_host values (i.e. what combination of views is required). Note that alias_host is an array as well - I'm not sure if that changes the behavior of std:unique.
I've tried this a few different ways and none of them have worked - would appreciate some assistance.
Hi Craig,
Try this out. I tested it with some log samples at my end.
@RSAAlert(oneInSeconds = 0)
SELECT *
FROM Event(
dns_qtype.toLowerCase() IN ('dns a') AND
matchLike(alias_host, "%domain.local") AND
ip_src IS NOT NULL
).std:groupwin(ip_src).win:time_length_batch(5 minutes, 275).std:unique(alias_host)
group by ip_src
having count(*) = 275
;
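As an added illustration that is not part of either post, the following Python sketch implements the same detection logic the EPL expresses (per-source grouping, a 5-minute window, unique hosts under the AD domain, threshold of 275) over constructed sample events, so the expected behaviour can be checked offline before tuning the rule. The event shape, domain suffix, and sample sources are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 275            # unique A-record hosts per source within the window
DOMAIN_SUFFIX = "domain.local"   # assumed AD domain, matching "%domain.local"


def make_sample_events():
    """Constructed events shaped like the meta the rule filters on:
    (timestamp, ip_src, dns_qtype, alias_host as a list, since alias_host is an array)."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    # 10.0.0.5 sweeps 300 distinct hosts in four minutes -> should alert
    for i in range(300):
        events.append((base + timedelta(seconds=0.8 * i), "10.0.0.5", "DNS A",
                       [f"host{i}.domain.local"]))
    # 10.0.0.9 asks for the same host 300 times -> unique count stays at 1, no alert
    for i in range(300):
        events.append((base + timedelta(seconds=0.8 * i), "10.0.0.9", "DNS A",
                       ["dc01.domain.local"]))
    return sorted(events)


def matches(qtype, hosts):
    """Mirror of the EPL filter: an A query for at least one host in the AD domain."""
    return qtype.lower() == "dns a" and any(h.endswith(DOMAIN_SUFFIX) for h in hosts)


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding per-source window of (timestamp, host); a source is reported once
    the number of distinct in-domain hosts it queried within the window exceeds
    the threshold. Returns the set of alerting ip_src values."""
    per_src = defaultdict(deque)   # ip_src -> deque of (ts, host), oldest first
    alerted = set()
    for ts, src, qtype, hosts in events:
        if not matches(qtype, hosts):
            continue
        q = per_src[src]
        # alias_host is an array: every in-domain element counts toward uniqueness
        for h in hosts:
            if h.endswith(DOMAIN_SUFFIX):
                q.append((ts, h))
        while q and ts - q[0][0] > window:     # expire entries older than the window
            q.popleft()
        if src not in alerted and len({h for _, h in q}) > threshold:
            alerted.add(src)
    return alerted
```

Running detect(make_sample_events()) reports only 10.0.0.5; the repeated queries from 10.0.0.9 never exceed one unique host, which is the difference a plain count(*) without std:unique would miss.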