How can I write a rule w/reference ID 4741 FOLLOWED BY reference ID 5139?
I was able to complete this in the Rule Builder section of the UI. I have posted screen shots below for comparison. Please note this was built in 11.3.1.
Access your rule library (Configure > ESA Rules > Rule Library) and add a new rule ('+' icon, click on Rule Builder).
Give your rule a pertinent name
Keep Trial Rule selected - RSA best practice
In your Conditions, create two statements:
Statement 1: I set the name as Event ID 4741 (use whatever you want), selected "if all conditions are met" and entered the following meta condition: reference_id is 4741. I then added a second meta condition, ec_outcome is Success, and clicked Save.
Statement 2: I set the name as Event ID 5139 (again, use whatever you want), selected "if all conditions are met" and entered the following meta condition: reference_id is 5139, then clicked Save. I did not add an ec_outcome (event outcome) to the second statement, as the alert would then only fire when there was a successful computer account creation followed by a successful object move. You may want to consider this based on your environment.
Once you are back in the main Rule Builder screen, on the first statement there is a heading labeled Connector. Click in the box and select "followed by".
New options will appear below your Conditions: a Group By and an Occurs Within. For purposes of building this, I grouped by the first meta condition, reference_id, and set a time window of 5 minutes; however, this value is subject to what makes sense for your environment. In the Event Sequence, I set the value to Strict.
Once this is complete, click on Show Syntax - this will let you know if there are any errors in the rule being built.
This is the syntax for the rule that I just created:
/* This basic template is a placeholder for defining basic EPL content that can be installed and executed in ESA. The sample below is the minimum that would be required to get started. Version: 5*/
/*Module debug section. If this is empty then debugging is off.*/
/* EPL section. If there is no text here it means there were no statements. */
@Name('Module_5d4c8873e4b07de398f298bc_Alert') @Description('') @RSAAlert(oneInSeconds=0)
SELECT * FROM Event( /* Statement: Event ID 4741 */ (reference_id IN ( '4741' ) AND ec_outcome IN ( 'Success' )) OR /* Statement: Event ID 5139 */ (reference_id IN ( '5139' )) ).win:time(5 Minutes) MATCH_RECOGNIZE ( PARTITION BY reference_id MEASURES E1 as e1_data , E2 as e2_data PATTERN (E1 E2) DEFINE E1 as (E1.reference_id IN ( '4741' ) AND E1.ec_outcome IN ( 'Success' )), E2 as (E2.reference_id IN ( '5139' )) );
Lastly, you can configure notifications for the alert outside of any incident rules which may already cover Windows Event alerts. You have four notification options - Email, SNMP, Syslog and a Script. You would need to have these already configured under Admin > System > Global Notifications.
Once you are done, click Save and you're ready to deploy the rule to your ESA! This will give you a place to start, and you can follow up with any tuning as the alerts start firing.
Let us know if you have any questions!
Sales Engineer - NetWitness
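The rule built above, replayed over a handful of constructed Windows events. This is an added example in Python, not NetWitness or ESA code, and the sample events, their timestamps and the host field used as a shared grouping key are assumptions made for illustration. It emulates what the generated EPL does: the stream filter (4741 with Success, or 5139), the 5-minute time window, and PATTERN (E1 E2) evaluated per partition. The partition key is a parameter so you can see why the choice matters: in the syntax shown, the rule partitions by reference_id, which is 4741 for E1 and 5139 for E2, so the two events never land in the same partition and the pattern cannot match; grouping by a meta key both events share (a host or account name, here the placeholder host) is what lets the sequence fire. The strict versus non-strict handling is a simplified reading of ESA's Event Sequence setting, not the product's exact implementation.

```python
"""Stand-in for the ESA 'followed by' rule: E1 (4741, Success) then E2 (5139)
within a 5-minute window, matched per partition. Added example, not ESA code.
The 'host' field and every event below are constructed for illustration."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # Occurs Within / win:time(5 Minutes)


def is_e1(ev):
    # Statement 1: computer account created successfully
    return ev["reference_id"] == "4741" and ev.get("ec_outcome") == "Success"


def is_e2(ev):
    # Statement 2: directory object moved (no outcome check, as in the post)
    return ev["reference_id"] == "5139"


def find_sequences(events, partition_key, window=WINDOW, strict=True):
    """Return (e1, e2) pairs where an E1 is followed by an E2 carrying the same
    partition_key value, with E2 no more than `window` after E1.

    Simplified sequence modes (assumption, not ESA's exact semantics):
      strict     - a newer E1 in the same partition restarts the pattern, so
                   E2 pairs with the most recent E1 (MATCH_RECOGNIZE E1 E2);
      non-strict - the earliest pending E1 is kept until its E2 arrives.
    """
    # SELECT * FROM Event(cond1 OR cond2): only candidate events enter the stream
    stream = sorted((e for e in events if is_e1(e) or is_e2(e)),
                    key=lambda e: e["time"])
    pending = {}   # partition value -> E1 waiting for its E2
    alerts = []
    for ev in stream:
        key = ev.get(partition_key)
        e1 = pending.get(key)
        if e1 is not None and ev["time"] - e1["time"] > window:
            pending.pop(key)            # E1 aged out of the time window
            e1 = None
        if is_e2(ev):
            if e1 is not None:          # E1 followed by E2 in the same partition
                alerts.append((e1, ev))
                pending.pop(key)
        elif e1 is None or strict:      # is_e1(ev): new or restarted pattern
            pending[key] = ev
    return alerts


def ts(hhmm):
    return datetime(2024, 1, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample events, not real Windows logs.
SAMPLE_EVENTS = [
    {"time": ts("10:00"), "reference_id": "4741", "ec_outcome": "Success", "host": "DC01"},
    {"time": ts("10:02"), "reference_id": "5139", "host": "DC01"},                       # pairs with 10:00
    {"time": ts("10:10"), "reference_id": "4741", "ec_outcome": "Failure", "host": "DC02"},  # filtered out
    {"time": ts("10:11"), "reference_id": "4741", "ec_outcome": "Success", "host": "DC02"},
    {"time": ts("10:30"), "reference_id": "5139", "host": "DC02"},                       # outside 5 minutes
    {"time": ts("11:00"), "reference_id": "4741", "ec_outcome": "Success", "host": "DC03"},
    {"time": ts("11:01"), "reference_id": "4741", "ec_outcome": "Success", "host": "DC03"},
    {"time": ts("11:02"), "reference_id": "5139", "host": "DC03"},                       # strict: pairs with 11:01
]


def summarize(partition_key, strict=True):
    """Alert summary as (host, e1 time, e2 time) tuples for the sample events."""
    return [(e1["host"], e1["time"].strftime("%H:%M"), e2["time"].strftime("%H:%M"))
            for e1, e2 in find_sequences(SAMPLE_EVENTS, partition_key, strict=strict)]


if __name__ == "__main__":
    print("PARTITION BY reference_id:", summarize("reference_id"))   # no alerts
    print("PARTITION BY host, strict:", summarize("host"))
    print("PARTITION BY host, non-strict:", summarize("host", strict=False))
```

Run it as-is to see the three cases: grouping by reference_id produces nothing, while grouping by the shared host field yields the DC01 pair and the DC03 pair (DC02 is dropped by the window, and the Failure event never enters the stream). Swap in whichever meta key your events actually share before relying on the rule in ESA.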