
Syntax Errors in Esper

Question asked by John Abinash Paul on Aug 19, 2019
Latest reply on Aug 20, 2019 by John Abinash Paul

Hi Friends,

I am getting an error when I try to deploy the below Esper rule in ESA: "unknown method Collection.toLowerCase()". Can anyone help?

This happened after the upgrade from 11.x to 11.3.1.0.

Snippet:

 

@RSAAlert(oneInSeconds=0)
@Hint('reclaim_group_aged=100')

SELECT * FROM Event(
/* Statement: symantecav */
(device_type .toLowerCase() IN ( 'symantecav' ) AND isOneOfIgnoreCase(action,{ 'left alone' }))
OR
/* Statement: Fireeye */
(device_type .toLowerCase() IN ( 'fireeyewebmps' ) AND msg_id IN('malware-callback'))
OR
/* Statement: Upload */
(service IN ( 21 ) OR (risk_info .toLowerCase() IN ( 'file transport over unknown protocol' ) AND tcp_dstport IN (80))

)).win:time(10 Minutes)
MATCH_RECOGNIZE (

MEASURES E1 as e1_data , E2 as e2_data, E3 as e3_data
PATTERN (E1 E2 E3 E3 E3 E3)
DEFINE
E1 as (E1.device_type .toLowerCase() IN ( 'symantecav' ) AND isOneOfIgnoreCase(E1.action,{ 'left alone' })),
E2 as (E2.device_type .toLowerCase() IN ( 'fireeyewebmps' ) AND E2.msg_id IN('malware-callback')AND E2.ip_src = E1.ip_src),
E3 as ((E2.service IN ( 21 ) OR (E3.risk_info .toLowerCase() IN ( 'file transport over unknown protocol' )AND E3.tcp_dstport IN (80))) AND E3.ip_src = E2.ip_src)
);
