AnsweredAssumed Answered

ESA Rule - replace user_src in Alert

Question asked by Bohdan Rylko on Aug 20, 2019
Latest reply on Aug 22, 2019 by Lee Kirkpatrick

I am creating EPL rule, where I want to take 2 type of events - one type has user.src and the second type has different identification of user in custom meta, for which I add user.src using a custom feed, but it can have also empty user.src if the feed doesn't match on it.

Then I need to group generated alerts into incident grouped by user.src.

 

The problem is that no incidents are generated for alerts having no user.src when I am grouping by user.src in the incident. Thus I want to use the custom meta (secondary user identification) in cases when user.src is empty.

 

I got to an idea to set user_src to value of custom meta in EPL in case when user_src doesn't exist, but I don't know how to achieve that. Is there any way how to do it?

 

I tried for example this:

SELECT *, coalesce(user_src,custom_meta_name,'UNKNOWN_USER') as user_src  FROM Event( some filters);

But that won't deploy, as user_src is returned twice in the result. Listing also all possible keys from Event instead of *, while replacing user_src with coalesce expression also doesn't sound like the best way.

 

Then I tried saving the result of SELECT to EventStream and update the user_src in EventStream (using UPDATE command) before using it to create event by SELECT * from EventStream, but that didn't reploy too (problem was in UPDATE command, it probably doesn't work in EPL like in SQL)

 

Any solution for this?

Outcomes