AnsweredAssumed Answered

Creating a simple ESA rule

Question asked by Jeremy Kerwin on Nov 24, 2019
Latest reply on Nov 26, 2019 by James Moon

Like • Show 0 Likes0
Comment • 4

Sorry for such a simple questioni

I had a simple ESA rule that was working prior to upgrading to 11.3.1.1. but now it's not triggering anymore and gives an error about in incorrect use of an OR clause or something to that effect

The rule basically goes.

If alert contains 'panda' OR 'bear' OR 'spider' AND IP address is not 128.0.0.1 then generate an alert and notify by email.

Rather than trying to troubleshoot the old rule, I'm happy to just create a new, working one. Could someone help me in how this would look in the rule builder?

Thanks.

No one else has this question

Outcomes

4 Replies

Dave Glover Nov 25, 2019 1:38 AM
Mark Correct
Correct Answer
Jeremy

You could do something like the following:

I added in your ip after this screen shot was taken

Which would then result in a rule that looks like this in the syntax

Hope that helps

Dave
Attachments
- image1.png45.7 KB
- image0.png43.4 KB
Like • Show 0 Likes0
Actions
- Jeremy Kerwin @ Dave Glover on Nov 25, 2019 4:41 PM
  Mark Correct
  Correct Answer
  Thanks Dave,
  It's still not triggering on my end. The sample you gave, does that mean that the alert has to be exactly what's in the rule (ie. panda, bear)?
  What I'm after if the alert contains those strings, like the alert is 'fancybear'.
  Like • Show 0 Likes0
  Actions
Jeremy Kerwin Nov 25, 2019 11:25 PM
Mark Correct
Correct Answer
Ahh, Looks like there is an actual problem with my ESA server, it's not triggering any alerts on even the simplest rules.
I've logged a called with RSA support
Like • Show 0 Likes0
Actions
- James Moon @ Jeremy Kerwin on Nov 27, 2019 7:12 PM
  Mark Correct
  Correct Answer
  In case others find it helpful, the issue was due to the current version(11.3.x) not supporting the use of Meta Entities(RSA NetWitness® Suite Unified Data Model Meta Entities) in ESA rules. There is an RFE, ASOC-60958, to support this but without a confirmed target version at present.
  
  Also, to match any values containing 'bear', an advanced EPL is required with a condition like below.
  (isOneOfIgnoreCase(alert,{ '%bear%' , 'panda' }))
  
  (asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%bear%')
  OR
  (asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%panda%')
  
  Thanks to Josh Randall for providing the syntax.
  
  Regards,
  James
  Like • Show 0 Likes0
  Actions

Creating a simple ESA rule

Outcomes

Attachments

Related Content

Recommended Content