
ESA Rule - event A not preceded by event B

Question asked by Tamas Szilagyi on Jan 10, 2020
Latest reply on Jan 17, 2020 by Josh Randall

Hi, I have a case where I want to create an alert for a specific event only if another event did not precede that specific event. To give more context: if an email gateway 'reputation' event happened for an IP, the firewall alert rule for that same IP should not trigger. Or, looking at it the other way around, the firewall rule should only trigger if there were no email gateway 'reputation' events for the same IP before it.
I used the Esper reference - event patterns docs and found this:
A pattern that takes all A events that are not preceded by B within 5 minutes:

every (timer:interval(5 min) and not B -> A)

So I wrote a rule like this:

SELECT * FROM PATTERN [
    Every (
        timer:interval(1 min)
        AND NOT B=Event(
            device_type.toLowerCase() IN ( 'email_gateway' )
            AND result.toLowerCase() IN ( 'reputation' )
        )
        ->
        A=Event(
            device_class.toLowerCase() IN ( 'firewall' )
            AND ip_src = B.ip_src
            AND isOneOfIgnoreCase(action,{ 'accept' })
        )
    )
];
The syntax is valid, but the alerts did not trigger.

What could be the issue?
Edit: small addition, NW version 11.2.
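The detection logic the post is after, written out as a stateful correlator so the expected alerts can be checked independently of how Esper evaluates the pattern. This is an added example, not code from the post or from NetWitness/ESA: the field names (device_type, device_class, result, action, ip_src) and the 1 minute window follow the rule above, and the event list is constructed. The suppression is keyed by ip_src: the correlator has to remember when the last email-gateway 'reputation' event was seen for each source IP, because that is the only way to know which later firewall accepts for the same IP to suppress.

```python
"""Alert on a firewall 'accept' for a source IP only when no email-gateway
'reputation' event was seen for that same IP within the preceding window.

Added example (not from the original post or NetWitness). Field names follow
the ESA rule in the post; the sample events below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

WINDOW_SECONDS = 60  # same window as timer:interval(1 min) in the rule


@dataclass
class Event:
    ts: float                 # event time in seconds (assumed monotonic per source)
    ip_src: str
    device_type: str = ""     # e.g. 'email_gateway'
    device_class: str = ""    # e.g. 'firewall'
    result: str = ""          # e.g. 'reputation'
    action: str = ""          # e.g. 'accept'


def is_reputation(e: Event) -> bool:
    """The 'B' event of the rule: email gateway reputation hit (case-insensitive)."""
    return e.device_type.lower() == "email_gateway" and e.result.lower() == "reputation"


def is_fw_accept(e: Event) -> bool:
    """The 'A' event of the rule: firewall accept (case-insensitive)."""
    return e.device_class.lower() == "firewall" and e.action.lower() == "accept"


class NotPrecededCorrelator:
    """Keeps the most recent B time per ip_src and suppresses A events that
    follow a B for the same IP within the window."""

    def __init__(self, window: float = WINDOW_SECONDS):
        self.window = window
        self.last_b: Dict[str, float] = {}   # ip_src -> timestamp of latest B

    def process(self, e: Event) -> Optional[Event]:
        """Return the event if it should alert, otherwise None."""
        if is_reputation(e):
            self.last_b[e.ip_src] = e.ts   # remember B; B itself never alerts
            return None
        if is_fw_accept(e):
            last = self.last_b.get(e.ip_src)
            if last is not None and e.ts - last > self.window:
                del self.last_b[e.ip_src]  # expired, drop it so state does not grow
                last = None
            if last is None:
                return e                   # no B for this IP in the window: alert
        return None                        # suppressed, or not an A/B event at all


def run(events: List[Event], window: float = WINDOW_SECONDS) -> List[Event]:
    """Replay events in time order and collect the ones that alert."""
    corr = NotPrecededCorrelator(window)
    alerts: List[Event] = []
    for e in sorted(events, key=lambda x: x.ts):
        hit = corr.process(e)
        if hit is not None:
            alerts.append(hit)
    return alerts


# Constructed sample stream (not real NetWitness data).
SAMPLE_EVENTS = [
    Event(0,   "10.0.0.5", device_type="email_gateway", result="Reputation"),
    Event(30,  "10.0.0.5", device_class="Firewall", action="ACCEPT"),  # B 30s earlier: suppressed
    Event(10,  "10.0.0.9", device_class="firewall", action="accept"),  # no B for this IP: alert
    Event(100, "10.0.0.5", device_class="firewall", action="accept"),  # B is 100s old: alert
    Event(120, "10.0.0.9", device_class="firewall", action="deny"),    # not an accept: ignored
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"ALERT ts={a.ts} ip_src={a.ip_src}")
```

Running it prints alerts for 10.0.0.9 at t=10 and for 10.0.0.5 at t=100; widening the window to 200 seconds suppresses the second one. The case-insensitive comparisons mirror the toLowerCase()/isOneOfIgnoreCase calls in the rule.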
