Visham Rawat

Unable to deploy ESA rule

Discussion created by Visham Rawat on Jan 30, 2020
Latest reply on Jan 31, 2020 by Visham Rawat

I get the following error while deploying the rule. I've check the syntax and it says rule is valid.

 

ESA was unable to deploy one or more rules, and these rules were disabled. Common issues include: missing metadata, invalid rule syntax, and unavailable external connections at the time of deployment.

 

Following is the rule logic used. I'm not sure what the problem is.

 

/*
 This basic template is a placeholder for defining basic EPL content that can be
 installed and executed in ESA. The sample below is the minimum that would be
 required to get started.
 Version:  5
*/
/*
Module debug section. If this is empty then debugging is off.
*/

/* EPL section. If there is no text here it means there were no statements. */

    module Module_c487ee49_24d6_4676_80af_94bdcdc59d6b;        
        @Name('Module_c487ee49_24d6_4676_80af_94bdcdc59d6b_Alert')
        @Description('')
        @RSAAlert(oneInSeconds=0)

        SELECT * FROM Event
        (
            /* Statement: Repeated Uniform Bytes to Domains */
            (domain_dst IS NOT NULL
             AND bytes_src IS NOT NULL)
        )
        .std:unique(domain_dst)
        .std:groupwin(bytes_src)
        .win:time_length_batch(5 Minutes, 100)
        GROUP BY bytes_src
        HAVING COUNT(*) >= 100;

Outcomes