I would like to create ESA alert based on below logic. Can any one assist me to create it.
Alert should tiger if value of two meta is not same for the same events/session.
metaA != metaB
You'll need to create an Advanced Rule to accomplish this, and you'll also need to know the type of the meta keys you want to compare, specifically if either/both of the keys are Strings (string) or StringArray (string) types.
If both keys are string type metas, then your comparison will be quite simple, and almost exactly as you have written it in your question. Example:
@RSAAlertSELECT * FROM Event( medium IN ( 32 ) AND device_type IN ( 'winevent_nic' ) AND user_src IS NOT NULL AND user_dst IS NOT NULL AND (Event.user_src != Event.user_dst) );
If either of the keys is a string type meta, though, you'll start to run into problems (even more so if both keys are string). This is because, in comparing 'a' to ['a', 'b', 'c'] --> even though 'a' != 'b' and 'a' != 'c' (which you do want to alert on), 'a' = 'a' which means your comparison of these different values would end up not alerting.
Even though it's probably not going to be useful as an actual alert, the syntax might still be helpful, so here's an example of what this kind of rule might look like:
@RSAAlertSELECT * FROM Event( medium IN ( 32 ) AND device_type IN ( 'winevent_nic' ) AND user_src IS NOT NULL AND email_src IS NOT NULL AND (Event.user_src != ANY(Event.email_src)) );
The are ways around this, but the alert rule would need to be much more complex.
Thanks a lot.
i have created alert and it is working fine.
Retrieving data ...