Hi all,
I have some ESA rules that are firing alerts, the weird thing is that, if i try to look at the alerts details, it says that there are 0 events and so i'm not able to see metas nor investigate the events that caused the alert.
Could anyone give some clue?
I'm also attaching a couple of screenshots.
Thanks in advance,
Andrea
Hi Andy,
i have the same behaviour with both basic and advanced rules and i'm not using time windows.
I've also tried a very very simple rule with a single statement "threat.category=suspicious" that is firing alerts but does not return any event in the details.
Hi!
Did you have chance to resolve this issue? I'm currently having the same problem.
Regards.
on Apr 9, 2015
Is this an advanced rule or a basic one?
I've had similar problems with advanced rule where the alert trigger is a based on something like a time window...
create window CountTable.win:length(10)....
insert into CountTable select time, sessionid, event_source_id, + the fields you actually want
@RSAAlert(oneInSeconds=0) select time, sessionid, event_source_id, + fields you actually want from CountTable