Example Advanced ESA Rule which shows suppression on multiple variables in the NetWitness Platform

Issue

A user wishes to have an ESA Rule that fulfills the following criteria:
  • Only one alert should be sent within a particular time frame.
  • The alert is based on two (or more) variables.

Tasks

In our example, we assume that we only want to be notified once per hour for each unique ip_src and ip_dstport combination seen in our Check Point firewall logs.
In reality this would be a very chatty rule; it is written to demonstrate the functionality, not as a real rule for a production environment.

Resolution

Create an Advanced Event Stream Analysis rule with the following content:

module Module_564eeceae4b06807f34ebd2d;
@RSAPersist
@Name('Module_564eeceae4b06807f34ebd2d_Alert')
@Description('')
@RSAAlert(oneInSeconds=0)
@Hint('reclaim_group_aged=10,reclaim_group_freq=30')

SELECT ip_src, ip_dstport, device_type, ip_dst FROM Event(
/* Statement: CheckPoint - only firewall events that carry all three fields */
(device_type IN ( 'checkpointfw1' ) AND ip_src is not null AND ip_dstport is not null AND ip_dst is not null)
)
/* Group by the (ip_src, ip_dstport) pair, keep a 1 hour sliding window per group,
   and retain only the first event per pair; retain-intersection keeps an event
   only while every view in the chain still retains it. */
.std:groupwin(ip_src,ip_dstport).win:time(3600 seconds).std:firstunique(ip_src,ip_dstport) retain-intersection;

The rule does the following:
  1. Group events into distinct ip_src and ip_dstport combinations.
  2. Has a sliding window of 1 hour.
  3. Only sends the first unique ip_src and ip_dstport combination.
The retain-intersection keyword ensures that only events retained by ALL three of these views are forwarded.
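To make the suppression behaviour of that view chain concrete, here is an added Python emulation of the first rule run over a constructed event stream; it is not NetWitness or Esper code. It assumes Esper's intersection semantics: when win:time expires the retained first event, firstunique forgets that pair too, so a persistent source re-alerts one hour after the event that alerted, not one hour after its last suppressed event.

```python
class FirstUniqueWindow:
    """Alert once per (ip_src, ip_dstport) pair; the pair re-arms when its
    retained event leaves the time window (assumed Esper intersection semantics)."""

    def __init__(self, window_seconds=3600, key_fields=("ip_src", "ip_dstport"),
                 device_types=("checkpointfw1",)):
        self.window = window_seconds
        self.key_fields = key_fields
        self.device_types = set(device_types)
        self.retained = {}  # key -> timestamp of the event firstunique retained

    def matches_filter(self, event):
        # The FROM Event(...) filter: right device_type and no null key fields.
        return (event.get("device_type") in self.device_types
                and all(event.get(f) is not None
                        for f in ("ip_src", "ip_dstport", "ip_dst")))

    def process(self, now, event):
        # win:time expiry propagates through the intersection, so an expired first
        # event also leaves firstunique and the next event for that pair alerts.
        self.retained = {k: t for k, t in self.retained.items()
                         if now - t < self.window}
        if not self.matches_filter(event):
            return False
        key = tuple(event[f] for f in self.key_fields)
        if key in self.retained:
            return False  # same pair already alerted inside the window
        self.retained[key] = now
        return True  # first unique pair in this window: alert


def ev(src, port, dst="10.0.1.9", dev="checkpointfw1"):
    return {"device_type": dev, "ip_src": src, "ip_dstport": port, "ip_dst": dst}

# Constructed sample stream of (seconds since start, event); not real firewall logs.
SAMPLE_EVENTS = [
    (0, ev("10.0.0.5", 445)),                      # first 10.0.0.5/445 -> alert
    (10, ev("10.0.0.5", 3389)),                    # new port for the same source -> alert
    (1800, ev("10.0.0.5", 445, dst="10.0.1.7")),   # same pair, other ip_dst -> suppressed
    (3000, ev("10.0.0.5", 445, dst=None)),         # null ip_dst -> dropped by the filter
    (3000, ev("10.0.0.5", 445, dev="snort")),      # wrong device_type -> dropped
    (3500, ev("10.0.0.5", 445)),                   # still inside the hour -> suppressed
    (3700, ev("10.0.0.5", 445)),                   # first event expired at 3600 -> alert
]


def alert_times(events, window_seconds=3600):
    rule = FirstUniqueWindow(window_seconds)
    return [t for t, e in events if rule.process(t, e)]
```

alert_times(SAMPLE_EVENTS) returns [0, 10, 3700]: the event at 3500 is suppressed while the one at 3700 alerts, because the window is measured from the retained event at 0, not from the last suppressed event.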

For output suppression you can also add "output first every 30 min", which emits only the first matching result and then suppresses output until 30 minutes have elapsed, e.g.

@RSAAlert
/* A Snort source hitting port 137 on more than three destinations within one minute */
SELECT window(*) FROM Event
(
device_type='snort'
AND ip_dstport=137
).win:time(60 sec)
GROUP BY ip_src
HAVING count(ip_dst) > 3
/* emit the first result, then suppress further output for 30 minutes */
output first every 30 min;

Product Details

RSA Product Set: NetWitness
RSA Product/Service Type: Event Stream Analysis (ESA)