EPL Essentials

Written by Admin | Oct 2, 2016 4:00:00 AM

Esper's Event Processing Language (EPL) can be a little daunting at first glance, but the basic principles are surprisingly quick and easy to pick up – and from these basic principles it is possible to cover a wide variety of use cases.

The document attached to this post is an overview of those basic principles that will help in creating advanced EPL rules in NetWitness. I personally use it as an aide-mémoire for when I cannot remember the correct syntax for what I want to create; I hope you will all find it as valuable as I do.