Is it possible to have a rule wait?
Let's say we have two different events received by ESM in the following order:
We need to fire on event 1 if we do not see event 2 within the next minute or so. Is there a way to accomplish this? Thank you for your thoughts.
When you create 2 events in the rule it will show a ">< Matching Event" join at the top of the rule, indicating that both conditions must be met.
If you right click on the Join it will give you an option to set the time interval for the two events.
You want to look at the "On time window expiration" in the action section of the rule. This will be used when you set up a join which is not fulfilled in the defined time.
Hi Dave, thank you for your reply. For joined events, Event 2 should be present as well in order to trigger it. But in my scenario, we want to trigger if event 2 does not arrive.
I just tried the "On time window expiration", it does work. However, it seems that the generated correlation event does not include the base events. Any ideas?
I had a similar situation.
My approach uses an active list.
On the arrival of event 1, I add it.
On the arrival of event 2, I sanitize the row.
If the timeout of the active list kicks out the event 1 row, then I have the situation.
My problem was a little bit more complex since the time frame was too large for using just rule thresholds, and the arrival of event 1 and 2 may permute.
Would that work for you?
Hi Ludovico, thanks for your reply. How do you fire a rule on Active List entry expiration? I thought rules only fire on events. Are you saying Active List entry expiration will generate an event and the rule can capture that triggered event?
That is correct.
Check for events matching either one or both:
- Device Event Class ID = activelist:104
- Device Event Category = /ActiveList/Expire
- End Time
- File Name = <the name of your active list>
- File Path = <the path of your active list>
- Device Custom Date 1.Creation Time
- Device Custom Number1.Count = <the same value as the "count" column on your active list>
- Device Custom String 4.Entry Value = <this is the most important field since it has everything that was on your Active List row>
You must be aware that you may need to parse the "Custom String 4" in order to get the fields that were on the row.
Each value has the delimiter "|".
My advice is to choose wisely which columns come first on your Active List so you can ease this parsing.
Let me know if you have further doubts.
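As an added illustration of the two steps Ludovico describes (match the expiration event, then split "Custom String 4" on "|" back into the active list's columns), here is a small Python example. It is not ArcSight's own code or API: events are modelled as plain dicts, the camelCase keys (deviceEventClassId, fileName, deviceCustomString4, ...) are assumed internal names for the display fields listed in the post, and the list name, column order and sample event are constructed for the example.

```python
# Added example for this thread (not ArcSight's own code): recognise an
# active-list entry expiration event and parse its Entry Value back into
# the columns of the active list. Events are modelled as plain dicts whose
# keys (deviceEventClassId, fileName, deviceCustomString4, ...) are assumed
# internal names for the display fields listed in the post above.

EXPIRE_CLASS_ID = "activelist:104"      # Device Event Class ID from the post
EXPIRE_CATEGORY = "/ActiveList/Expire"  # Device Event Category from the post
DELIMITER = "|"                         # delimiter between Entry Value columns

# Constructed: name and column order of a hypothetical active list that
# stores event 1 while we wait for event 2.
EVENT1_LIST_NAME = "Pending Event1"
EVENT1_COLUMNS = ["sourceAddress", "eventName", "deviceHostName", "firstSeen"]

# Constructed sample expiration event, shaped like what ESM generates when
# the event-1 row times out without event 2 having cleared it.
SAMPLE_EXPIRE_EVENT = {
    "deviceEventClassId": EXPIRE_CLASS_ID,
    "deviceEventCategory": EXPIRE_CATEGORY,
    "fileName": EVENT1_LIST_NAME,
    "filePath": "/All Active Lists/Custom/",
    "deviceCustomNumber1": 1,
    "deviceCustomString4": "10.0.0.5|login-failure|host01|2024-01-01 10:00:00",
}


def is_active_list_expiration(event, list_name=None):
    """True if the event carries the class id or the category of an
    expiration event and, when list_name is given, comes from that list."""
    matches = (event.get("deviceEventClassId") == EXPIRE_CLASS_ID
               or event.get("deviceEventCategory") == EXPIRE_CATEGORY)
    if not matches:
        return False
    if list_name is not None and event.get("fileName") != list_name:
        return False
    return True


def parse_entry_value(entry_value, columns):
    """Split the '|'-delimited Entry Value into a dict keyed by column name.
    Columns missing from the value become None; surplus values the caller
    did not name are kept under '_extra' so nothing is silently dropped."""
    parts = entry_value.split(DELIMITER) if entry_value else []
    row = {name: (parts[i] if i < len(parts) else None)
           for i, name in enumerate(columns)}
    if len(parts) > len(columns):
        row["_extra"] = parts[len(columns):]
    return row


def recover_event1(event, list_name=EVENT1_LIST_NAME, columns=EVENT1_COLUMNS):
    """Return the event-1 fields stored on the expired row, or None if the
    event is not an expiration from the expected active list."""
    if not is_active_list_expiration(event, list_name):
        return None
    return parse_entry_value(event.get("deviceCustomString4", ""), columns)


if __name__ == "__main__":
    print(recover_event1(SAMPLE_EXPIRE_EVENT))
```

The parser only assigns the columns you name, in order, which is the practical consequence of the advice above: put the stable, single-token fields (addresses, names) first, because any value that itself contains a "|" shifts every column after it, and keeping free-text fields last confines that damage to the tail of the row.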
Hi Ludovico, thank you for your detailed reply again. My problem is that by using this approach, it will not be triggered on the original event 1. When we are processing events, our analysts need to attach the correlated event to a case. In a normal scenario, a correlated event along with the base events that triggered the correlated event are all attached to the case. However, in this scenario, the correlated event and the triggering event, which is actually the Active List entry expiration event, will be attached to the case, not necessarily the original Event 1, and our analysts will have to go through a few hoops to get to the original event. This is the tricky part.