[rules-users] Rule with temporal operators

PriyaSha nash.8103 at gmail.com
Tue Jul 7 05:50:52 EDT 2009


global java.lang.String output

declare OMNewTicket
    @role( event )
    @timestamp( timeStampAttr )
    @expires( 10m )
end

# Find 'critical' events of 'Windows' which occurred after 1 minute but before
# 10 minutes of 'warning' events of 'Symantec', provided no 'Security' event
# with severity 'normal' exists in between
rule "Sample Temporal"
no-loop true
when
    $ticket  : OMNewTicket( $severity1 : severity == "warning",
                            appName == "Symantec",
                            $timeStampAttr1 : timeStampAttr )
    # $ticket1 must start between 1 and 10 minutes after $ticket
    $ticket1 : OMNewTicket( this after[1m, 10m] $ticket,
                            severity == "critical",
                            $appName1 : appName == "Windows",
                            $timeStampAttr2 : timeStampAttr )
    # no 'normal' Login_failure ticket in the interval [$timeStampAttr1, $timeStampAttr2]
    not ( OMNewTicket( timeStampAttr <= $timeStampAttr2,
                       timeStampAttr >= $timeStampAttr1,
                       appName == "Login_failure", severity == "normal" ) )
then
    drools.getWorkingMemory().setGlobal( "output", "found" );
end

For the input:

e6382090-a259-71dd-12b9-92dfda160000    14178    10/25/2008:5:59:AM     warning     Symantec        Application
956cb3a0-a22d-71dd-09d7-c0195b7b0000    14178    10/25/2008:6:00:AM     warning     Login_failure   Security
28bdb2e0-a25a-71dd-1bc3-c01959f40000    14178    10/25/2008:6:05:AM     critical    Windows         Application
956cb3a0-a22d-71dd-09d7-c0195b7b0000    14178    10/25/2008:10:04:AM    normal      Login_failure   Security
20f39930-a27d-71dd-0369-81f8b3ee0000    14178    10/25/2008:10:04:AM    warning     Symantec        Application
648d5010-a27c-71dd-1bc3-c01959f40000    14178    10/25/2008:10:05:AM    critical    Windows         Application
8bcb9bb0-a32f-71dd-10c5-c01959dc0000    14179    10/26/2008:7:23:AM     warning     Login_failure   Security
8882ee70-a331-71dd-1fbc-c0068f170000    14179    10/26/2008:7:37:AM     warning     Symantec        Application

I get the below output:

405000    405000    0    warning     Symantec        Sat Oct 25 05:59:00
406000    406000    0    warning     Login_failure   Sat Oct 25 06:00:00
407000    407000    0    critical    Windows         Sat Oct 25 06:05:00    found
408000    408000    0    normal      Login_failure   Sat Oct 25 10:04:00
409000    409000    0    warning     Symantec        Sat Oct 25 10:04:00
410000    410000    0    critical    Windows         Sat Oct 25 10:05:00
411000    411000    0    warning     Login_failure   Sun Oct 26 07:23:00    found
412000    412000    0    warning     Symantec        Sun Oct 26 07:37:00

I use a pseudo clock, and I set the time in the third column (for example
10/25/2008:5:59:AM) of the input as the 'timeStampAttr' by converting it to a
long. I also adjust the clock accordingly.

My requirement is to get those 'critical-Windows' events which happen 1 to
10 minutes after a 'warning-Symantec' event, provided no 'normal-Login_failure'
event occurs between them.

The problem here is that I am not convinced by the occurrence of "found" in
row #7, because 'Login_failure' did not occur within the 10-minute interval
between a Symantec and a Windows event. Also, my intention is to identify the
Windows event.
-- 
View this message in context: http://www.nabble.com/Rule-with-temporal-operators-tp24370166p24370166.html
Sent from the drools - user mailing list archive at Nabble.com.
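A plain-Python oracle for the correlation the rule above expresses, added here as an example (it is not code from the post and not Drools' own logic). It replays the post's eight input rows, constructed below with the ticket id and number dropped, and reports which 'critical'/'Windows' rows satisfy the pattern so the engine's "found" markers can be cross-checked. It assumes the `after[1m, 10m]` bounds are inclusive, as the Drools documentation describes them, and it does not model the 10m `@expires`, since the 10-minute upper bound of the temporal operator already limits how far back a match can reach.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Timestamp layout used in the post's third column, e.g. "10/25/2008:5:59:AM".
TS_FORMAT = "%m/%d/%Y:%I:%M:%p"

# Constructed sample: the post's eight input rows (ticket id and number dropped),
# in the order they were inserted into the session.
RAW_ROWS = [
    ("10/25/2008:5:59:AM",  "warning",  "Symantec",      "Application"),
    ("10/25/2008:6:00:AM",  "warning",  "Login_failure", "Security"),
    ("10/25/2008:6:05:AM",  "critical", "Windows",       "Application"),
    ("10/25/2008:10:04:AM", "normal",   "Login_failure", "Security"),
    ("10/25/2008:10:04:AM", "warning",  "Symantec",      "Application"),
    ("10/25/2008:10:05:AM", "critical", "Windows",       "Application"),
    ("10/26/2008:7:23:AM",  "warning",  "Login_failure", "Security"),
    ("10/26/2008:7:37:AM",  "warning",  "Symantec",      "Application"),
]


@dataclass(frozen=True)
class Ticket:
    row: int          # 1-based position in the input, matching the post's row numbers
    ts: datetime      # the value the rule sees as timeStampAttr
    severity: str
    app_name: str
    category: str


def load_sample() -> List[Ticket]:
    """Parse the constructed rows into Ticket objects."""
    return [Ticket(i, datetime.strptime(ts, TS_FORMAT), sev, app, cat)
            for i, (ts, sev, app, cat) in enumerate(RAW_ROWS, start=1)]


def is_symantec_warning(t: Ticket) -> bool:
    return t.severity == "warning" and t.app_name == "Symantec"


def is_windows_critical(t: Ticket) -> bool:
    return t.severity == "critical" and t.app_name == "Windows"


def is_normal_login_failure(t: Ticket) -> bool:
    return t.severity == "normal" and t.app_name == "Login_failure"


def blockers(tickets: List[Ticket], start_row: int, end_row: int) -> List[int]:
    """Rows of 'normal'/'Login_failure' tickets whose timestamp lies in the closed
    interval [start.ts, end.ts]; this mirrors the rule's `not` pattern."""
    by_row = {t.row: t for t in tickets}
    start, end = by_row[start_row], by_row[end_row]
    return [t.row for t in tickets
            if is_normal_login_failure(t) and start.ts <= t.ts <= end.ts]


def correlate(tickets: List[Ticket],
              lower: timedelta = timedelta(minutes=1),
              upper: timedelta = timedelta(minutes=10)) -> List[int]:
    """Rows of 'critical'/'Windows' tickets that start between `lower` and `upper`
    (inclusive, assumed to match `after[1m, 10m]`) after some 'warning'/'Symantec'
    ticket, with no blocker in between."""
    found = []
    for windows in filter(is_windows_critical, tickets):
        for symantec in filter(is_symantec_warning, tickets):
            if (lower <= windows.ts - symantec.ts <= upper
                    and not blockers(tickets, symantec.row, windows.row)):
                found.append(windows.row)
                break  # one matching Symantec warning is enough
    return found


if __name__ == "__main__":
    sample = load_sample()
    print("rows that satisfy the rule:", correlate(sample))          # [3]
    print("blockers between rows 5 and 6:", blockers(sample, 5, 6))  # [4]
```

On this input the oracle reports row 3 only: row 6 is 1 minute after the Symantec warning in row 5, which is inside the inclusive window, but the 'normal' Login_failure in row 4 carries the same 10:04 timestamp as row 5 and so falls inside the closed interval the `not` pattern checks. Unlike the rule, which sets one shared global, the oracle reports a result per Windows ticket, which makes it easier to compare against the per-row output printed above.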