
*UPDATED* PI ACE Portaledge Meta-Event Proof-Of-Concept

UPDATE: I added some comments in my code to make it a bit clearer.

I recently started working with OSIsoft's PI ACE for use in the Portaledge project. Kevin and I put together a sample Meta-Event involving Snort events, a key logger and uploading new firmware to a PLC. The code below is an example of an ACE library that runs every 5 minutes and iterates through the past 15 minutes of data. Because of the nested For loops this may not be the most efficient method, but it works as a proof-of-concept.

Public Overrides Sub ACECalculations()
  Dim Syslog_PtOneValue, Syslog_PtTwoValue, WEL_PtOneValue, WEL_PtTwoValue As PIValue
  Dim Syslog_PtOneValArray, Syslog_PtTwoValArray, WEL_PtOneValArray, WEL_PtTwoValArray As PIValues
  Dim AttackIP As String

  Syslog_PtOneValArray = Syslog22.Values("*-15m", "*", 0)  ' See Rem 1
  For Each Syslog_PtOneValue In Syslog_PtOneValArray  ' See Rem 2
    If StrMatch(Syslog_PtOneValue.Value, "NMAP Scan") Then  ' See Rem 3
      AttackIP = GetIP(Syslog_PtOneValue.Value)  ' See Rem 4
      WEL_PtOneValArray = WEL_22.Values(Syslog_PtOneValue.TimeStamp, "*", 0)
      For Each WEL_PtOneValue In WEL_PtOneValArray  ' See Rem 5
        If StrMatch(WEL_PtOneValue.Value, AttackIP, "Xwin Login", "|") Then  ' See Rem 6
          Syslog_PtTwoValArray = Syslog22.Values(WEL_PtOneValue.TimeStamp, "*", 0)
          For Each Syslog_PtTwoValue In Syslog_PtTwoValArray  ' See Rem 7
            If StrMatch(Syslog_PtTwoValue.Value, AttackIP, "CorpNet to FEP") Then  ' See Rem 8
              WEL_PtTwoValArray = WEL_22.Values(Syslog_PtTwoValue.TimeStamp, "*", 0)
              For Each WEL_PtTwoValue In WEL_PtTwoValArray  ' See Rem 9
                If StrMatch(WEL_PtTwoValue.Value, "", "Firmware Upload", "|") Then
                  PortaledgeTemplate_Alert.Value = "Portaledge MetaEvent Detected"  ' See Rem 10
                End If
              Next
            End If
          Next
        End If
      Next
    End If
  Next
End Sub

' Rem 1: Set the syslog point array variable equal to the last 15 minutes' worth of data from the syslog interface
' Rem 2: Iterate through the last 15 minutes of syslog data
' Rem 3: If the last 15 minutes of syslog data contained "NMAP Scan", continue looking for more events in the meta-event
' Rem 4: Extract the attacker's IP address from the syslog message
' Rem 5: Iterate through the Windows Event Log starting at the syslog "NMAP Scan" time stamp to the current time
' Rem 6: If the Windows Event Log contained "Xwin Login" from the attacker's IP, continue looking for more events in the meta-event
' Rem 7: Iterate through the syslog data starting at the Windows Event Log "Xwin Login" time stamp to the current time
' Rem 8: If the syslog data contained "CorpNet to FEP" from the attacker's IP, continue looking for more events in the meta-event
' Rem 9: Iterate through the Windows Event Log starting at the syslog "CorpNet to FEP" time stamp to the current time
' Rem 10: If the Windows Event Log contained "Firmware Upload", then set the Alert to "Portaledge MetaEvent Detected"
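To make the correlation logic above easier to test outside PI ACE, here is the same four-stage meta-event written in Python as an added example; it is not code from the post or from the Portaledge project. The syslog and Windows Event Log messages, the timestamps, and the `get_ip` and `contains_all` helpers (stand-ins for the post's `GetIP` and `StrMatch`, whose exact semantics the post does not show) are all constructed for the example. It generalizes the nested loops to a list of stages walked depth-first with backtracking, so the same time-ordering guarantee (each stage only matches events at or after the previous stage's match) holds for any number of stages, and a decoy scan from a different IP with no follow-on events does not fire the alert.

```python
import re
from datetime import datetime, timedelta

# Constructed sample streams (not data from the original post). Each entry is
# (timestamp, message text) as the corresponding PI point would hold it.
SYSLOG = [
    ("2010-01-01 09:50:00", "snort[1]: NMAP Scan detected from 10.1.1.7"),   # older than the 15 min window
    ("2010-01-01 10:00:00", "snort[1]: NMAP Scan detected from 10.1.1.99"),  # decoy: no follow-on events
    ("2010-01-01 10:01:00", "snort[1]: NMAP Scan detected from 10.1.1.50"),
    ("2010-01-01 10:07:00", "fw: allow 10.1.1.50 CorpNet to FEP tcp/502"),
]
WEL = [
    ("2010-01-01 10:03:00", "4624|Xwin Login|10.1.1.50|user=ops"),
    ("2010-01-01 10:09:00", "7045|Firmware Upload|PLC-7|status=ok"),
]
NOW = "2010-01-01 10:12:00"  # the "*" of the ACE run, also constructed

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def get_ip(text):
    """First dotted quad in text, or None. Stand-in for the post's GetIP helper."""
    m = IP_RE.search(text)
    return m.group(0) if m else None


def contains_all(text, *needles):
    """True when every non-empty needle occurs in text. Stand-in for StrMatch."""
    return all(n in text for n in needles if n)


def events_between(stream, start, end):
    """Events with start <= ts <= end in time order, like PIPoint.Values(start, "*", 0)."""
    rows = [(parse_ts(ts), msg) for ts, msg in stream]
    return sorted((e for e in rows if start <= e[0] <= end), key=lambda e: e[0])


# The chain the post describes, one predicate per stage. ctx carries the
# attacker IP extracted at the first stage into the later stages.
STAGES = [
    ("syslog", lambda msg, ctx: contains_all(msg, "NMAP Scan")),
    ("wel",    lambda msg, ctx: contains_all(msg, ctx["ip"], "Xwin Login")),
    ("syslog", lambda msg, ctx: contains_all(msg, ctx["ip"], "CorpNet to FEP")),
    ("wel",    lambda msg, ctx: contains_all(msg, "Firmware Upload")),
]


def _search(stages, sources, idx, cursor, end, ctx, chain):
    """Depth-first walk: stage idx may only match events at or after the
    previous stage's match (cursor). Backtracks exactly as the nested loops do."""
    if idx == len(stages):
        return chain
    name, pred = stages[idx]
    for ts, msg in events_between(sources[name], cursor, end):
        if not pred(msg, ctx):
            continue
        new_ctx = dict(ctx)
        if new_ctx["ip"] is None:
            new_ctx["ip"] = get_ip(msg)
            if new_ctx["ip"] is None:
                continue  # a scan alert with no parsable source IP cannot anchor the chain
        found = _search(stages, sources, idx + 1, ts, end, new_ctx, chain + [(name, ts, msg)])
        if found:
            return found
    return None


def detect_meta_event(syslog, wel, now, lookback=timedelta(minutes=15), stages=STAGES):
    """Return the alert and the matched event chain, or None if the ordered
    sequence does not occur inside the look-back window."""
    end = parse_ts(now)
    chain = _search(stages, {"syslog": syslog, "wel": wel}, 0, end - lookback, end, {"ip": None}, [])
    if chain is None:
        return None
    return {"alert": "Portaledge MetaEvent Detected",
            "attacker_ip": get_ip(chain[0][2]),
            "chain": [(name, ts.strftime("%H:%M:%S"), msg) for name, ts, msg in chain]}


if __name__ == "__main__":
    print(detect_meta_event(SYSLOG, WEL, NOW))
```

Because each stage re-reads its source from the previous match's timestamp, reordering the same messages (a firmware upload logged before the CorpNet-to-FEP connection) yields no alert, which is the property the ACE library relies on; the returned chain records which events fired so the alert can carry evidence rather than just a string.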

I am going to look into triggering ACE libraries from events, allowing one ACE library to trigger another ACE library. On the plus side, stacked libraries can use more generic code and will permit increased levels of severity. Negative aspects to stacked libraries include increased initialization time, additional complexity and libraries not being initialized. I will be talking with a few people from OSIsoft to determine the most efficient path. Stay tuned.
