2020-01-30 11:08 PM
Hi All,
I have the following ESA rule.
SELECT * FROM Event((alert IS NOT NULL AND ((asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%bear%') OR (asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%spider%'))))
I want to be able to not trigger when an ip_dst is set.
eg. IF ALERT is like bear and ip_dst is not 128.0.0.1
I'm having a brain block on how to write the syntax.
Thanks.
2020-01-31 12:29 PM
If you have multiple IPs, it would look like:
AND NOT ( ip_dst IN ( '128.0.0.1','128.0.0.2','etc…' ) )
If a single IP, you can do:
AND NOT (ip_dst = '128.0.0.1' )
2020-02-05 12:21 AM
So something like this?
All these parentheses make me dizzy.
SELECT * FROM Event(
    (
        alert IS NOT NULL AND (
            (asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%bear%')
            OR
            (asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%spider%')
            OR
            (asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%panda%')
        )
        AND NOT
        (
            ip_dst IN ('128.0.0.1')
        )
    )
)
2020-02-07 01:43 PM
Yup. You'll just want to make sure you include the @RSAAlert annotation (assuming you want this rule to fire alerts), as well as the semi-colon after the very last right parenthesis to complete the statement. (I find using indents kinda helpful for managing all the nested parentheses… even more helpful is a good text editor that'll do it for you and highlight pairs when you have them selected.)
@RSAAlert
SELECT * FROM Event(
    (
        alert IS NOT NULL AND (
            (asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%bear%')
            OR
            (asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%spider%')
            OR
            (asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%panda%')
        )
        AND NOT (
            ip_dst IN ('128.0.0.1')
        )
    )
);
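An added example, not part of the thread or of RSA NetWitness: the rule's filter logic re-implemented in Python so it can be tried against constructed sample events before the EPL is deployed to ESA. It assumes a missing ip_dst counts as "not excluded" (so the alert still fires); that is an assumption to confirm against your ESA version's null handling, since it is the one case the thread's rule text does not spell out.

```python
"""Offline checker for the ESA/EPL rule from the thread (constructed example,
not part of the original thread or of RSA NetWitness). It mirrors the rule in
Python so the filter can be tried against sample events before deployment:
    alert contains (case-insensitive) bear|spider|panda AND NOT ip_dst IN (...)
Assumption: a missing ip_dst counts as "not excluded", so the alert still
fires; confirm this against the null handling of your ESA version.
"""
from typing import Iterable, Mapping

KEYWORDS = ("bear", "spider", "panda")     # the LIKE '%...%' patterns in the rule
EXCLUDED_DST = frozenset({"128.0.0.1"})    # the IN ('...') list in the rule


def as_string_array(value) -> list:
    """Mirror asStringArray(): None becomes empty, a scalar a one-element list."""
    if value is None:
        return []
    if isinstance(value, (list, tuple, set)):
        return [str(v) for v in value]
    return [str(value)]


def alert_matches(alert, keywords: Iterable[str] = KEYWORDS) -> bool:
    """anyOf(v => v.toLowerCase() LIKE '%kw%') across the alert array."""
    return any(kw in v.lower() for v in as_string_array(alert) for kw in keywords)


def rule_fires(event: Mapping, excluded: frozenset = EXCLUDED_DST) -> bool:
    """Evaluate the full filter for one event (a dict of meta keys)."""
    alert = event.get("alert")
    if alert is None or not alert_matches(alert):   # alert IS NOT NULL AND (...)
        return False
    # AND NOT (ip_dst IN (...)); a None ip_dst is kept, per the assumption above
    return event.get("ip_dst") not in excluded


def filter_events(events):
    """Return the events that SELECT * FROM Event(...) would emit."""
    return [e for e in events if rule_fires(e)]


# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    {"alert": ["Fancy Bear C2"], "ip_dst": "10.0.0.5"},    # fires
    {"alert": ["Fancy Bear C2"], "ip_dst": "128.0.0.1"},   # suppressed by ip_dst
    {"alert": ["Wicked SPIDER"], "ip_dst": None},          # fires (see assumption)
    {"alert": ["Benign Scan"], "ip_dst": "10.0.0.5"},      # no keyword match
    {"alert": None, "ip_dst": "10.0.0.5"},                 # alert IS NULL
]
```

Running `filter_events(SAMPLE_EVENTS)` returns the first and third events only; add more addresses to `EXCLUDED_DST` to mirror the multi-IP `IN (...)` form from the earlier reply.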