2021-10-15 09:20 AM
Does anyone have experience with best practices around either building APP Rules as a "Whitelist" or assigning a List to an APP Rule for whitelisting purposes? We get an abundance of alerts for PowerShell, for example; many of these param.src / param.dst statements within the meta, or other meta within, need to be whitelisted from the rule to stop it firing, or addressed at the ESA level. More or less, though, historically we have adjusted the meta by adding && statements. It seems like this is a battle we are not winning, since the lists now get so large. Does anyone have any feedback or similar instances like this?
2021-10-27 11:39 AM
For whitelisting in ESA you could also create an enrichment feed and list your whitelisted elements in there vs. an app rule. I would need to see an example of what you are trying to do to better assist. You can reach out to me directly at my first.last@rsa.com