This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

can decoder app rule or network rule using list?

Go to solution
huanzhou1
Beginner
Beginner

‎2013-12-24 01:17 PM

can decoder app rule or network rule using list?

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
RSAAdmin
Beginner
Beginner

‎2013-12-26 12:50 PM

Yes, with limitations.  To denote a list in a rule, simply separate your values with commas.  For instance, I have a list of malicious domains I want to alert against.  It would be alias.host=xyz.com,xyz.org,xyz.il,xyz.biz

 

The limitations come into play when you try to use too many values in your list.  Or when you try to do contains or begins statements for your rule.

 

If you have more than 10 values, I'd suggest you craft a custom feed and query against the feed name.

View solution in original post

0 Likes
3 REPLIES 3

Go to solution
RSAAdmin
Beginner
Beginner

‎2013-12-26 12:50 PM

Yes, with limitations.  To denote a list in a rule, simply separate your values with commas.  For instance, I have a list of malicious domains I want to alert against.  It would be alias.host=xyz.com,xyz.org,xyz.il,xyz.biz

 

The limitations come into play when you try to use too many values in your list.  Or when you try to do contains or begins statements for your rule.

 

If you have more than 10 values, I'd suggest you craft a custom feed and query against the feed name.

0 Likes

Go to solution
huanzhou1
Beginner
Beginner
In response to RSAAdmin

‎2013-12-26 01:31 PM

how should i do that use feed name?

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to huanzhou1

‎2013-12-26 01:53 PM

You would use the feed wizard to load your custom feed.  Then your rule would be feed.name exists, or whatever other logic you are trying to query against.  See the help file for managing local feeds.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.