2018-10-25 05:16 AM
Hi! Is there any type of document that explains the type of event source necessary for each ESA Rule? Example: for the "Web DoS Alert" rule the necessary or recommended event source would be a Firewall or a Router
2018-10-25 08:49 AM
Hi Antonio,
Basically it depends on the type & purpose of the Alert that you are planning to create.
For example, if I want to detect 'Lateral movement of infection' - First thing I will check if any Antivirus event source is sending logs to NW,
then I will check what type of events the Antivirus machine is sending,
then I will check if those collected logs have the (infection/virus) & affected host information that I need,
then I will check in which meta that infection & affected host machine information is showing up,
then my alert will consist of ((device.class = 'antivirus' OR device.class = 'symanecav') AND virusname exists AND host.src exists). Just an example.
Hope it helps.
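The checks in the answer above (right event source, the infection and host meta present, then the alert condition) can be prototyped over sample meta before writing the ESA rule. The following is an added example, not code from the original post or from NetWitness; the meta key names (device.class, virusname, host.src), the timestamps and the "same virus on several hosts in a short window" threshold are assumptions for illustration.

```python
# Added example: the alert condition from the answer, evaluated in plain
# Python over constructed log meta. Key names and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

AV_CLASSES = {"antivirus", "symanecav"}   # device.class values from the example rule

def matches_rule(meta: dict) -> bool:
    """(device.class = 'antivirus' OR device.class = 'symanecav')
       AND virusname exists AND host.src exists"""
    return (meta.get("device.class") in AV_CLASSES
            and bool(meta.get("virusname"))
            and bool(meta.get("host.src")))

def lateral_movement(events, window=timedelta(minutes=30), min_hosts=3):
    """Return virus names seen on >= min_hosts distinct hosts inside `window`.
    One AV hit on one host is routine; the same virus on several hosts in a
    short period is the lateral-movement signal worth alerting on."""
    seen = defaultdict(list)          # virusname -> [(time, host), ...]
    alerts = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if not matches_rule(ev):
            continue                  # wrong event source or missing meta
        hits = seen[ev["virusname"]]
        hits.append((ev["time"], ev["host.src"]))
        cutoff = ev["time"] - window
        hits[:] = [h for h in hits if h[0] >= cutoff]   # drop hits outside window
        if len({host for _, host in hits}) >= min_hosts:
            alerts.add(ev["virusname"])
    return alerts

# Constructed sample meta, shaped like what a log decoder would populate.
T0 = datetime(2018, 10, 25, 9, 0)
SAMPLE = [
    {"time": T0, "device.class": "antivirus", "virusname": "W32.Test", "host.src": "pc-01"},
    {"time": T0 + timedelta(minutes=5), "device.class": "symanecav", "virusname": "W32.Test", "host.src": "pc-02"},
    {"time": T0 + timedelta(minutes=9), "device.class": "firewall", "virusname": "W32.Test", "host.src": "pc-03"},  # not an AV source
    {"time": T0 + timedelta(minutes=12), "device.class": "antivirus", "virusname": "W32.Test", "host.src": "pc-04"},
    {"time": T0 + timedelta(minutes=14), "device.class": "antivirus", "virusname": "", "host.src": "pc-05"},  # virusname missing
    {"time": T0 + timedelta(hours=2), "device.class": "antivirus", "virusname": "Other.B", "host.src": "pc-06"},
]

if __name__ == "__main__":
    print(lateral_movement(SAMPLE))   # {'W32.Test'}
```

The firewall event and the event without a virus name are dropped by the source and meta checks, which is exactly why the answer recommends confirming those meta keys are populated before building the rule.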