2017-11-21 04:27 AM
Hi,
I've set up an ESA alert to trigger when a meta in 'alert' is generated and matches a certain string.
I'd like to be able to filter false positives based on an ip.dst value.
I thought I had it figured out by adding another condition that states if ip.dst is not a certain value, but it still seems to be triggering.
Updated ESA rule has been deployed.
Any hints on where to look?
Thanks,
2017-11-21 11:16 AM
can you post the raw text of the ESA alert to take a look at?
2017-11-21 05:14 PM
Here is the text, I've redacted the components that are internal only.
------------
/* EPL section. If there is no text here it means there were no statements. */
module Module_573b9327e4b0b1e0a26b2315;
@Name('Module_573b9327e4b0b1e0a26b2315_Alert')
@Description('Alerts when a new Intel Alert comes in')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
/* Statement: Crowdstrike Alert */
(alert.toLowerCase() LIKE '%string1%' OR alert.toLowerCase() LIKE '%string2%' OR alert.toLowerCase() LIKE '%string3%' OR alert.toLowerCase() LIKE '%string4%' OR alert.toLowerCase() LIKE '%string5%' OR alert.toLowerCase() LIKE '%string6%')
AND
/* Statement: False Positive filtering */
(ip_dst.toLowerCase() NOT IN ( '1.2.3.4' ) OR ip_dst.toLowerCase() NOT IN ( '1.2.3.5' ))
)
;
2017-11-22 03:02 AM
Hello Jeremy,
I have a question: is alert a multi-valued meta key?
In this case you should use cast or matchLike to trigger an event.
Ex (Version 10.6.4+):
@RSAAlert
SELECT * FROM Event(
(matchLike(alert, '%string1%') OR matchLike(alert, '%string2%'))
AND ip_dst NOT IN ('1.2.3.4','1.2.3.5')
)
;
2017-11-22 05:57 PM
Yes, the alert can be a number of different strings based on threat actor.
The alert works fine. It's the filtering out of false positives based on destination IP address that doesn't work.
2017-11-23 03:27 AM
You should try:
ip_dst NOT IN ('1.2.3.4','1.2.3.5')
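As an added illustration (not part of the thread or of any NetWitness code), this Python sketch evaluates the originally posted false-positive filter and the suggested replacement over constructed events. The helpers like_to_regex and match_like, the sample events and the case-insensitive matching (standing in for the toLowerCase() calls in the posted rule) are assumptions that emulate EPL LIKE / matchLike over a multi-valued meta key.

```python
import re

# Constructed sample events: `alert` is multi-valued (a list), `ip_dst` a single string.
SAMPLE_EVENTS = [
    {"id": 1, "alert": ["Crowdstrike: String1 seen"], "ip_dst": "1.2.3.4"},   # excluded dst
    {"id": 2, "alert": ["benign", "STRING2 detected"], "ip_dst": "1.2.3.5"},  # excluded dst
    {"id": 3, "alert": ["string3"], "ip_dst": "10.0.0.9"},                    # should fire
    {"id": 4, "alert": ["nothing interesting"], "ip_dst": "10.0.0.9"},        # no alert match
]

ALERT_PATTERNS = ["%string1%", "%string2%", "%string3%"]   # hypothetical LIKE patterns
FALSE_POSITIVE_DSTS = {"1.2.3.4", "1.2.3.5"}               # the two addresses from the thread

def like_to_regex(pattern):
    """Translate a LIKE pattern (% = any run, _ = one char) into an anchored regex."""
    body = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE)

def match_like(values, pattern):
    """Emulate matchLike over a multi-valued meta key: true if any value matches."""
    rx = like_to_regex(pattern)
    return any(rx.match(v) for v in values)

def alert_matches(event):
    return any(match_like(event["alert"], p) for p in ALERT_PATTERNS)

def original_filter(event):
    # As posted: (ip_dst NOT IN ('1.2.3.4') OR ip_dst NOT IN ('1.2.3.5')).
    # Any address is absent from at least one of the two singleton sets, so this is always true
    # and the exclusion never suppresses anything.
    ip = event["ip_dst"]
    return ip not in {"1.2.3.4"} or ip not in {"1.2.3.5"}

def fixed_filter(event):
    # As suggested in the reply: ip_dst NOT IN ('1.2.3.4','1.2.3.5')
    return event["ip_dst"] not in FALSE_POSITIVE_DSTS

def fired_ids(events, fp_filter):
    """IDs of events the rule fires on: alert pattern matched AND the FP filter passes."""
    return [e["id"] for e in events if alert_matches(e) and fp_filter(e)]

if __name__ == "__main__":
    print("original filter fires on:", fired_ids(SAMPLE_EVENTS, original_filter))  # [1, 2, 3]
    print("fixed filter fires on:   ", fired_ids(SAMPLE_EVENTS, fixed_filter))     # [3]
```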
2017-11-26 05:35 PM
Yep, that appears to have the effect I'm looking for.
Thanks so much.