2015-02-25 12:13 AM
Hi
I need to create a correlation rule in ESA. I need to add a watchlist to filter out some IP ranges and also to set cache variables for correlation.
How do I achieve this in the ESA Basic Rule Editor?
2015-02-25 04:33 AM
Hey shanthi_t02,
For your watchlist, you could look into creating a custom feed to tag your IPs at the Decoder level:
Create a Custom Feed - RSA Security Analytics Documentation
Then you could simply apply logic in your ESA rule to say != 'MyCustomFeedMeta'.
For your cache variables it would help to understand the logic of the rule you want to create.
2015-02-25 07:14 AM
Hi Patrick,
Thanks for the reply.
Can we apply the custom feeds to multiple Decoders? And how do we create custom feeds if the watchlist contains a regex?
Here is the logic for the cache variables:
Two statements.
The first statement captures logs from a specific event category, filtered based on action,
and the second statement captures a specific event id and filters events based on the cached source and action.
2015-02-25 09:00 AM
Feeds can be applied to as many Decoders as you like; unfortunately you cannot use regex in feeds though.
I would add the two meta fields into the "Group By" field on the basic rule builder to then group based on x number of the same instances being seen.
2015-02-25 01:49 PM
You can create an app rule on each Decoder with a regex.
You can create the app rule to say, for example:
Apprulename=regex_test
user regex {regex expression}
and then select the "alert on" (select the meta key you want the alert to be on), for example on the meta alert.
Then on the ESA just look for the tag alert=regex_test.
On the other question, you can combine statements: for example, in one statement set the device type,
in the second statement the msg id,
and so on.
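The two-statement logic described in the thread (a cache of sources seen in one event category, then a specific event id from a cached source, with feed-tagged IPs excluded) written as an ESA advanced rule in Esper EPL; this is an added example, not code from the thread. The meta keys ip_src, event_cat_name, action and reference_id are standard NetWitness keys written in ESA underscore form; the watchlist meta key, the category and event id values, and the 10 minute cache lifetime are assumptions constructed for illustration.

```sql
// Esper EPL for an ESA advanced rule (added example, not from the thread).
// EPL uses Java-style comments. 'watchlist' is an assumed meta key populated
// at the Decoder by the custom feed that tags the IP range to be filtered out.

// The "cache variable": a named window holding the source IPs captured by
// statement 1; each entry expires 10 minutes after it was inserted (assumed).
@Name('SourceCache')
CREATE WINDOW SourceCache.win:time(10 minutes) (ip_src string);

// Statement 1: events of one category, filtered by action.
// Sources tagged by the watchlist feed carry the 'watchlist' meta and are skipped.
@Name('CacheSources')
INSERT INTO SourceCache
SELECT ip_src
FROM Event(
    event_cat_name = 'User.Activity.Failed Logins'   // assumed category value
    AND action = 'failure'
    AND watchlist IS NULL                            // not tagged by the feed
);

// Statement 2: a specific event id from a source already in the cache.
// UNIDIRECTIONAL means only a newly arriving Event, not a change to the
// window contents, can trigger the join and raise the alert.
@RSAAlert
@Name('CachedSourceThenSuccess')
SELECT e.*
FROM Event(reference_id = '4624' AND action = 'success') AS e UNIDIRECTIONAL,
     SourceCache AS c
WHERE e.ip_src = c.ip_src;
```

The app-rule tag from the last reply can be used the same way by filtering on alert = 'regex_test' in the Event(...) clause instead of the feed meta.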