This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How to call threat feed based app-rule in ESA rule

Go to solution
UtsavSejpal
Beginner
Beginner

‎2017-06-12 09:49 PM

Hi Folks,

 

We have setup app rule by following the below document: 

 

https://community.rsa.com/community/products/netwitness/blog/2017/04/04/feed-mecisco-threatgrid-intelligence-feeds 

 

We also see logs with below meta in the investigation tab (because of app-rule): 

 

threat.source = 'cisco amp threatgrid'

 

My questions is that can we use this meta value in ESA rule? I have tried to configure the one but doesn't seem to be working (not getting triggered).  Any pointers??

Thanks in advance,

Utsav Sejpal

Preview file
86 KB
Preview file
58 KB
0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
SravanKoneti1
Beginner
Beginner
In response to UtsavSejpal

‎2017-06-13 12:13 AM

Hi Utsav,

 

App rule responsible for generating the meta value only.

 

I believe, typo is single quote (') around the threatgrid meta value. Please try event.threat_source contains threatgrid

View solution in original post

6 REPLIES 6

Go to solution
SravanKoneti1
Beginner
Beginner

‎2017-06-12 10:38 PM

Hi Utsav,

 

Can you try event.threat_source contains 'threatgrid'

I have come across this ESA contains operator value doesn't accept "space".

Go to solution
UtsavSejpal
Beginner
Beginner
In response to SravanKoneti1

‎2017-06-12 11:46 PM

Hi Sravan Koneti‌,

 

Thanks for your input. I modified the rule as you suggested but still no luck

 

Is there specific configuration we need to do since log decoder app rule appends "Threat Source" field in the logs and we are trying to call it in the ESA rule? Just a thought... 

 

Also attaching primary rule (log decoder app rule) for reference.

 

Thanks,

Utsav Sejpal

cisco amp_log decoder app rule.JPG

0 Likes

Go to solution
SravanKoneti1
Beginner
Beginner
In response to UtsavSejpal

‎2017-06-13 12:13 AM

Hi Utsav,

 

App rule responsible for generating the meta value only.

 

I believe, typo is single quote (') around the threatgrid meta value. Please try event.threat_source contains threatgrid

Go to solution
UtsavSejpal
Beginner
Beginner
In response to SravanKoneti1

‎2017-06-13 12:22 AM

Hi Sravan Koneti,

 

Bang on!!

 

Thanks a lot my friend   it's working

 

Best Regards,

Utsav Sejpal

Go to solution
SravanKoneti1
Beginner
Beginner
In response to UtsavSejpal

‎2017-06-13 12:29 AM

Hi Utsav,

Nice to hear this rule is working.

0 Likes

Go to solution
robertofasciani
Beginner
Beginner

‎2017-06-14 02:49 AM

Hello Utsav,

we should be careful to use the meta threat_source. This meta, in ESA, we should be declared as an arraypastedImage_1.png

and we have to use a rule with this sintax

pastedImage_2.png

 

Alternatively, you could use directly the meta tg.analysis:

event.tg_analysis is not null

 

Best Regards,

Roberto

© 2022 RSA Security LLC or its affiliates. All rights reserved.