This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Network ID whitelisting

chethankr2
New Contributor
New Contributor

11 hours ago

Can we add a condition in esa rule for excluding the entire network id if its a source IP.

0 Likes
1 REPLY 1

JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

an hour ago

@chethankr2 

Have you tried using CIDR notation such as 10.1.0.0/16?

 

The other option is to create application rules that tag sessions that have will only tag when the ip.src equals the CIDR notation ip address of your internal networks.

An example of an Application Rule would be the following:

   Application Rule Name: Corporate Networks

   Condition: ip.src=10.1.10.0/24, 192.68.0.0/16, 10.23.10.0/24

   Save meta to meta key alert.

 

Once that is done you would use a WHERE alert=Corporate Networks in your ESA rules.

 

I hope this helps.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.