2024-11-22 05:32 AM
Can we add a condition in esa rule for excluding the entire network id if its a source IP.
a month ago
Have you tried using CIDR notation such as 10.1.0.0/16?
The other option is to create application rules that tag sessions that have will only tag when the ip.src equals the CIDR notation ip address of your internal networks.
An example of an Application Rule would be the following:
Application Rule Name: Corporate Networks
Condition: ip.src=10.1.10.0/24, 192.68.0.0/16, 10.23.10.0/24
Save meta to meta key alert.
Once that is done you would use a WHERE alert=Corporate Networks in your ESA rules.
I hope this helps.