2018-06-11 03:52 AM
Is it possible in Security Analytics (packet capture) to trigger a specific event for a specific IOC like '31.148.219.177' & 'ptsecurity.com'?
2018-06-11 04:14 AM
Hello Harold,
https://community.rsa.com/docs/DOC-83630
Please use the App rules.
The way should be:
ip.dst='yourIP' && url='ptsecurity.com' --> This triggers an alert on alert.id with the name you specify in the app rule.
To find the correct syntax, investigate the meta in the Investigator, select them, and then copy and paste.
2018-06-11 04:27 AM
If possible, would you please share the correct syntax? Then I will replace that with the IOC I have.
2018-07-18 09:58 AM
If you are creating an app rule, you could call it "PTsecurity alert":
Condition - ip.dst = 31.148.219.177 && alias.host = "ptsecurity.com"
Check Stop Rule Processing, pick what your intentions are with the session (Keep/Filter/Truncate), and check Alert and Alert on Alert so it shows up under the Alert key in your Investigator module.
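A worked evaluation of the rule forms above, added here as an illustration and not taken from the thread or from the product: a small Python matcher for a subset of the app-rule condition syntax (`=`, `!=`, `&&`, `||`, parentheses; quoted string values and bare IP values) run over constructed session meta. It shows that the `&&` form in the last reply fires only when both indicators occur in the same session, that an `||` form fires on either, and that a condition on `ip.dst` alone does not catch the IOC address when it appears as the source. The parser, the session data and the `build_ioc_rule` helper are assumptions for illustration; the real rule engine is not modelled.

```python
"""Evaluate app-rule style conditions against session meta (illustrative only).

Assumed, simplified grammar (not the product's own parser):
  expr := and_expr ('||' and_expr)*
  and_expr := atom ('&&' atom)*
  atom := '(' expr ')' | key ('=' | '!=') value
Values are quoted strings or bare tokens (IPs, hostnames).
"""
import ipaddress
import re

# operators first so '!=' and '&&' win over the bare-token class
TOKEN_RE = re.compile(r"""\s*(?:(&&|\|\||!=|=|\(|\))|'([^']*)'|"([^"]*)"|([A-Za-z0-9_.:-]+))""")


def tokenize(rule):
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m or m.end() == pos:
            raise ValueError(f"bad token at {pos}: {rule[pos:]!r}")
        op, sq, dq, bare = m.groups()
        if op is not None:
            tokens.append(("op", op))
        elif sq is not None or dq is not None:
            tokens.append(("str", sq if sq is not None else dq))
        else:
            tokens.append(("bare", bare))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser producing ('and'|'or', l, r) or ('cmp', key, op, value)."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens in rule")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == ("op", "||"):
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_atom()
        while self.peek() == ("op", "&&"):
            self.take()
            left = ("and", left, self.parse_atom())
        return left

    def parse_atom(self):
        kind, val = self.take()
        if (kind, val) == ("op", "("):
            node = self.parse_or()
            if self.take() != ("op", ")"):
                raise ValueError("expected ')'")
            return node
        if kind != "bare":
            raise ValueError(f"expected meta key, got {val!r}")
        okind, op = self.take()
        if okind != "op" or op not in ("=", "!="):
            raise ValueError(f"expected '=' or '!=' after {val}")
        vkind, value = self.take()
        if vkind not in ("str", "bare"):
            raise ValueError(f"expected value after {val} {op}")
        return ("cmp", val, op, value)


def _same(have, want):
    """IPs compare as addresses; anything else as case-insensitive strings."""
    try:
        return ipaddress.ip_address(have) == ipaddress.ip_address(want)
    except ValueError:
        return have.lower() == want.lower()


def evaluate(node, session):
    if node[0] == "and":
        return evaluate(node[1], session) and evaluate(node[2], session)
    if node[0] == "or":
        return evaluate(node[1], session) or evaluate(node[2], session)
    _, key, op, value = node
    values = session.get(key, [])  # meta keys are multi-valued; a missing key has no values
    hit = any(_same(v, value) for v in values)
    return hit if op == "=" else not hit


def rule_matches(rule, session):
    return evaluate(Parser(tokenize(rule)).parse(), session)


def fire_alerts(rule_name, rule, sessions):
    """Session ids that would carry rule_name as alert meta (assumed behaviour)."""
    return [sid for sid, meta in sessions.items() if rule_matches(rule, meta)]


def build_ioc_rule(ips, hosts):
    """Fold an IOC list into one OR'd condition (assumed to be valid rule syntax)."""
    terms = [f"ip.dst = {ip}" for ip in ips] + [f"alias.host = '{h}'" for h in hosts]
    return " || ".join(terms)


AND_RULE = "ip.dst = 31.148.219.177 && alias.host = 'ptsecurity.com'"
OR_RULE = "ip.dst = 31.148.219.177 || alias.host = 'ptsecurity.com'"

# Constructed session meta, not real capture data.
SESSIONS = {
    "s1": {"ip.src": ["10.0.0.5"], "ip.dst": ["31.148.219.177"], "alias.host": ["ptsecurity.com"]},
    "s2": {"ip.src": ["10.0.0.5"], "ip.dst": ["31.148.219.177"], "alias.host": ["cdn.example.net"]},
    "s3": {"ip.src": ["10.0.0.7"], "ip.dst": ["93.184.216.34"], "alias.host": ["PTSecurity.com", "www.example.com"]},
    "s4": {"ip.src": ["31.148.219.177"], "ip.dst": ["10.0.0.5"], "alias.host": ["smtp.example.net"]},  # IOC is the source
}

if __name__ == "__main__":
    print("&& rule:", fire_alerts("PTsecurity alert", AND_RULE, SESSIONS))
    print("|| rule:", fire_alerts("PTsecurity alert", OR_RULE, SESSIONS))
    print("IOC list:", build_ioc_rule(["31.148.219.177", "198.51.100.9"], ["ptsecurity.com"]))
```

Session `s4` is the check worth keeping in mind when copying the `ip.dst` condition: inbound traffic from the IOC address carries it in `ip.src`, so a rule meant to catch either direction needs both keys, and an `||` between the IP and host conditions is what alerts on either indicator rather than only on the pair.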