This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Rule configuring/customazation

HaroldTsatsi
New Contributor
New Contributor

‎2018-06-11 03:52 AM

is it possible in security analytics(packet capture)to trigger a specific event for a specific IOC like'31.148.219.177' & 'ptsecurity.com'?

Labels:
0 Likes
3 REPLIES 3

EmmanueleLaPort
Beginner
Beginner

‎2018-06-11 04:14 AM

Hello Harold,

 

https://community.rsa.com/docs/DOC-83630 

 

Please use the App rules.

The way should be:
ip.dst='yourIP' && url='ptsecurity.com' --> This triggers an alert on alert.id with the name you specify in the apprule.

 

To find the correct syntax investigate the meta from the investigator select them and then do copy and paste.

0 Likes

HaroldTsatsi
New Contributor
New Contributor
In response to EmmanueleLaPort

‎2018-06-11 04:27 AM

if possible would you please share the correct syntax,then will replace that with the IOC i have?

0 Likes

Arasnick
Contributor
Contributor

‎2018-07-18 09:58 AM

If you are creating an app rule, you could call it "PTsecurity alert":

Condition - ip.dst = 31.148.219.177 && alias.host = "ptsecurity.com" 

 

Check Stop Rule Processing, and pick what your intentions are with the session (Keep/Filter/Truncate), Check Alert and Alert on Alert so it shows up under the Alert key in your Investigator module.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.