This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Rule Packet Decoder + Log Decoder

SamantaSantos
New Contributor
New Contributor

‎2019-10-21 09:10 AM

Hi,

 

I need to create one rule, when my Packet Decoder detects one threat following by my Log Source (such as Firewall) action such DROP/BLOCK.

 

I did like this, but the rule is wrong. Could you help me?

 

SELECT * FROM Event(
/* Statement: ioc */
(isOneOfIgnoreCase(ioc,{ 'possible poison ivy' }))
AND
/* Statement: firewall action */
(isNotOneOfIgnoreCase(action,{ 'block' }) AND isNotOneOfIgnoreCase(action,{ 'drop' }) AND isNotOneOfIgnoreCase(action,{ 'deny' }))

)

0 Likes
2 REPLIES 2

sravan.koneti
Respected Contributor Respected Contributor
Respected Contributor

‎2019-11-12 05:05 AM

Hi Samanta Santos‌,

 

Just to pass the rule validation, 

Correlation->Explore->Correlation->Stream 

Right side change multi-valued-as-array from false to true.

Then check Rule Syntax check

0 Likes

JoshRandall
Valued Contributor Valued Contributor
Valued Contributor

‎2019-11-12 12:22 PM

Hi Samanta,

 

Can you be more specific about what you mean when you say the "rule is wrong”?

 

Is it not passing syntax checks / not deploying?

 

Or is not alerting on the events that you want it to?

 

Or something else?


Mr. Mongo
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.