2019-10-21 09:10 AM
Hi,
I need to create a rule for when my Packet Decoder detects a threat followed by a Log Source (such as a firewall) action such as DROP/BLOCK.
I did it like this, but the rule is wrong. Could you help me?
SELECT * FROM Event(
    /* Statement: ioc */
    (isOneOfIgnoreCase(ioc, { 'possible poison ivy' }))
    AND
    /* Statement: firewall action */
    (isNotOneOfIgnoreCase(action, { 'block' })
     AND isNotOneOfIgnoreCase(action, { 'drop' })
     AND isNotOneOfIgnoreCase(action, { 'deny' }))
)
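As an added example (not part of the original post or an RSA-provided rule), the two-event correlation described in the question written as an Esper pattern rather than as two conditions on a single Event: the packet-decoder detection is the first event, and a firewall block/drop/deny from the same source within a short window is the second. Assumptions: the meta keys ioc, action and ip_src exist in the ESA stream, a 5-minute window is acceptable, and the request is read as "detection followed by a block"; if the intent is to alert when no block follows, the second filter would use isNotOneOfIgnoreCase as in the posted rule.

```epl
/* Added example, not the original post's rule.
   Assumes meta keys ioc, action and ip_src and a 5-minute window. */
@RSAAlert(oneInSeconds=0)
SELECT a.ip_src AS src, a.ioc AS ioc, b.action AS action
FROM pattern [
    /* first event: the Packet Decoder threat detection */
    every a=Event(isOneOfIgnoreCase(ioc, { 'possible poison ivy' }))
    /* followed by a firewall action from the same source IP */
    -> b=Event(
        isOneOfIgnoreCase(action, { 'block', 'drop', 'deny' })
        AND ip_src = a.ip_src
    ) where timer:within(5 min)
]
```

If ioc is a multi-valued meta key, the multi-valued-as-array stream setting mentioned later in this thread still has to be enabled for the isOneOfIgnoreCase check to pass the syntax check.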
2019-11-12 05:05 AM
Hi Samanta Santos,
Just to pass the rule validation:
Correlation -> Explore -> Correlation -> Stream
On the right side, change multi-valued-as-array from false to true.
Then run the Rule Syntax check.
2019-11-12 12:22 PM
Hi Samanta,
Can you be more specific about what you mean when you say the "rule is wrong"?
Is it not passing syntax checks / not deploying?
Or is it not alerting on the events that you want it to?
Or something else?