2017-07-23 11:00 AM
I have NetWitness for logs and have other products forwarding logs to RSA.
Please suggest the steps to begin this solution (I'm new).
2017-07-24 02:25 AM
What Web Gateway do you have in your environment? Are you collecting those logs into SA?
Also, you need to know which web filtering policy is implemented; based on that, you can write an ESA rule to alert on that category.
2017-07-24 04:24 AM
2017-07-24 05:24 AM
Below is some simple ESA logic you can use.
You can extend the filter based on the required categories defined by Blue Coat (Symantec Category Descriptions).
SELECT * FROM Event(
/* Statement: S1 */
/* Blue Coat ProxySG (ELFF) events whose filter category is in the blocked list */
(device_type.toLowerCase() IN ('cacheflowelff') AND filter.toLowerCase() IN ('pornography'))
)
/* one batch window per user; release it after 1 minute or 5 events, whichever comes first */
.std:groupwin(user_dst)
.win:time_length_batch(1 Minutes, 5)
GROUP BY user_dst
/* only batches that actually filled up with 5 hits produce an alert */
HAVING COUNT(*) >= 5;
Regards
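Added example (not part of dinesh pk's post or of RSA's product code): a small Python replay of the rule above, so you can check what the window actually does before deploying it. It assumes Esper's documented semantics for time_length_batch, namely that each user's batch starts when its first event arrives and is released after 1 minute or when it holds 5 events, whichever comes first, and that HAVING COUNT(*) >= 5 therefore only fires for batches that filled up. The meta key names are the ones used in the posted rule; the events themselves are constructed, not real Blue Coat logs.

```python
"""Offline replay of the ESA rule: per-user batch window of 1 minute / 5 events.

Added example; event records, users and timestamps below are constructed.
"""
from dataclasses import dataclass, field

WINDOW_SECONDS = 60          # the "1 Minutes" in the EPL
BATCH_SIZE = 5               # the 5 in time_length_batch and in HAVING COUNT(*) >= 5
BLOCKED_CATEGORIES = {"pornography"}   # extend from the Symantec category list


@dataclass
class Batch:
    """One open time_length_batch for a single user_dst."""
    start: float
    events: list = field(default_factory=list)


def matches(ev):
    """The WHERE part of the rule: Blue Coat ELFF source and a blocked category."""
    return (ev.get("device_type", "").lower() == "cacheflowelff"
            and ev.get("filter", "").lower() in BLOCKED_CATEGORIES)


def run_rule(events):
    """Replay events through per-user batch windows (std:groupwin(user_dst)).

    Returns a list of (user_dst, event_count, batch_start_time) alerts.
    """
    batches = {}     # user_dst -> Batch, the groupwin state
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        # Time trigger: a batch older than the window is released. It cannot
        # hold 5 events (the length trigger would already have fired), so
        # HAVING COUNT(*) >= 5 rejects it and it is simply discarded.
        for user in list(batches):
            if ev["time"] - batches[user].start >= WINDOW_SECONDS:
                del batches[user]
        if not matches(ev):
            continue
        user = ev["user_dst"]
        batch = batches.setdefault(user, Batch(start=ev["time"]))
        batch.events.append(ev)
        # Length trigger: the batch is full, released, and satisfies HAVING.
        if len(batch.events) >= BATCH_SIZE:
            alerts.append((user, len(batch.events), batch.start))
            del batches[user]
    return alerts


# Constructed sample stream (times are seconds from an arbitrary start):
SAMPLE_EVENTS = (
    # alice: 5 blocked-category hits inside 40 s -> should alert
    [{"time": t, "device_type": "cacheflowelff", "filter": "Pornography",
      "user_dst": "alice"} for t in (0, 10, 20, 30, 40)]
    # bob: 5 hits, but spread over 3 minutes, never 5 in one batch -> no alert
    + [{"time": t, "device_type": "cacheflowelff", "filter": "pornography",
        "user_dst": "bob"} for t in (0, 45, 90, 135, 180)]
    # carol: 5 rapid hits in an unblocked category -> no alert
    + [{"time": t, "device_type": "cacheflowelff", "filter": "news",
        "user_dst": "carol"} for t in (0, 5, 10, 15, 20)]
    # a non-Blue Coat source with the same category is ignored by the WHERE part
    + [{"time": 50, "device_type": "winevent_nic", "filter": "pornography",
        "user_dst": "alice"}]
)

if __name__ == "__main__":
    for user, count, start in run_rule(SAMPLE_EVENTS):
        print(f"ALERT user_dst={user} hits={count} batch_start={start}s")
```

Running it prints one alert, for alice only. Note what this tells you about tuning: because the batch is tumbling, not sliding, a user who spaces hits so that no single 1-minute batch collects five of them (bob above) never alerts; if that matters, raise the time in time_length_batch or use a sliding win:time window with the same HAVING clause.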
2017-07-24 10:54 AM
Thank you very much, dinesh pk, for helping me ^_^
Please suggest how to implement this ESA logic, step by step.
Now I will try learning and configuring it. Thank you again, dinesh pk ^_^
2017-07-24 02:58 PM
Try reading the RSA documentation. It's much faster than looking at user comments.
Click the "?" in the ESA menu for more information.