This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Using IP List in ESA Rule

socuser
Occasional Contributor
Occasional Contributor

‎2022-03-22 10:56 AM

Hi Team,

I has a list of Suspicious IP List,

I need to create a Alert rule which triggered based on the connection from Suspcious IP,

Inside ESA rule i need to use LIST feature , pls help us on this requirement 

 

 

Thanks,

SOCUSER

Labels:
0 Likes
1 REPLY 1

drewjc
Occasional Contributor
Occasional Contributor

‎2022-04-04 04:40 PM

Hi socuser,

 

Depending on the size of the list and how often it is updated you might be better off implementing your list as a feed and matching with an app rule. Then you can query on a metakey directly. ESA tends to get overburdened rather quickly for all but the simplest rules.

 

However, the ESA way I have used successfully in the past has been to create a string array using the following syntax snippets as an example:

 

CREATE VARIABLE string[] my_list = {
'10.0.0.1',
'10.0.0.2',
};

 

SELECT * FROM Event(

ip_dst = ANY(my_list)

);

 

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.