Just looking for a quick answer on the correct syntax for this. I
currently have a rule deployed that will alert only when a specific meta
key is found in a CH list that's used as an enrichment in the rule.
Syntax looks like
Looking for some help with an EPL rule. The goal is to detect when a
single client requests more than 275 unique A records for hosts in my AD
domain within 5 minutes. The custom meta key dns_qtype is populated by
an app rule that acts on logs produce...
We have some endpoints that are using Windows Defender managed via SCCM
as their AV solution, for...some reason. Is there a correct way to
centralize logs from these clients (i.e. detections, scan results, etc.)
into Netwitness? I have a sneaking suspi...
I have a custom parser that generates some custom metadata, and an ESA
rule that triggers based on events from the custom parser. What I want
is to be able to group alerts into incidents in Incident Management by
the custom meta. Is this possible, an...
Can this be done? I'd like to modify the Live parser for a specific
device type (varonisprobe) to include additional meta (specifically a
rule name). I've downloaded the varonisprobe.netwitness file from Live,
but when I try and import it into ESI, t...
Thanks again, Mohammed - unfortunately I can't make sense of how I would
apply that NamedWindows example to my use case. Could you point me to
better documentation, or help me understand how that would work with the
example I posted above?
Hi Hamed. The value I wanted to use appears in the dropdown after these
changes, but when I create the rule to aggregate alerts in this fashion
it doesn't actually work. Is there some official documentation that can
explain these modifications better...