000026967 - How to add Application Rules to RSA NetWitness Platform Decoders using the REST API

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Sep 24, 2019.
Version 5

Article Content

Article Number: 000026967
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Decoder
RSA Version/Condition: 10.6.x, 11.x
Platform: CentOS 6, 7
Issue: How to add Application Rules to RSA NetWitness Decoders using the REST API.
  1. Access REST using a web browser

    Using a web browser, navigate to: http://<decoder_ip>:50104/decoder/config/rules

    Note: If SSL is enabled on the REST interface, the URL is: https://<decoder_ip>:50104/decoder/config/rules

    You'll be prompted for a username and password. You can use the same credentials used to add the service under Administration \ Device, e.g. username: admin


  2. Click the (*) next to the application

  3. Example of adding an Application Rule
    In this example, we will alert if the DNS hostname contains "www.google.com":

    method: add
    Parameters: name=testAppRule rule="alias.host contains \"www.google.com\"" alert=alert
    Click the Send button
    Output: Success

    Copy the full URL: /decoder/config/rules/application?msg=add&force-content-type=text/plain&expiry=600&name=testAppRule&rule=alias.host%20contains%20%22www.google.com%22&alert=alert
  4. Displaying Application Rules
    Changing the method back to 'ls' reveals that this application rule has been added as the last Application Rule.

  5. Running the REST call from the command line

    Using the complete URL with curl:
    curl --user "<username>:<password>" "http://<decoder_ip>:50104/decoder/config/rules/application?msg=add&force-content-type=text/plain&expiry=600&name=testAppRule3&rule=alias.host%20contains%20%22www.google.com%22&alert=alert"
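    The steps above, as an added shell example that is not part of the RSA article: it percent-encodes the rule expression the same way the browser did when it produced the URL in step 3 (space becomes %20, the double quote becomes %22), assembles the same msg=add URL for any rule name and expression, and, only when DECODER_URL is set, sends it with curl and then lists the rules with msg=ls to confirm the addition. The decoder URL and username are placeholders, and the helper names urlencode and build_add_rule_url are mine, not part of the NetWitness REST interface.

```shell
#!/bin/sh
# Added example, not from the RSA article. Builds and (optionally) sends the
# Decoder REST "add" call for an application rule.

# Percent-encode a string, leaving only RFC 3986 unreserved characters as-is.
# Works byte by byte so that spaces and quotes in the rule expression are
# encoded the way the REST web page did in step 3 of the article.
urlencode() {
    printf '%s' "$1" | od -An -v -to1 | tr -s ' \n' '\n' | sed '/^$/d' |
    while read -r oct; do
        ch=$(printf "\\$oct")
        case "$ch" in
            [A-Za-z0-9._~-]) printf '%s' "$ch" ;;
            *) printf '%%%02X' "0$oct" ;;
        esac
    done
}

# Assemble the msg=add URL used by the article.
#   $1 base URL, e.g. http://<decoder_ip>:50104   $2 rule name
#   $3 rule expression, e.g. alias.host contains "www.google.com"
#   $4 alert value (the article uses "alert")
build_add_rule_url() {
    printf '%s/decoder/config/rules/application?msg=add&force-content-type=text/plain&expiry=600&name=%s&rule=%s&alert=%s\n' \
        "$1" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")"
}

# Network part: only runs when the operator sets DECODER_URL, e.g.
#   DECODER_URL=https://<decoder_ip>:50104 DECODER_USER=admin sh add_rule.sh
# Giving curl only the username makes it prompt for the password, so the
# password never appears in the process list or shell history.
if [ -n "${DECODER_URL:-}" ]; then
    user="${DECODER_USER:-admin}"
    url=$(build_add_rule_url "$DECODER_URL" testAppRule 'alias.host contains "www.google.com"' alert)
    echo "Adding rule via: $url"
    curl --user "$user" "$url"
    echo
    # Same check as step 4: list the rules and expect the new one last.
    curl --user "$user" "$DECODER_URL/decoder/config/rules/application?msg=ls&force-content-type=text/plain"
fi
```

    Because the rule text is encoded programmatically rather than copied from the browser, the same script works for rule expressions containing other reserved characters (for example '&' or '=' inside a pattern), which would otherwise break the query string if pasted unencoded.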

    If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article ID: a65904