000026967 - How to add Application Rules to RSA Security Analytics Decoders using the REST API

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000026967
Applies To: RSA Security Analytics, RSA NetWitness NextGen
Issue: How to add Application Rules to RSA Security Analytics Decoders using the REST API.
Resolution:

1. Access REST using a web browser
Using a web browser (Firefox works well), navigate to: http://<decoder_ip>:50104/decoder/config/rules

Note: If SSL is enabled on REST, the URL is instead: https://<decoder_ip>:50104/decoder/config/rules

You will be prompted for a username and password. You can use the same credentials that were used to add the service under Administration \ Device, i.e. username: admin


 

2. Click the (*) next to application

3. Example of adding an Application Rule
In this example we will alert if the DNS hostname contains "www.google.com".
method: add
Parameters: name=testAppRule rule="alias.host contains \"www.google.com\"" alert=alert
Click the Send button.
Output: Success

Copy the full URL: /decoder/config/rules/application?msg=add&force-content-type=text/plain&expiry=600&name=testAppRule&rule=alias.host%20contains%20%22www.google.com%22&alert=alert



4. Displaying Application Rules
Changing the method back to 'ls' shows that this application rule has been added as the last Application Rule.


 

5. Running the REST call from the command line
Run the complete URL with curl:
curl --user "<username>:<password>" "http://<decoder_ip>:50104/decoder/config/rules/application?msg=add&force-content-type=text/plain&expiry=600&name=testAppRule3&rule=alias.host%20contains%20%22www.google.com%22&alert=alert"
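
The following Python example is added here and is not part of the original RSA article. It builds the same add-rule URL as steps 3 and 5 but percent-encodes the rule automatically, so a rule containing `&`, `=` or quotes is not split into separate query parameters, and it prompts for the password instead of placing it on the command line. The function names are hypothetical helpers chosen for illustration.

```python
import base64
import getpass
import urllib.request
from urllib.parse import quote, urlencode

REST_PORT = 50104  # Decoder REST port used in the article's URLs
RULES_PATH = "/decoder/config/rules/application"


def build_add_rule_url(decoder, name, rule, alert="alert", tls=True):
    """Return the REST URL that adds one application rule (hypothetical helper)."""
    params = [
        ("msg", "add"),
        ("force-content-type", "text/plain"),
        ("expiry", "600"),
        ("name", name),
        ("rule", rule),
        ("alert", alert),
    ]
    # quote_via=quote gives %20 for spaces (not '+'), as in the article's URL;
    # '&', '=' and '"' inside the rule are escaped so they stay in one parameter.
    query = urlencode(params, quote_via=quote, safe="/")
    scheme = "https" if tls else "http"
    return f"{scheme}://{decoder}:{REST_PORT}{RULES_PATH}?{query}"


def add_rule(decoder, user, password, name, rule, tls=True):
    """Send the request with HTTP Basic auth (what curl --user does by default)."""
    req = urllib.request.Request(build_add_rule_url(decoder, name, rule, tls=tls))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    host = input("Decoder address: ")
    user = input("Username: ")
    # getpass keeps the password out of shell history and the process list
    pw = getpass.getpass("Password: ")
    # Use tls=False only when SSL is not enabled on the Decoder's REST port
    print(add_rule(host, user, pw, "testAppRule",
                   'alias.host contains "www.google.com"'))
```

With `tls=False` and the article's rule, `build_add_rule_url` reproduces the query string shown in step 3 exactly.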
 


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article ID: a65904
