ESA Live Rules - Tuning?
Can the parameters of ESA Live rules be changed? I ask this because I am trying some of the rules from Live and am noticing a high amount of false positives in certain cases and would like to add parameter conditions to exclude items like proxy IPs, etc. Something as simple as ip.addr != 192.168.6.10. I cannot seem to find a way to add or remove any parameters. Does anyone happen to know if these are able to be tuned?
- Community Thread
- Event Stream Analysis
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
I don't know if it is possible to add parameter conditions, but you can show syntax, copy the source and use this source to create an Advanced EPL rule.
Description: Alert when network sessions contain 40 unique IP destinations with the same source IP and destination port within 180 seconds, indicating a horizontal port scan. The time window, destination port range and number of unique IP destinations are configurable.
// Advanced EPL rule: horizontal port scan, with the proxy exclusion added.
// @RSAAlert marks the statement as alert-generating when deployed on ESA.
@RSAAlert
SELECT * FROM Event(
    medium = 1
    AND ip_src IS NOT NULL
    AND ip_dst IS NOT NULL
    AND (tcp_dstport IN [1:1024] OR udp_dstport IN [1:1024])
    // tuning: drop sessions involving the proxy before they enter the window
    // (ip_addr as written in the thread; use ip_src/ip_dst if ESA does not expose it)
    AND ip_addr NOT IN ('192.168.6.10')
).std:groupwin(ip_src, tcp_dstport, udp_dstport)
.win:time_length_batch(180 seconds, 40)
GROUP BY ip_src, tcp_dstport, udp_dstport
// the description asks for 40 unique destinations, so count distinct ip_dst
HAVING count(distinct ip_dst) = 40;
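To check a tuning change before deploying it, it helps to replay the rule's logic over known traffic offline. The following Python script is an added example, not code from this thread or from RSA: it approximates the Event(...) filter, the std:groupwin / win:time_length_batch(180 seconds, 40) window and the HAVING count(distinct ip_dst) = 40 condition, and runs them over constructed sessions (a real scan, the excluded proxy doing the same thing, a host retrying 20 targets, a high-port scan and a slow scan). The threshold constants, the session field names and all IP addresses are assumptions chosen to mirror the rule above, and Esper's timer-driven time batch is simplified to closing a batch when the next event for that group arrives after the window.

```python
"""Offline replay of the tuned horizontal-port-scan rule (added example, not RSA code).

Approximates: Event(filter).std:groupwin(ip_src, tcp_dstport, udp_dstport)
              .win:time_length_batch(180 seconds, 40)
              HAVING count(distinct ip_dst) = 40
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Tunables, one per parameter the rule description calls configurable,
# plus the exclusion list the thread wanted to add (assumed values).
WINDOW_SECONDS = 180
BATCH_LENGTH = 40
UNIQUE_DST_THRESHOLD = 40
PORT_RANGE = range(1, 1025)          # tcp_dstport / udp_dstport IN [1:1024]
EXCLUDED_IPS = {"192.168.6.10"}      # ip_addr NOT IN ('192.168.6.10')


@dataclass
class Session:
    """One network session (medium = 1) as ESA would see it (assumed field names)."""
    ts: float                 # seconds; the replay uses this for the time window
    ip_src: str
    ip_dst: str
    tcp_dstport: Optional[int] = None
    udp_dstport: Optional[int] = None


def passes_filter(s: Session) -> bool:
    """The Event(...) filter: both IPs present, low destination port, proxy excluded."""
    if not s.ip_src or not s.ip_dst:
        return False
    if s.ip_src in EXCLUDED_IPS or s.ip_dst in EXCLUDED_IPS:
        return False
    return s.tcp_dstport in PORT_RANGE or s.udp_dstport in PORT_RANGE


def detect(sessions: List[Session]) -> List[Tuple[str, int, int]]:
    """Replay sessions in time order; return (ip_src, dst port, distinct ip_dst) per alert.

    Each (ip_src, tcp_dstport, udp_dstport) group keeps its own batch, which closes
    after BATCH_LENGTH events or once WINDOW_SECONDS have passed since its first event.
    Esper fires the time batch from a timer; here it is closed when the next event for
    that group arrives past the window, or at the end of the replay (an approximation).
    """
    batches = {}   # group key -> sessions in the currently open batch
    alerts = []

    def close(key):
        batch = batches.pop(key)
        distinct = len({s.ip_dst for s in batch})
        if distinct == UNIQUE_DST_THRESHOLD:            # HAVING count(distinct ip_dst) = 40
            port = key[1] if key[1] is not None else key[2]
            alerts.append((key[0], port, distinct))

    for s in sorted(sessions, key=lambda x: x.ts):
        if not passes_filter(s):
            continue
        key = (s.ip_src, s.tcp_dstport, s.udp_dstport)
        if key in batches and s.ts - batches[key][0].ts >= WINDOW_SECONDS:
            close(key)                                  # time limit reached first
        batches.setdefault(key, []).append(s)
        if len(batches[key]) >= BATCH_LENGTH:
            close(key)                                  # length limit reached first
    for key in list(batches):
        close(key)                                      # flush whatever is still open
    return alerts


def sample_sessions() -> List[Session]:
    """Constructed traffic (not real captures) covering the cases tuning must get right."""
    s = []
    # 1. Real horizontal scan: 40 distinct hosts on tcp/445 inside 40 seconds -> alert.
    s += [Session(1000 + i, "10.1.1.5", f"10.2.0.{i + 1}", tcp_dstport=445) for i in range(40)]
    # 2. The proxy doing the same on tcp/443 -> dropped by the exclusion, no alert.
    s += [Session(1000 + i, "192.168.6.10", f"10.3.0.{i + 1}", tcp_dstport=443) for i in range(40)]
    # 3. 40 sessions but only 20 distinct hosts (retries) on tcp/22 -> no alert.
    s += [Session(2000 + i, "10.1.1.9", f"10.4.0.{i % 20 + 1}", tcp_dstport=22) for i in range(40)]
    # 4. 40 distinct hosts on tcp/8080 -> outside [1:1024], never enters the window.
    s += [Session(2000 + i, "10.1.1.7", f"10.5.0.{i + 1}", tcp_dstport=8080) for i in range(40)]
    # 5. Slow scan, one host every 10 s on udp/161: each 180 s batch holds only 18 -> no alert.
    s += [Session(3000 + 10 * i, "10.1.1.11", f"10.6.0.{i + 1}", udp_dstport=161) for i in range(40)]
    return s


if __name__ == "__main__":
    for ip_src, port, n in detect(sample_sessions()):
        print(f"ALERT horizontal scan: {ip_src} -> {n} hosts on port {port}")
```

Only the first scenario alerts. Case 5 is worth noticing when tuning: because the batch is length-or-time, a scanner that spreads 40 targets over more than 180 seconds never reaches the threshold inside one batch, so lowering the count or widening the window is a trade-off against the retry noise that case 3 shows.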
Thanks Roberto - That worked perfectly.
RSA - as a quick note, it would be great if you could simplify tuning of NW by allowing a right-click feature to exclude or include IPs and other objects of interest that have impact on rules. Quick reference: IBM QRadar...