is it possible in security analytics(packet capture)to trigger a specific event for a specific IOC like'184.108.40.206' & 'ptsecurity.com'?
- Community Thread
- Forum Thread
- NetWitness Orchestrator
- RSA NetWitness
- RSA NetWitness Orchestrator
- RSA NetWitness Platform
Please use the App rules.
The way should be:
ip.dst='yourIP' && url='ptsecurity.com' --> This triggers an alert on alert.id with the name you specify in the apprule.
To find the correct syntax investigate the meta from the investigator select them and then do copy and paste.
If you are creating an app rule, you could call it "PTsecurity alert":
Condition - ip.dst = 220.127.116.11 && alias.host = "ptsecurity.com"
Check Stop Rule Processing, and pick what your intentions are with the session (Keep/Filter/Truncate), Check Alert and Alert on Alert so it shows up under the Alert key in your Investigator module.