I want to deploy rule for Mirai Botnet. Event Device Type is Customdns, Event.threat_Category is Malware and Event.threat_subtype is Mirai Aggregation is 2500 Events in 1 minute. but still I am getting many alerts. What to do to reduce the numberof matche
I want to deploy rule for Mirai Botnet. Event Device Type is Customdns, Event.threat_Category is Malware and Event.threat_subtype is Mirai Aggregation is 2500 Events in 1 minute. but still I am getting many alerts. What to do to reduce the number of matches. Is there a way to supress alerts after first alert for certain duration to keep minimum false positives?
I've moved your question to the RSA NetWitness Platform" data-type="space space where it will be seen by the product's support engineers, other customers and partners. Please bookmark this page and use it when you have product-specific questions.
Alternatively, from the RSA Customer Support" data-type="space page, click on Ask A Question on the blue navigation bar and choose . From there, scroll to RSA NetWitness Platform" data-type="space and click Ask A Question. That way your question will appear in the correct space.
you can suppress alert using the EPL "output first" construct, that allow you to generate only the first alert for the "group by" meta and then suppress all successive alerts generated by the rule for a arbitrary time frame.
Below you can find an example of rule that use "output first". Any single source IP address can trigger this rule only one time at hour. Don't forget to add the "window(*)" in the select, otherwise the alert will report only the first event matched.
SELECT window(*) from Event(
.win:time_length_batch(60 seconds, 2500)
GROUP BY ip_src
HAVING COUNT(*) = 2500
output first every 60 minutes;