Netwitness: Scan attachment for specific text
Good afternoon,
I'm trying to get Netwitness to scan an attachment, in an email, for a specific value and fire a custom alert. For example, I would like to scan a document file attached to an email, containing the word "test".
I've tried variations of the following to no success:
service = '25' && attachment ends 'doc' && content contains test
service = '25' && content contains test
content contains test
For the testing of these rules I created a .doc file with the word test inside and sent it across the monitored wire to my web mail. I found the email under meta tagged as service 25 though it did not fire the custom rule alert.
I think the rule is searching the email content for test instead of the attachment.
Thank you for any assistance!!
Accepted Solutions
You can't do that in a rule, rules cannot scan packets. Rules are meant for acting on already created meta. You would need to write a parser to scan an email. This thread might help:
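The distinction drawn in the answer above, shown offline as an added example that is not part of the original thread and is not NetWitness parser code: a rule only sees meta such as the service and attachment name, while the attachment itself travels base64-encoded inside a MIME part, so the word only becomes visible once a parser walks the parts and decodes them. The function names, the sample addresses and the stand-in attachment bytes are assumptions made for the illustration.

```python
# Added illustration, not NetWitness parser code: why a meta-only rule never
# sees a word that exists only inside an email attachment.
from email import message_from_bytes, policy
from email.message import EmailMessage

KEYWORD = b"test"

def build_sample_message() -> bytes:
    """Constructed sample: the only occurrence of KEYWORD is in the attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "quarterly numbers"
    msg.set_content("See attached.")
    # Stand-in bytes for the document; a real .doc needs format-aware extraction.
    msg.add_attachment(b"this is a test document", maintype="application",
                       subtype="msword", filename="report.doc")
    return msg.as_bytes()

def session_meta(raw: bytes) -> dict:
    """Simplified model of the meta a rule acts on: service and attachment names."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {"service": 25,
            "attachment": [p.get_filename() for p in msg.iter_attachments()]}

def raw_contains(raw: bytes, keyword: bytes = KEYWORD) -> bool:
    """Naive byte search over the message exactly as it was transmitted."""
    return keyword in raw

def attachments_containing(raw: bytes, keyword: bytes = KEYWORD) -> list:
    """What a parser must do: walk the MIME parts and undo the transfer encoding."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # base64 -> original bytes
        if keyword in data:
            hits.append(part.get_filename())
    return hits

if __name__ == "__main__":
    raw = build_sample_message()
    print("meta:", session_meta(raw))
    print("keyword in raw bytes:", raw_contains(raw))
    print("attachments with keyword:", attachments_containing(raw))
```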
