This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
HaroldTsatsi
Beginner
Beginner
‎2018-06-11 03:52 AM

Rule configuring/customazation

is it possible in security analytics(packet capture)to trigger a specific event for a specific IOC like'31.148.219.177' & 'ptsecurity.com'?

Labels (1)
0 Likes
Reply
3 Replies
EmmanueleLaPort
Employee
Employee
‎2018-06-11 04:14 AM

Hello Harold,

 

https://community.rsa.com/docs/DOC-83630 

 

Please use the App rules.

The way should be:
ip.dst='yourIP' && url='ptsecurity.com' --> This triggers an alert on alert.id with the name you specify in the apprule.

 

To find the correct syntax investigate the meta from the investigator select them and then do copy and paste.

0 Likes
Reply
HaroldTsatsi
Beginner
Beginner
In response to EmmanueleLaPort
‎2018-06-11 04:27 AM

if possible would you please share the correct syntax,then will replace that with the IOC i have?

0 Likes
Reply
Arasnick
Contributor
Contributor
‎2018-07-18 09:58 AM

If you are creating an app rule, you could call it "PTsecurity alert":

Condition - ip.dst = 31.148.219.177 && alias.host = "ptsecurity.com" 

 

Check Stop Rule Processing, and pick what your intentions are with the session (Keep/Filter/Truncate), Check Alert and Alert on Alert so it shows up under the Alert key in your Investigator module.

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.