
How to tell what is in CONTENT Field

Discussion created by RSA Admin Employee on Jul 21, 2011
Latest reply on Aug 2, 2011 by RSA Admin

I have read the correlation rules document and it says:

 

Note: The value of the [CONTENT] variable in the Set Statement Filter Window is the same as the value of payload.

 

I am looking at Windows messages and almost none of the messages in the XML have a !payload variable used. Does this mean that the entire "content=" part of the message goes into [CONTENT]?

 

Is there a way to see what is actually in [CONTENT] so that I can write an appropriate regex?

 

Thanks!!!!!!!!  :smileyhappy:
