Hi Folks,
We have setup app rule by following the below document:
Feed Me! Cisco AMP ThreatGrid Intelligence Feeds
We also see logs with below meta in the investigation tab (because of app-rule):
threat.source = 'cisco amp threatgrid'
My questions is that can we use this meta value in ESA rule? I have tried to configure the one but doesn't seem to be working (not getting triggered). Any pointers??
Thanks in advance,
Utsav Sejpal
Hi Utsav,
Can you try event.threat_source contains 'threatgrid'
I have come across this ESA contains operator value doesn't accept "space".
Hi Sravan Koneti,
Thanks for your input. I modified the rule as you suggested but still no luck
Is there specific configuration we need to do since log decoder app rule appends "Threat Source" field in the logs and we are trying to call it in the ESA rule? Just a thought...
Also attaching primary rule (log decoder app rule) for reference.
Thanks,
Utsav Sejpal
Hi Utsav,
App rule responsible for generating the meta value only.
I believe, typo is single quote (') around the threatgrid meta value. Please try event.threat_source contains threatgrid
Hi Sravan Koneti,
Bang on!!
Thanks a lot my friend it's working
Best Regards,
Utsav Sejpal
Hi Utsav,
Nice to hear this rule is working.
Hello Utsav,
we should be careful to use the meta threat_source. This meta, in ESA, we should be declared as an array
and we have to use a rule with this sintax
Alternatively, you could use directly the meta tg.analysis:
event.tg_analysis is not null
Best Regards,
Roberto
Hi Utsav,
App rule responsible for generating the meta value only.
I believe, typo is single quote (') around the threatgrid meta value. Please try event.threat_source contains threatgrid