Hi Folks,
We have set up an app rule by following the document below:
Feed Me! Cisco AMP ThreatGrid Intelligence Feeds
We also see logs with the meta below in the Investigation tab (because of the app rule):
threat.source = 'cisco amp threatgrid'
My question is: can we use this meta value in an ESA rule? I have tried to configure one, but it doesn't seem to be working (not getting triggered). Any pointers?
Thanks in advance,
Utsav Sejpal
Hi Utsav,
The app rule is responsible only for generating the meta value.
I believe the typo is the single quotes (') around the threatgrid meta value. Please try: event.threat_source contains threatgrid
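As an added illustration (not from the thread or from RSA), the same condition written as an ESA advanced rule in Esper EPL, plus a correlated variant; it assumes ESA exposes the app-rule meta threat.source as the string field threat_source (dots become underscores), and that @RSAAlert, the Event stream and ip_src are available as in a standard NetWitness ESA deployment.

```sql
-- Assumed ESA advanced rule (Esper EPL); illustration only, not the thread's own rule.
-- The app rule only writes the meta; ESA must then match on it. Note there are
-- no quotes around the field name and the substring is matched with LIKE.
@RSAAlert
SELECT * FROM Event(
    threat_source IS NOT NULL
    AND threat_source LIKE '%threatgrid%'
);

-- Correlated variant: fire only when the same source host produces a second
-- threatgrid-tagged event within 10 minutes, which cuts single-hit noise.
@RSAAlert
SELECT a.ip_src AS ip_src, a.threat_source AS threat_source
FROM pattern [
    every a = Event(threat_source LIKE '%threatgrid%')
    -> b = Event(threat_source LIKE '%threatgrid%' AND ip_src = a.ip_src)
    where timer:within(10 min)
];
```

Test the first statement alone before adding the correlation, so a missing match can be attributed to the meta name or value rather than to the pattern window.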