
How to call threat feed based app-rule in ESA rule

Question asked by Utsav Sejpal on Jun 12, 2017
Latest reply on Jun 14, 2017 by roberto fasciani

Hi Folks,

We have set up an app rule by following the document below:

Feed Me! Cisco AMP ThreatGrid Intelligence Feeds

We also see logs with the below meta in the Investigation tab (because of the app rule):

threat.source = 'cisco amp threatgrid'

My question is: can we use this meta value in an ESA rule? I have tried to configure one, but it doesn't seem to be working (not getting triggered). Any pointers?

Thanks in advance,

Utsav Sejpal
