Hi,
I've setup an ESA alert to trigger when a meta in 'alert' is generated and matches a certain string.
I'd like to be able to filter false positives based on a ip.dst value.
I thought I had it figured out by adding another condition that states if ip.dst is not a certain value, but it still seems to be triggering.
Updated ESA rule has been deployed.
Any hints on where to look?
Thanks,
Here is the text, I've redacted the components that are internal only.
------------
/* EPL section. If there is no text here it means there were no statements. */
module Module_573b9327e4b0b1e0a26b2315;
@Name('Module_573b9327e4b0b1e0a26b2315_Alert')
@Description('Alerts when a new Intel Alert comes in')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
/* Statement: Crowdstrike Alert */
(alert.toLowerCase() LIKE '%string1%' OR alert.toLowerCase() LIKE '%string2%' OR alert.toLowerCase() LIKE '%string3%' OR alert.toLowerCase() LIKE '%string4%' OR alert.toLowerCase() LIKE '%string5%' OR alert.toLowerCase() LIKE '%string6%')
AND
/* Statement: False Positive filtering */
(ip_dst.toLowerCase() NOT IN ( '1.2.3.4' ) OR ip_dst.toLowerCase() NOT IN ( '1.2.3.5' ))
)
;
Hello Jeremy,
I have a question, is alert a multi-valued meta keys?
In this case you should use cast or matchLike to trigger an event.
Ex (Version 10.6.4+):
@RSAAlert
SELECT * FROM Event(
(matchLike(alert, ‘%string1%’) OR matchLike(alert, ‘%string2%’))
AND ip_dst NOT IN ('1.2.3.4','1.2.3.5')
)
;
Yes, the alert can be a number of different strings based on threat actor.
the alert works fine. it's the filtering out of false positives based on destination IP address is the part that doesn't work.
You should try:
ip_dst NOT IN ('1.2.3.4','1.2.3.5')
Yep, that appears to have the effect I'm looking for.
Thanks so much.
You should try:
ip_dst NOT IN ('1.2.3.4','1.2.3.5')