Hello,
In my company's SIEM, there is a significant amount of traffic with service type = OTHER.
What is the significance of all this traffic? Is there a way to correctly link device IPs to the correct service type? I tried following this documentation (Decoder: Map IP Address to Service Type), but it doesn't seem to work properly.
Any advice or help is greatly appreciated!
Thank you.
Lucas,
The link you shared is specifically for Log Decoder -> Parser mapping and would not be applicable to Packet (Network) Decoder.
The Service Type = OTHER falls into 2 categories:
1. Datasets for which RSA has deemed uninteresting traffic (for the most part, forensically) and does not parse it.
2. Datasets which are custom or unique to your environment and for which we have no parser support.
In either case, the process would be to take sample PCAPs of that traffic, analyze it and write a parser if required. For example, we (RSA) do not have an official Spotify parser, but several community members have written them and they can be used on an as-is basis. You can also write custom parsers -- see link below.
https://community.rsa.com/docs/DOC-41370
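An added example of the "take sample PCAPs and analyze it" step described above; this is not code from the thread, from RSA, or from NetWitness. It is a small Python script that reads a libpcap capture (Ethernet/IPv4/TCP only), groups the traffic by destination IP and port, and keeps the first payload bytes seen on each flow, so an analyst can decide which of the traffic currently landing in service = OTHER is uninteresting and which is a custom protocol worth writing a parser for. The capture, addresses and ports are constructed inline for illustration, and the TLS check is a simple heuristic on the record header, not NetWitness's own parsing logic.

```python
"""Triage helper for traffic a packet decoder leaves as service = OTHER.

Parses a libpcap file by hand (no third-party modules), summarizes TCP
flows by destination, and keeps a payload sample per flow. The sample
capture below is constructed for this example.
"""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4      # magic as read little-endian from an LE file
PCAP_MAGIC_BE = 0xD4C3B2A1      # same bytes read from a big-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _ipv4(addr):
    return bytes(int(o) for o in addr.split("."))


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame (checksums left zero; fine for triage)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64,
                     IPPROTO_TCP, 0, _ipv4(src_ip), _ipv4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed capture: two hosts talking to 10.0.0.5:9443, one to 10.0.0.9:5000."""
    frames = [
        _frame("192.168.1.10", "10.0.0.5", 50001, 9443, b"\x16\x03\x01\x00\x2a"),
        _frame("192.168.1.11", "10.0.0.5", 50002, 9443, b"\x16\x03\x01\x00\x31"),
        _frame("192.168.1.10", "10.0.0.9", 50003, 5000, b"HELLO AGENT v2\r\n"),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_records(data):
    """Yield raw frames from a libpcap byte string, handling either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a libpcap file")
    link_type, = struct.unpack_from(end + "I", data, 20)
    if link_type != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != IPPROTO_TCP:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:14 + total_len]
    return src, dst, sport, dport, payload


def summarize(data):
    """Group packets by (dst_ip, dst_port); keep counts, talkers and a payload sample."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "sample": b"", "sources": set()})
    for frame in iter_records(data):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        f = flows[(dst, dport)]
        f["packets"] += 1
        f["bytes"] += len(payload)
        f["sources"].add(src)
        if not f["sample"] and payload:
            f["sample"] = payload[:16]
    return dict(flows)


def looks_like_tls(sample):
    """Heuristic only: TLS record header is content type 0x16 (handshake), version 0x03 0x0x."""
    return len(sample) >= 3 and sample[0] == 0x16 and sample[1] == 0x03


def classify(data):
    """Rows of (dst_ip, dst_port, packets, distinct sources, hint), busiest first."""
    rows = []
    ordered = sorted(summarize(data).items(), key=lambda kv: -kv[1]["packets"])
    for (dst, dport), f in ordered:
        if looks_like_tls(f["sample"]):
            hint = "TLS-like on a non-standard port"
        else:
            hint = "unknown protocol; candidate for a custom parser"
        rows.append((dst, dport, f["packets"], len(f["sources"]), hint))
    return rows


if __name__ == "__main__":
    for row in classify(build_sample_pcap()):
        print(row)
```

To use it on real data, export a capture of the OTHER-classified sessions from the decoder and pass its bytes to `classify()` (for example `classify(open("other.pcap", "rb").read())`). Flows that turn out to be TLS on an unusual port or a known application can be left alone; flows showing a repeating proprietary banner are the ones where a custom parser pays off.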