
Rule Packet Decoder + Log Decoder

Question asked by Samanta Santos on Oct 21, 2019
Latest reply on Nov 12, 2019 by Joshua Randall

Hi,
I need to create a rule that fires when my Packet Decoder detects a threat followed by an action from my Log Source (such as a firewall), such as DROP/BLOCK.
I did it like this, but the rule is wrong. Could you help me?
SELECT * FROM Event(
/* Statement: ioc */
(isOneOfIgnoreCase(ioc,{ 'possible poison ivy' }))
AND
/* Statement: firewall action */
(isNotOneOfIgnoreCase(action,{ 'block' }) AND isNotOneOfIgnoreCase(action,{ 'drop' }) AND isNotOneOfIgnoreCase(action,{ 'deny' }))

)
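
The rule above cannot match for two reasons. First, it requires the ioc meta and the firewall action meta to be present on the same event, which never happens because the two come from different sources (the Packet Decoder populates ioc, the Log Decoder populates action). Second, isNotOneOfIgnoreCase selects events whose action is anything except block/drop/deny, the opposite of what is wanted. A sequence across two events is written in Esper EPL with a PATTERN and the followed-by operator ->. The rule below is an added example written for this page, not the poster's rule or an RSA-supplied one. It assumes that both events carry the source address in ip_src, that the firewall events have device_class set to 'Firewall', that a five-minute correlation window is acceptable, and that it is deployed as a NetWitness ESA advanced EPL rule (hence the @RSAAlert annotation).

```sql
/* Added example (not from the original post): correlate a Packet Decoder IOC
   with a later firewall block/drop/deny for the same source host.
   Assumptions: both event types carry ip_src; firewall events carry
   device_class = 'Firewall'; a 5-minute window is acceptable. */
@RSAAlert
SELECT a.ip_src AS src, a.ioc AS ioc, b.action AS fw_action
FROM PATTERN [
    /* Step 1: the Packet Decoder tags a session with the IOC. */
    every a = Event(isOneOfIgnoreCase(ioc, { 'possible poison ivy' }))
    /* Step 2: followed by a firewall event for the SAME source that blocked it.
       isOneOfIgnoreCase (not isNotOneOfIgnoreCase) so the rule matches the
       block/drop/deny outcome rather than everything else. */
    -> b = Event(
            isOneOfIgnoreCase(device_class, { 'firewall' })
            AND isOneOfIgnoreCase(action, { 'block', 'drop', 'deny' })
            AND ip_src = a.ip_src)
    /* Step 3: stop waiting after 5 minutes so unmatched IOCs do not
       accumulate in the engine. */
    where timer:within(5 minutes)
];
```

The join condition ip_src = a.ip_src is what ties the two events together; without it any firewall drop anywhere would complete the pattern. Check that the firewall logs actually parse the internal host into ip_src (and not only into ip_dst) before relying on it, and if the intended alert is the inverse case, an IOC that the firewall did not block, the same PATTERN shape applies with the action test swapped back to isNotOneOfIgnoreCase.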
