Hi
I need to create a correlation rule in ESA. I need to add a watchlist to filter out some IP ranges and also to set cache variables for correlation.
How do I achieve this in the ESA Basic Rule Editor?
Hi Patrick,
Thanks for the reply
Can we apply the custom feeds to multiple decoders? And how do we create custom feeds if the watchlist contains a "regex"?
Here is the logic for the cache variables:
Two statements.
The first statement captures logs from a specific event category, filtered based on action.
The second statement captures a specific event ID and filters events based on the cached source and action.
You can create an app rule on each decoder with a regex.
You can create the app rule to say, for example:
Apprulename=regex_test
user regex {regex expression}
and then select the "alert on" meta key (select the meta key you want the alert to be on), for example the alert meta key.
Then on the ESA just look for the tag alert=regex_test.
On the other question, you can combine statements: for example, in one statement set the device type,
in the second statement the msg ID,
and so on....
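The two-statement correlation described in the question, with the decoder-side regex tag and the feed-based watchlist exclusion from the replies, written out as an ESA advanced (EPL) rule. This is an added example and not code posted by anyone in this thread or shipped with NetWitness. Assumptions: the app rule from the reply above writes `regex_test` into the `alert` meta key; the custom feed tags excluded source IPs with the hypothetical meta key `watchlist_tag` set to `excluded_range`; the first statement is a failed logon (`ec_activity`/`ec_outcome`) and the second is Windows event ID 4624 (`reference_id`); the 10 minute window and the output column names are arbitrary. What the Basic Rule Builder does by grouping statements on a shared meta key is expressed here as an EPL pattern that binds `ip_src` in the first event and reuses it in the second.

```epl
/* Added example, not from the thread. Meta key names follow NetWitness
   conventions; watchlist_tag, 'excluded_range', the event category/outcome
   values and the 10 minute window are assumptions to adapt to your data. */
@Name('RegexTest_FailedThenSuccessfulLogon')
@RSAAlert(oneInSeconds=0)
SELECT a.ip_src      AS source_ip,
       a.user_dst    AS first_user,
       b.reference_id AS second_event_id
FROM PATTERN [
    /* Statement 1: specific event category, filtered by outcome ("action"),
       only for events the decoder app rule tagged with alert=regex_test.
       alert is multi-valued in ESA, so test membership rather than equality
       (assumption: check how the key is declared in your ESA meta settings). */
    every a = Event(
        ec_activity = 'Logon'
        AND ec_outcome = 'Failure'
        AND alert.anyOf(v => v = 'regex_test')
        /* Watchlist exclusion: IPs tagged by the custom feed are dropped.
           The IS NULL test matters: untagged events carry no watchlist_tag,
           and a bare != comparison against a null meta value is not true,
           so without it every untagged event would be filtered out too. */
        AND (watchlist_tag IS NULL OR watchlist_tag != 'excluded_range')
    )
    /* Statement 2: specific event ID, correlated on the source captured
       ("cached") from statement 1, filtered by outcome, inside the window. */
    -> (
        b = Event(
            reference_id = '4624'
            AND ec_outcome = 'Success'
            AND ip_src = a.ip_src
        ) where timer:within(10 min)
    )
];
```

To use it, create the rule under ESA as an Advanced EPL rule rather than in the Basic Rule Builder, and check the meta key declarations (single-valued versus array) in your ESA configuration before deploying, since the `anyOf` form is required only for keys declared as arrays.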
Hey shanthi_t02,
For your watchlist, you could look into creating a custom feed to tag your IPs at the Decoder level:
Create a Custom Feed - RSA Security Analytics Documentation
Then you could simply apply logic in your ESA rule to say != 'MyCustomFeedMeta'.
For your cache variables, it would help to understand the logic of the rule you want to create.