on Feb 25, 2015Hi
I need to create correlation rule in ESA .I need to add watchlist to filter out some Ip range and also to set cache variables for correlation.
How to achieve this in ESA Basic rule Editor ?
Hi
I need to create correlation rule in ESA .I need to add watchlist to filter out some Ip range and also to set cache variables for correlation.
How to achieve this in ESA Basic rule Editor ?
Hi Patrick,
Thanks for the reply
Can we apply the custom feeds to multiple decoder ? And how we create custom feeds if the watchlist contains "regex".
Here is the logic for the cache variables
Two statements
The first statement captures log from an specific event category filtered based on action.
and the second statement captures specific event id and filter events based on cached source and action.
Feeds can be applied to as many as many Decoders as you like, unfortunately you cannot use REGEX in Feeds though.
I would add the two Meta fields into the "Group By" field on the basic rule builder to then group based on x number of the same instances being seen.
you can create an app rule on each decoder with a regex.
you can create the app rule to say for example
Apprulename=regex_test
user regex {regex expression}
and then select the alert on (select the metakey you want the alert to be on) for example on the meta alert
then on the ESA just look for the tag alert=regex_test
On the other question you can combine statements for example in one statement set the device type
the second statement the msg id
and so on....
Hey shanthi_t02,
For your watchlist, you could look into creating a custom feed to tag your IP's at the Decoder level:
Create a Custom Feed - RSA Security Analytics Documentation
Then you could simply apply logic in your ESA rule to say !='MyCustomFeedMeta'.
For your cache variables it would help to understand the logic of the rule you want to create.