AnsweredAssumed Answered

ESA Rules based on the output of other rules

Question asked by slippery on Sep 22, 2014
Latest reply on Sep 23, 2014 by Ankush Baveja

Hi all,

our company is trying to take advantage of the new analytics capabilities offered by the 10.4 and the live content. We are developing ESA rules to detect threats based on their category.

 

For example a windows malware category alert needs to fire only if another ESA rules already fired (some sort of prerequisite). Is there a way to reference the "output" of a rule from within another rule, without copying all the content inside a single element?

 

Let me know if you already found other ways around this kind of problems.

Outcomes