Hi
Help me implement the mechanics of detecting suspicious addresses in arbitrary events using an active list.
Now I'm trying to describe a rule that will compare the Indicator Value column of the list with the Device Address field of the event, and if there is a match, I want to set the criticality level of the event to the maximum.
At the moment, here is my description of the rule:
event1 : (
Device Address Is NOT NULL
AND
InActiveList("AlienVault Feeds DB")
AND Not(
DeviceVendor = AlienVault
And
Device Product = OTX
And
Agent ID = /All Connectors/AlienVault_OTX/alienvault_feeds
) AND
Type In (Base, Aggregated)
)
Although I have not fully understood how these are written, even I can see that this is not enough.
How can I specify in the InActiveList condition which column should be checked? Perhaps a custom variable should be used; if so, how?
Can I get the desired result with a rule alone, or do I need to describe additional filters or something else for it to work correctly? Or do you know other implementation options?
Thank you in advance
Bohdan
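As an added illustration of the logic the question describes (this is example code written here, not ArcSight's rule language and not anything from the original post), the following Python models an active list as rows with named columns, checks an event's Device Address against the "Indicator Value" column, excludes the events generated by the feed connector itself (the vendor, product and agent-ID values quoted in the question), restricts the match to Base and Aggregated events, and raises matched events to the maximum priority. The list rows, the events and the 0-10 priority scale are constructed assumptions for the example.

```python
"""Example: match an event field against one column of a threat-intel active list
and escalate matched events. Constructed data; not ArcSight code."""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_PRIORITY = 10  # assumption: top of a 0-10 event priority scale

# Values quoted in the question for the feed-ingestion events that must be excluded
FEED_VENDOR = "AlienVault"
FEED_PRODUCT = "OTX"
FEED_AGENT_ID = "/All Connectors/AlienVault_OTX/alienvault_feeds"


@dataclass
class Event:
    device_address: Optional[str]
    device_vendor: str
    device_product: str
    agent_id: str
    event_type: str          # "Base", "Aggregated", "Correlation", ...
    priority: int = 3        # assumption: a typical default priority


# Constructed active list: each row is a mapping of column name -> value
ACTIVE_LIST: List[Dict[str, str]] = [
    {"Indicator Value": "198.51.100.23", "Indicator Type": "IPv4", "Source": "feed-A"},
    {"Indicator Value": "203.0.113.7",   "Indicator Type": "IPv4", "Source": "feed-B"},
    {"Indicator Value": "evil.example",  "Indicator Type": "domain", "Source": "feed-B"},
]


def index_column(rows: List[Dict[str, str]], column: str) -> set:
    """Build a lookup set from ONE named column, so the match is explicit
    about which column of the list is compared against the event field."""
    return {row[column].strip() for row in rows if row.get(column)}


def is_feed_ingest_event(ev: Event) -> bool:
    """True for the events that merely load indicators into the list; these
    would otherwise match their own indicator and fire the rule spuriously."""
    return (ev.device_vendor == FEED_VENDOR
            and ev.device_product == FEED_PRODUCT
            and ev.agent_id == FEED_AGENT_ID)


def matches_rule(ev: Event, indicators: set) -> bool:
    """Mirror of the question's condition: address present, found in the
    Indicator Value column, not a feed event, and of type Base/Aggregated."""
    if not ev.device_address:
        return False
    if ev.device_address.strip() not in indicators:
        return False
    if is_feed_ingest_event(ev):
        return False
    return ev.event_type in ("Base", "Aggregated")


def apply_rule(events: List[Event], rows: List[Dict[str, str]]) -> List[Event]:
    """Escalate every matching event to MAX_PRIORITY and return the matches."""
    indicators = index_column(rows, "Indicator Value")
    matched = []
    for ev in events:
        if matches_rule(ev, indicators):
            ev.priority = MAX_PRIORITY
            matched.append(ev)
    return matched


# Constructed sample events
SAMPLE_EVENTS = [
    Event("198.51.100.23", "Cisco", "ASA", "/All Connectors/fw01", "Base"),
    Event("198.51.100.23", FEED_VENDOR, FEED_PRODUCT, FEED_AGENT_ID, "Base"),  # feed load
    Event("203.0.113.7", "Palo Alto", "PAN-OS", "/All Connectors/fw02", "Correlation"),
    Event(None, "Microsoft", "Windows", "/All Connectors/win01", "Base"),
    Event("192.0.2.9", "Cisco", "ASA", "/All Connectors/fw01", "Aggregated"),
]

if __name__ == "__main__":
    for ev in apply_rule(SAMPLE_EVENTS, ACTIVE_LIST):
        print(f"match: {ev.device_address} from {ev.agent_id} -> priority {ev.priority}")
```

Only the first sample event matches: the second has the same address but comes from the feed connector, the third is a Correlation event, the fourth has no address and the fifth address is not in the list. The same `matches_rule` check can be run over several address fields (for example source and destination addresses) by passing each field's value in turn, which is usually what "arbitrary events" requires in practice.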