drtrry5

Comments in Alerts


Hello,

I have a use case for a rule where I want to send an alert when an infected computer comes online. I have two active lists in use. One that an analyst manually enters information on the infected machine (the manual list) and another where the rule adds information from the alert to throttle the alerts (auto list). This is totally functional in that it correctly alerts on the authentication of the infected machine, but the analysts want a field in the manual list that translates to the alert. Within this field they want the name of the malware. This I am unsure of how to do. How can I have that arbitrary field translate to the alert? Additionally, if this field is added into the active list and isn't present in the base event, will this kill the comparison?

Thanks!


Accepted Solution
michael.selph

Re: Comments in Alerts


I'll take a stab at answering your questions. In order to have a field in an active list populate in a rule, I'd do the following (this may be a bit roundabout, but should work).

Create a field-based active list with two fields. The first will be the field that holds the infected machine name/IP -- make the type appropriate (string for hostname, IP Address for IP) and make that field a key field. The second will be type string and will contain the analyst notes.

Next, create an RTR that looks for the infected machine coming online. In the Active List matching condition, make sure to only choose the field that contains the hostname/IP that you are looking for. You don't have to choose non-key fields if you don't want to.

In the local variables tab, add a new getActiveList variable. Choose the AL that you created in step 1, and choose only the 1 key field just like you did in the matching condition.

Create a new variable, this time String -> ToUpper (or ToLower) and assign it to the variable you just created. So you should now be converting the getAL variable to upper. Make sure to choose the correct field though. It should be something like $getAL.Notes.

Under actions, choose add -> set event field and set whatever event you would like the Notes field to populate in to the name of the ToUpper variable. Something like $notesToUpper.

Make sure you add all variables to your aggregation settings and you should be good to go.

You don't actually have to have a string convert-to-upper variable, but the getAL value variable I've found to be a bit buggy, so out of habit I walk it through a string convert variable first.

I hope this helps.

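As an added illustration (not code from the thread, and not how ArcSight implements it internally), the following Python model walks through the accepted answer's setup: a field-based active list keyed on the host, a rule that matches on the key field only, a getActiveList lookup whose non-key Notes field is converted with ToUpper and written into an event field, and the auto list that throttles repeat alerts. The list names, the `destinationHostName`/`deviceCustomString1` field choices and the sample events are assumptions for the demonstration; it also shows that a non-key field absent from the base event does not break the match, which answers the second question in the original post.

```python
# Added example: a toy model of the two-active-list rule described in the thread.
# List names, field names and events are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class ActiveList:
    """Field-based active list: `keys` are the key fields, other fields ride along."""
    keys: tuple
    entries: dict = field(default_factory=dict)

    def add(self, **fields):
        self.entries[tuple(fields[k] for k in self.keys)] = fields

    def get(self, event):
        # Matching uses ONLY the key fields, so a non-key field (Notes) that is
        # absent from the base event does not affect the comparison.
        return self.entries.get(tuple(event.get(k) for k in self.keys))


# Manual list: analyst enters the infected host plus the malware name (non-key).
INFECTED = ActiveList(keys=("destinationHostName",))
INFECTED.add(destinationHostName="ws-042", Notes="Emotet")  # constructed entry

# Auto list: the rule records hosts it already alerted on, to throttle repeats.
ALERTED = ActiveList(keys=("destinationHostName",))


def evaluate(event):
    """Return the enriched alert event, or None if no alert should fire."""
    entry = INFECTED.get(event)  # the "Active List matching condition"
    if entry is None or ALERTED.get(event) is not None:
        return None
    notes_to_upper = entry["Notes"].upper()  # getActiveList -> String ToUpper
    alert = dict(event)
    alert["deviceCustomString1"] = notes_to_upper  # the "set event field" action
    ALERTED.add(destinationHostName=event["destinationHostName"])  # throttle
    return alert


if __name__ == "__main__":
    # Constructed sample events: a logon from the infected host, then a repeat.
    login = {"name": "Logon success", "destinationHostName": "ws-042"}
    print(evaluate(login))  # enriched alert carrying deviceCustomString1="EMOTET"
    print(evaluate(login))  # None: suppressed by the auto list
```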
drtrry5

Re: Comments in Alerts


Ok, I followed you all the way through this. The only area I am slightly confused with is the local variable names. So, I created my first local var as Malware and tied it back to machineName. This variable should be called Malware.machineName, correct? So, my question is: what will the resulting variable name be after the ToUpper function?

drtrry5

Re: Comments in Alerts


I figured it out!

Thank you for your assistance!

Darren
