izik
Level 7

ds rules

hi

Can someone please explain to me what data source rules are?

And why do I have so many DS rules on 1 data source?

Thanks

infoseced
Level 7

Re: ds rules

Data source rules are rules specific to a data source type. There are three primary types that will typically generate a lot of data source rules; these are "auto learned" by the SIEM.

For Windows event logs, they will get parsed and added as data source rules, e.g. if you have a custom service creating events in the Security event log and you are gathering the Security event log.

Then vulnerability data sources (Rapid7, Nessus, etc.) will generate data source rules from the scan results data.

Then lastly, you will have data source rules auto-generated by syslog data sources where you specified the data source definition option "Support Generic Syslogs - Process as generic syslog". This typically bombs out the data source rules if you leave this option on, as it will instantiate a DS rule per line of syslog. Only use "parse as generic syslog" TEMPORARILY. Then write a regex ASP parser rule, ensure you enable that new ASP rule in the policy you have associated with the "parse as generic syslog" data source, then set that data source to "Support Generic Syslogs - Do nothing" and roll out policy.
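The effect described above, modelled in Python as an added example (not the thread's or the SIEM vendor's code): "process as generic syslog" learns one rule per distinct raw message, while a regex parser with named groups collapses the variable fields so the same lines land on a handful of rules. The sample syslog lines and rule names are constructed, and the Python regexes stand in for ASP parser rules, whose real syntax is not shown on this page.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original thread): one service,
# three message shapes, with per-line variable fields (PID, user, IP, port).
SAMPLE_SYSLOG = [
    "<86>Mar  1 10:00:01 fw01 sshd[1201]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "<86>Mar  1 10:00:07 fw01 sshd[1207]: Accepted password for bob from 10.0.0.9 port 51240 ssh2",
    "<86>Mar  1 10:00:09 fw01 sshd[1210]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2",
    "<86>Mar  1 10:00:12 fw01 sshd[1211]: Failed password for invalid user root from 203.0.113.7 port 4023 ssh2",
    "<86>Mar  1 10:00:30 fw01 sshd[1215]: Connection closed by 10.0.0.5 port 51234",
]

# Hypothetical stand-in for custom ASP regex parser rules: named groups capture the
# variable fields; everything else is the fixed message template the rule keys on.
PARSER_RULES = [
    ("sshd-auth-accepted", re.compile(
        r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")),
    ("sshd-auth-failed", re.compile(
        r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")),
    ("sshd-conn-closed", re.compile(
        r"sshd\[(?P<pid>\d+)\]: Connection closed by (?P<src_ip>\S+) port (?P<src_port>\d+)")),
]

def generic_syslog_rules(lines):
    """Model of 'Process as generic syslog': every distinct raw message text becomes its own learned rule."""
    return Counter(line.split("]: ", 1)[1] for line in lines)

def parsed_rules(lines, rules=PARSER_RULES):
    """Model of custom parser rules: each line is attributed to the first rule whose regex matches.
    Unmatched lines are returned separately so you can see what would still fall back to auto-learning."""
    matched, unmatched = Counter(), []
    for line in lines:
        for name, pattern in rules:
            if pattern.search(line):
                matched[name] += 1
                break
        else:
            unmatched.append(line)
    return matched, unmatched

def extract_fields(line, rules=PARSER_RULES):
    """Return the named-group fields for the first matching rule, or None if no rule applies."""
    for name, pattern in rules:
        m = pattern.search(line)
        if m:
            return {"rule": name, **m.groupdict()}
    return None
```

Running `parsed_rules(SAMPLE_SYSLOG)` against `generic_syslog_rules(SAMPLE_SYSLOG)` shows five learned rules shrinking to three, which is the rule explosion the post warns about and the reason to switch the data source back to "Do nothing" once the parser rule is in policy.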

izik
Level 7

Re: ds rules

Hi

Can I disable auto learned?

If Support Generic Syslogs is configured as "Log Unknown...", is auto learned still going to work?

infoseced
Level 7

Re: ds rules

No way that I know of.

Log unknown will lump everything into a generic "rule message".

izik
Level 7

Re: ds rules

So if I have a syslog data source and I want to avoid auto learned, I need to configure Support Generic Syslogs as "do nothing"?

infoseced
Level 7

Re: ds rules

Yes

izik
Level 7

Re: ds rules

Hi

I think it is not working... take a look.

What do you think?

This is after I changed to "do nothing" and deleted all the auto learned rules (as you can see, they pop up again).

[Screenshot attachment: 33.JPG]

infoseced
Level 7

Re: ds rules

Did you create a custom ASP parser rule? Did you write the DS config to the receiver and re-roll out policy?

sssyyy
Level 12

Re: ds rules

These data source rules are created as part of ASP, auto learnt. What are you trying to achieve?

izik
Level 7

Re: ds rules

I'm trying to avoid this DS auto-learning.
