1 Reply Latest reply on Dec 18, 2014 6:19 AM by japie

    How to relate ASP rule with Data source

    layer0

      Hello Everyone

       

      I have the following situation: I have integrated the SIEM with an Ironmail and I received the event "SMTPO Service".

      eventos.PNG

       

      I would like to change the parsing for this event in order to identify a field, but I can't find the ASP rule that generates this particular data source.

       

      This is the Data Source

      datasource.PNG

       

      But I don't know which Advanced Syslog Parser rule generates the Data Source.

      asp.PNG

      In other cases it is easy because the parse rule has the same name as the data source, but in this case I don't have a clue how to relate one to another.

       

      Thanks for the help.

        • 1. Re: How to relate ASP rule with Data source
          japie

          Hi Layer0

          Ironmail_legacy_parser_.PNG

           

          Under the Advanced Syslog Parser, filter for the Iron Mail Legacy Parser.

          You can copy the packet data and run it through one of the parsers available to see if it is being parsed out. Or copy one of them and modify it to your requirement to have the data parsed out.

           

           

          Hope this helps.

          Regards,

          Japie