1 Reply Latest reply on Dec 18, 2014 6:19 AM by japie

    How to relate ASP rule with Data source


      Hello Everyone


      I have the following situation, I have integrated SIEM with a Ironmail and i received the event "SMTPO Service".



      I like to change the parsing for this event in order to identify a field, but i can't find the ASP Rule tha generate this particular Data source


      This is the Data Source



      But i don't know which Advanced Syslog Parser rule generates the Data Source


      In other cases it is easy because the parse rule have the same name that the data source, but in this case i don't have a clue how to relate one another.


      Thanks for the help.

        • 1. Re: How to relate ASP rule with Data source

          Hi Layer0Ironmail_legacy_parser_.PNG


          Under the Advanced Syslog Parser - filter for the Iron Mail Legcy Parser.

          You can copy the packet data and run it through one of the parsers availible to see if it is being parsed out. Or copy one of them and modify it to your requirement to have the data parsed out.



          Hope this helps.