3 Replies Latest reply on Feb 25, 2016 1:07 AM by xded

    Alarm for Asset Vulnerable to event

    layer0

      Hello

      I want to create an alarm for the event "Asset Vulnerable to Event", signature ID 306-10. I need the alarm to provide the following information: the IPS event that generates the rule and the vulnerability that is exploited. However, when I try to create the alarm with this template:

      Alarm: [$Alarm Name]

      [$REPEAT_START]

      [$SOURCE_EVENTS_START]

      Rule Message: [$Rule Message]

      Src IP: [$Source IP]

      Dest IP: [$Destination IP]

      Vulnerability: [$%Vulnerability_References]

      [$SOURCE_EVENTS_END]

      [$REPEAT_END]

      When I receive the event, the fields are all blank.

        • 1. Re: Alarm for Asset Vulnerable to event
          xded

          Hi Layer0,

          try the same without:

          [$SOURCE_EVENTS_START]

          [$SOURCE_EVENTS_END]


          This Start --> End block is only for correlation events, not for Signature-ID-based alarms.

          • 2. Re: Alarm for Asset Vulnerable to event
            layer0

            Thanks

            But it didn't work; the alarm only shows information from the Asset Vulnerable to Event.

            I am using this template:

            **********************

            Device: Local ESM

            Rule Message: Asset Vulnerable to Event


            [$SOURCE_EVENTS_START]

            Device: Local ESM

            Rule Message: Asset Vulnerable to Event

            [$SOURCE_EVENTS_END]

            **********************

            For example, for the following event:

            (attached screenshot: asset vulnerable.PNG)

            The result is:

            **********************

            Device: Local ESM

            Rule Message: Asset Vulnerable to Event

            Device: Local ESM

            Rule Message: Asset Vulnerable to Event

            **********************

            I need the rule message of the IPS event.

            Is there a way?

            • 3. Re: Alarm for Asset Vulnerable to event
              xded

              Try this one:

              [$REPEAT_START]

              [$SOURCE_EVENTS_START]


              [$%Signature_Name]

              or

              [$%Rule_Name]

              [$SOURCE_EVENTS_END]

              [$REPEAT_END]