Data Source rules are rules specific to a data source type. There are three primary types that will typically generate a lot of data source rules; these are "auto Learned" for the SIEM.
For Windows event logs, they will get parsed and added as data source rules, e.g. if you have a custom service creating events in the security event log, and you are gathering the security event log.
Then vulnerability data sources (Rapid7, Nessus, etc.) will generate data source rules from the scan results data.
Then lastly you will have data source rules auto generated by data sources that are syslog sources where you specified in the data source definition the option "Support Generic Syslogs - Process as generic syslog". This typically bombs out the data source rules if you leave this option on, as it will instantiate a DS rule per line of syslog. Only use the "parse as generic syslog" option TEMPORARILY. Then write a regex ASP parser rule, ensure you enable that new ASP rule in the Policy you have associated with the "parse as generic syslog" data source, then set that data source to "Support Generic Syslogs - Do nothing" and roll out policy.
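The following is an added illustration of the point made in the answer above, not code from the thread or from the SIEM vendor: with generic syslog processing every distinct message body becomes its own learned rule, whereas a regex parser rule maps many lines onto one rule and extracts fields. The sample syslog lines, rule names and regexes are constructed for this example and do not reflect the product's actual ASP rule format.

```python
"""Why 'Process as generic syslog' inflates data source rules, and why a regex
parser collapses them. Constructed example; rule names and regexes are
hypothetical and are not the SIEM's own ASP syntax."""
import re
from collections import Counter

# Constructed sample syslog lines (hosts and addresses are made up; IPs are from
# the RFC 5737 documentation ranges).
SAMPLE_SYSLOG = [
    "<38>Jan 10 12:00:01 fw01 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "<38>Jan 10 12:00:04 fw01 sshd[1201]: Failed password for admin from 203.0.113.5 port 51240 ssh2",
    "<38>Jan 10 12:00:09 fw01 sshd[1203]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2",
    "<38>Jan 10 12:01:13 fw02 sshd[2210]: Failed password for root from 203.0.113.9 port 51300 ssh2",
    "<38>Jan 10 12:01:20 fw02 sshd[2215]: Accepted publickey for deploy from 198.51.100.7 port 40030 ssh2",
    "<30>Jan 10 12:02:00 fw01 cron[77]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)",
]

# Splits a BSD-style syslog line into the application name and the message body.
SYSLOG_HEADER = re.compile(
    r"^<\d+>\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<app>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def generic_syslog_rules(lines):
    """Emulates 'Support Generic Syslogs - Process as generic syslog': with no
    parser to normalise the message, every distinct message body is learned as
    its own data source rule. Returns the set of learned rule keys."""
    learned = set()
    for line in lines:
        m = SYSLOG_HEADER.match(line)
        learned.add(m.group("msg") if m else line)
    return learned


# Hypothetical custom parser rules: (rule name, regex with named capture groups).
PARSER_RULES = [
    ("SSH login failed",
     re.compile(r"^Failed password for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")),
    ("SSH login accepted",
     re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")),
]


def regex_parser_rules(lines, rules=PARSER_RULES):
    """Emulates a regex parser rule: each line that matches is attributed to
    that one rule (many lines, one rule) and its fields are extracted.
    Returns (Counter of hits per rule name, list of unmatched message bodies).
    With 'Support Generic Syslogs - Do nothing' the unmatched lines would not
    spawn a new rule each."""
    hits = Counter()
    unmatched = []
    for line in lines:
        m = SYSLOG_HEADER.match(line)
        msg = m.group("msg") if m else line
        for name, rx in rules:
            fields = rx.match(msg)
            if fields:
                hits[name] += 1
                break
        else:
            unmatched.append(msg)
    return hits, unmatched


if __name__ == "__main__":
    print(len(generic_syslog_rules(SAMPLE_SYSLOG)), "rules learned with generic syslog processing")
    hits, unmatched = regex_parser_rules(SAMPLE_SYSLOG)
    print(dict(hits), "unmatched:", unmatched)
```

Running it shows six learned rules for six lines under generic processing, against two parser rules covering five of the lines (the cron line stays unmatched, which is where "Do nothing" stops the rule count from growing).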
Can I disable auto Learned?
If Support Generic Syslogs is configured as "log Unknown...", will auto Learned still work?
No way that I know of.
Log unknown will lump all into the generic "rule message".
So if I have a syslog data source and I want to avoid auto Learned, I need to configure Support Generic Syslogs as "do nothing"?
Did you create a custom ASP parser rule? Did you write the DS config to the receiver and re-roll out policy?
These data source rules are created as part of ASP, auto learned. What are you trying to achieve?
Yes, the ASP rules are working fine,
but I don't understand why I have these DS auto Learned rules.
What do you mean by "write the DS config to the receiver"?