16 Replies Latest reply on Dec 21, 2016 5:02 PM by andy777

    ds rules

    izik

      hi

       

      Can someone please explain to me what the data source rules are?

      And why do I have so many DS rules on one data source?

       

      thanks

        • 1. Re: ds rules
          infoseced

          Data source rules are rules specific to a data source type.  There are three primary types that will typically generate a lot of data source rules; these are "auto learned" for the SIEM.

           

          For Windows event logs, they will get parsed and added as data source rules, e.g. if you have a custom service creating events in the Security event log and you are gathering the Security event log.

           

          Then vulnerability data sources (Rapid7, Nessus, etc.) will generate data source rules from the scan results data.

           

          Then lastly you will have data source rules auto-generated by data sources that are syslog sources where you specified, in the data source definition, the option "Support Generic Syslogs - Process as generic syslog".  This typically bombs out the data source rules if you leave this option on, as it will instantiate a DS rule per line of syslog.  Only use "parse as generic syslog" TEMPORARILY.  Then write a regex ASP parser rule, ensure that new ASP rule is enabled in the policy you have associated with the "parse as generic syslog" data source, set that data source to "Support Generic Syslogs - Do nothing", and then roll out policy.

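As an added example, not code from the original thread or from the product vendor: a small Python model of the three "Support Generic Syslogs" behaviours described in the reply above (process as generic syslog, log unknown, do nothing), run over a few constructed syslog lines. The ASP-style rule names, the regexes, the digit/IP masking used to key an "auto learned" rule, and the sample lines are all assumptions made for illustration; how the real product keys its auto-learned rules is not documented on this page. The point it demonstrates is the one the reply makes: with no parser rules and "process as generic syslog" on, every line that differs in any token becomes its own learned rule, whereas a handful of regex parser rules collapse the same traffic into a fixed set of named rules and leave only genuinely unknown lines to the generic setting.

```python
import re
from collections import Counter

# Constructed sample syslog lines for the example (not taken from the thread).
SAMPLE_LINES = [
    "<86>Mar 10 12:00:01 fw01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "<86>Mar 10 12:00:05 fw01 sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2",
    "<86>Mar 10 12:00:07 fw01 sshd[2241]: Failed password for root from 203.0.113.9 port 40023 ssh2",
    "<86>Mar 10 12:01:00 fw01 sshd[2250]: Accepted publickey for bob from 10.0.0.6 port 51235 ssh2",
    "<85>Mar 10 12:02:00 fw01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart rsyslog",
    "<30>Mar 10 12:03:00 fw01 customsvc[99]: heartbeat ok seq=17",
]

# Hypothetical "ASP-style" parser rules: (rule name, regex with named capture groups).
# These stand in for the regex ASP parser rules the reply says to write; the names are invented.
ASP_RULES = [
    ("SSH_LOGIN_OK", re.compile(
        r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")),
    ("SSH_LOGIN_FAIL", re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")),
    ("SUDO_COMMAND", re.compile(
        r"sudo: (?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")),
]

# RFC 3164-style header: <PRI>, timestamp, hostname, then the free-form message.
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
DIGITS = re.compile(r"\d+")


def generic_signature(msg):
    """Key under which a 'process as generic syslog' line would become a learned rule.
    Assumption for the model: IPs and digit runs are masked, every other token is kept,
    so lines that differ in a username or a path still produce distinct rules."""
    return DIGITS.sub("<n>", IPV4.sub("<ip>", msg))


def ingest(lines, rules, generic_mode):
    """Run lines through the parser rules, then apply the generic-syslog setting to the leftovers.
    generic_mode is one of 'process', 'log_unknown', 'do_nothing'.
    Returns (events, counts): parsed events for matched lines, and a Counter of rule name -> lines."""
    events, counts = [], Counter()
    for line in lines:
        hdr = SYSLOG_HEADER.match(line)
        if not hdr:
            counts["MALFORMED"] += 1
            continue
        msg = hdr.group("msg")
        for name, rx in rules:
            m = rx.search(msg)
            if m:
                events.append({"rule": name, "host": hdr.group("host"), **m.groupdict()})
                counts[name] += 1
                break
        else:
            if generic_mode == "process":        # one learned rule per distinct signature
                counts["AUTO:" + generic_signature(msg)] += 1
            elif generic_mode == "log_unknown":  # everything unmatched lumped into one rule message
                counts["UNKNOWN"] += 1
            elif generic_mode == "do_nothing":   # unmatched lines dropped, nothing learned
                pass
            else:
                raise ValueError("unknown generic mode: %r" % generic_mode)
    return events, counts


def learned_rule_count(counts):
    """How many auto-learned (AUTO:*) rules the run created."""
    return sum(1 for name in counts if name.startswith("AUTO:"))


if __name__ == "__main__":
    for rules, mode in ((ASP_RULES, "process"), ([], "process"),
                        (ASP_RULES, "log_unknown"), (ASP_RULES, "do_nothing")):
        _, counts = ingest(SAMPLE_LINES, rules, mode)
        print("%d parser rules, mode=%-12s learned=%d  %s"
              % (len(rules), mode, learned_rule_count(counts), dict(counts)))
```

The run with an empty rule list and `process` is the situation the reply warns about: six lines, six learned rules, because usernames and paths survive the masking. With the three parser rules loaded, the same input yields one learned rule (the `customsvc` heartbeat nobody wrote a parser for), and switching the setting to `log_unknown` or `do_nothing` stops even that one from being created.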
          • 2. Re: ds rules
            izik

            hi

             

            Can I disable auto learned?

             

            If Support Generic Syslogs is configured as "Log Unknown...", is auto learned still going to work?

            • 3. Re: ds rules
              infoseced

              No way that I know of.

               

              Log unknown will lump all into the generic "rule message".

              • 4. Re: ds rules
                izik

                So if I have a syslog data source and I want to avoid auto learned, I need to configure Support Generic Syslogs as "Do nothing"?

                • 5. Re: ds rules
                  infoseced

                  Yes

                  • 6. Re: ds rules
                    izik

                    hi

                    I think it is not working... take a look.

                    What do you think?

                    This is after I changed to "Do nothing" and deleted all the auto learned rules (as you can see, they pop up again).

                    [screenshot: 33.JPG]

                    • 7. Re: ds rules
                      infoseced

                      Did you create a custom ASP parser rule?  Did you write the DS config to the receiver and re-roll out policy?

                      • 8. Re: ds rules
                        sssyyy

                        These data source rules are created as part of ASP, auto-learnt. What are you trying to achieve?

                        • 9. Re: ds rules
                          izik

                          Yes, the ASP rules are working fine,

                          but I don't understand why I have these DS auto learned rules.

                           

                          What do you mean by "write the DS config to the receiver"?

                           

                          thanks
