
Filter out false positives by what's in the payload and isn't parsed

MattyIce

I wanted to know how to make an exception to a rule by filtering on what's in the payload. For instance, if the phrase "attack blocked" was seen in the payload, or if I had a series of numbers such as in a Barracuda Web Filter log, 2 1 0 1 1. I would want the alert to be suppressed when there is either an "attack blocked" seen or when there is a "1" in the 4th position.

Neither of these is currently parsed out under any of the UserData fields. In theory, I would like for these to be populated in the UserData fields and use those to filter out the false positives.

Any advice would be great. Thank you.

Answers

  • I wasn't sure how to edit the field, so I'm writing it down here.

    My main focus is just where do I go to while in the AlienVault console to edit a UserData field.
  • MattyIce, you cannot modify the parsing from inside the console. You can see what event IDs are being parsed in Threat Detection -> Data Source -> barracuda-webfilter -> details.

    To add this level of parsing, you will need to modify the plugin to parse the data and create an event ID specific to your condition, and then use Policy to bypass risk assessment, or add the data into the userdata field and then create a directive to suppress an alarm based on lowering the risk value.
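As an added example (not part of the original thread, and not AlienVault's plugin code), here is the parsing and classification logic the answer above describes, written in Python so it can be tested offline before being translated into a plugin rule. The sample log lines are constructed, the field layout ("barracuda web-filter" followed by five numeric flags and free text) is an assumption about the Barracuda format, and the plugin_sid values and userdata field names are hypothetical. The rule captures the 4th numeric position into userdata1 and the "attack blocked" phrase into userdata2, and assigns a distinct event ID when either suppression condition is met, which is what would let a Policy bypass risk assessment for that event ID alone.

```python
import re

# Constructed sample events for testing; this is NOT real Barracuda Web Filter
# output, and the field order is an assumption about the log format.
SAMPLE_EVENTS = [
    "2023-01-01 10:00:00 fw1 barracuda web-filter 2 1 0 1 1 host=10.0.0.5 url=http://example.test/a",
    "2023-01-01 10:00:01 fw1 barracuda web-filter 2 1 0 0 1 host=10.0.0.6 url=http://example.test/b",
    "2023-01-01 10:00:02 fw1 barracuda web-filter 3 0 0 0 1 attack blocked host=10.0.0.7 url=http://example.test/c",
    "2023-01-01 10:00:03 fw1 some-other-source this line does not match at all",
]

# Regex equivalent of a plugin rule: capture five numeric flags after the
# source tag, plus the remainder of the message for the phrase check.
EVENT_RE = re.compile(
    r"barracuda web-filter (\d+) (\d+) (\d+) (\d+) (\d+)(?P<rest>.*)$"
)

# Hypothetical plugin_sid values; real ones would come from the plugin's SID table.
SID_DEFAULT = 1          # ordinary web-filter event, normal risk assessment
SID_KNOWN_FALSE_POSITIVE = 9001  # event ID a Policy can match to bypass risk assessment

SUPPRESS_PHRASE = "attack blocked"
SUPPRESS_POSITION = 3    # 0-based index of the "4th position" flag
SUPPRESS_VALUE = "1"


def parse_event(line):
    """Parse one log line into the fields a plugin rule would emit.

    Returns None when the line does not match the rule (it would fall through
    to other rules or to the plugin's generic rule), otherwise a dict with the
    chosen plugin_sid, the populated userdata fields and the suppression flag.
    """
    m = EVENT_RE.search(line)
    if not m:
        return None

    flags = [m.group(i) for i in range(1, 6)]
    rest = m.group("rest")

    phrase_seen = SUPPRESS_PHRASE in rest.lower()
    fourth_flag = flags[SUPPRESS_POSITION]
    suppress = phrase_seen or fourth_flag == SUPPRESS_VALUE

    return {
        "plugin_sid": SID_KNOWN_FALSE_POSITIVE if suppress else SID_DEFAULT,
        "userdata1": fourth_flag,                       # 4th numeric position
        "userdata2": SUPPRESS_PHRASE if phrase_seen else "",  # phrase, if present
        "flags": flags,
        "suppress": suppress,
    }


def triage(lines):
    """Run every line through the rule and report which would be suppressed.

    Returns (suppressed, kept, unmatched) as lists of the original lines.
    """
    suppressed, kept, unmatched = [], [], []
    for line in lines:
        event = parse_event(line)
        if event is None:
            unmatched.append(line)
        elif event["suppress"]:
            suppressed.append(line)
        else:
            kept.append(line)
    return suppressed, kept, unmatched


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(parse_event(line))
    s, k, u = triage(SAMPLE_EVENTS)
    print(f"suppressed={len(s)} kept={len(k)} unmatched={len(u)}")
```

The point of splitting the decision out into a separate event ID rather than only filling userdata is that a Policy can key on the plugin_sid directly, while a directive that inspects userdata1/userdata2 still has to fire and lower the risk afterwards. Whichever route is taken, run the real log sample through the rule first: a single misplaced field in the regex silently turns every event into either "always suppressed" or "never suppressed".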


