Custom rule to detect specific payload and trigger alarm


Hello All,

I would like to have a custom rule, and detection should be based on payload. Example: if there is ABC in the payload, it should trigger an alarm. Any idea where I can configure this? I couldn't see a payload option in directives. Please guide.


  • I don't think the open source version can do this. You will probably have to write a custom plugin.
  • We are currently using USM, paid version. 
    This behavior is the same between OSSIM and USM here. Directives correlate on indexed event data. If the data is in userdataX fields, or any of the other indexed fields, then we can use that data in a directive.

    If we are not referring to data in an indexed field, then this would need to be accomplished via plugin customization.
  • In the SIEM, there is an option of Payload in the drop-down. This means that Payload is indexed? So shouldn't it pick up anything that is there in the payload?

    Further, from where can we look at the list of all the indexed fields?
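The "plugin customization" route mentioned in the replies above, shown as an added example that is not from the original thread or from the AlienVault product documentation: a minimal OSSIM/USM detector plugin config that pulls the interesting part of the payload out of the raw log line into userdata1, so that a directive can correlate on it as an indexed field. The plugin_id (9001), the log path, the application name "myapp" and the sample log line are all constructed placeholders for illustration.

```ini
# Constructed example: /etc/ossim/agent/plugins/myapp.cfg (path is an assumption)
# Sample raw line this plugin is written against (constructed):
#   Jun 14 10:22:01 appsrv01 myapp: session token=ABC user=alice
[DEFAULT]
# Placeholder id; custom plugins use an id that does not clash with shipped plugins
plugin_id=9001

[config]
type=detector
enable=yes
source=log
location=/var/log/myapp.log
create_file=false
process=
start=no
stop=no
startup=
shutdown=

# One rule per event shape. The third capture group only matches when the
# payload text contains the literal token ABC, and that text lands in
# userdata1, which directives can match on (unlike the raw payload).
[myapp - payload contains ABC]
event_type=event
regexp="(\S+\s+\d+\s+\d+:\d+:\d+)\s+(\S+)\s+myapp:\s+(.*ABC.*)"
date={normalize_date($1)}
device={resolv($2)}
plugin_sid=1
userdata1={$3}
# Keep the full line too, so analysts still see the original payload in the SIEM
log={$0}
```

With the event normalized this way, a directive rule for plugin_id 9001 / plugin_sid 1 can use the userdata1 attribute (an assumption about the directive XML, not confirmed by the thread) to raise the alarm only when that field is populated. Remember to add the plugin_id and plugin_sid to the plugin_sid table (via the SQL the agent expects) and restart the agent, otherwise the event is logged but not indexed.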

