Template E-Mail Retrieve a specific word from InternalNewToolData.ExtraneousInfo

Lio23

Hi team, 

We have some logs coming in from Stormshield and I want to create Rules off of the ones that were generated by specific firewall rules. 
I would like to recover a specific word instead of the entire content.
For example: we have a block list of IP addresses that attempt to access over ssh, the firewall rule block proto=ssh .
These logs are fed into SEM and I can see the text that contains the attacker source ip “modsrc=XXX.XXXX.XXX.XXX” in the 
ExtraneousInfo field of the ICMPTrafficAudit event types.
However, when I create a rule, I don't see an option for "Contains". The objective is to create and retrieve only words “modsrc=XXX.XXXX.XXX.XXX” which 
contains the Source IP address which appear in the Information field instead of the whole content, is this possible?

steve10

I don't know about your setup but I would not do it that way.  I have our firewall set to detect brute force logons and I block the attacker using the firewalls capabilities.  I will still look at the alerts on the SEM for the attack and I may follow up with the ISP hosting the attacker if it is Digital Ocean or another US based ISP/server hosting firm.  If you wish to use your method you could always have an alert sent and parse that with powershell or some other automation tool to extract the IP from the content. probably have to setup a email box just for those, we do that for items that need ticket opened.  The SEM sends an email to Deskpro and the body of the email is extracted for the ticket notes. (outage, failure of service, etc.)