Rules (including the built-in Templates) live under Build -> Rules in the web console.
I don't see any existing rules relating to Broadcast Poisoning specifically, so a couple of things:
1) You will want to know/keep in mind that rules for the LEM are event driven.
2) For networking nodes the information is going to be sent to the LEM via a Syslog or SNMP trap.
If you have a device in your environment that will log an event and send it to the LEM about Broadcast Poisoning, it should be an easy thing to help set up the rule. Do you have this data already and can find it in nDepth?
If it's not event driven, what information are you looking for to determine this situation exists in your environment?
Depending on what you're trying to monitor for in the first place, you could find other related issues by using existing Template rules. For example, the Suspicious DNS Traffic rule could help you capture machines that are talking to an unapproved DNS server, which could be one of the components of an attack like this.