This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Report rules based on alert root events

PavelIusco
Contributor
Contributor

‎2020-06-11 08:06 AM

Hello,

 

Is there a way in which you can generate reports/dashlets based on the root event(s) that caused an alert?

Rules using Respond DB as a source will not help since they are lacking in granularity. I want to generate some rules that will take the username, ip.src and device.id of the alert generators, this is not hard if you have simple rules that generate the alerts but becomes really impractical when you have complex correlation rules (as an example, i would like to report on the user.dst and ip.src from the root events that fired the "Multiple failed logins followed by a successful login" rule).

 

Any suggestion is greatly appreciated,

 

Pavel

0 Likes
3 REPLIES 3

WaleedAhmed
Contributor Contributor
Contributor

‎2020-06-11 08:20 AM

The simplest approach I can think of is forwarding the alert as syslog to a decoder and including, for example, the username, ip.source and device.id in the syslog template.

You will then be able to report on the alert meta while including the username,ip.src and device.id from the alert events.

0 Likes

PavelIusco
Contributor
Contributor
In response to WaleedAhmed

‎2020-06-11 08:43 AM

Thank you for your reply.

I had this option in mind. I was hoping there would be a better way than creating a syslog template for almost each ESA alert, since some alerts require information gathered from multiple events and you will need multiple templates containing, as an example, (shost=${events[0].host_src!" "})  where the events[0] becomes events[1], and, as a consequence, the templates will quickly become hard to manage/maintain.

I will give this option a try and see how feasible it is

0 Likes

PavelIusco
Contributor
Contributor
In response to WaleedAhmed

‎2020-06-15 04:37 AM

Hello,

I have come with a, in my opinion, more universal solution for this problem and i would like your thoughts for this.

I have made ESA forward the sessionid of the root events in the alert and then i am taking those root events, putting them in a new metakey called sessionid.alert. I will, therefore, use reporting engine in order to create a list that has the sessionid's of the root events and use that in order to create further rules.

 

I have also created an Ideea based on this:

 

 

Also, I have changed the name of this question so it better reflects the actual intent.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.