Recently, a question came from a customer who wanted to know if it was possible to alert when a new device.ip started logging to RSA NetWitness. Thinking about it for a second it seemed like a good test of a new template that I was testing for ESA.
The rule, located here, does just that:
Add this rule in ESA in the advanced editor to create the rule.
It works as follows:
A window of a learning phase is created with the timer in the rule (1 day default)
In that learning window new device.ip + device.type are added to the window to create a known list of devices.
Once the learning window has expired the system alerts on any new combinations of device.ip and device.type that is seen after that.
Customizations that you possibly want to make would include changing the learning window timer from 1 day to longer (5 days potentially)
The data is kept in a named window and persisted to a JSON file on the ESA disk system in case there are restarts or service changes.
Alerts are created in ESA/Respond that can then be assigned work to validate that the new system was on-boarded properly and configured appropriately before closing.
