NetWitness Community

NijoDavid · ‎2018-12-11

Help me out to get the list of newly integrated devices from RSA SA. I have a VLC in my environment, If in case any devices are integrated to the VLC I should get an alert. Also if this could be brought into report that would also be fine.

NijoDavid · ‎2018-12-18

it is there I have confirmed the same

NijoDavid · ‎2018-12-19

We have confirmed the same.

NijoDavid · ‎2018-12-19

Esper deployment of module "New event source reporting to SA" (id=5c13587845ce02f457b526d0(default)) failed. Reason: Deployment failed in module 'whatsNewDeviceIP' in module url '5c13587845ce02f457b526d0' in expression '//store in the window @Name('Insert DeviceIP') INS...(313 chars)' : Error starting statement: Event type named 'whatsNewDeviceIP' has already been declared with differing column name or type information: Type by name 'whatsNewDeviceIP' in property 'alias_host' expected class [Ljava.lang.String; but receives class java.lang.String [//store in the window
@Name('Insert DeviceIP')
INSERT INTO whatsNewDeviceIP
SELECT device_ip, device_host, device_type, lc_cid, did, device_class, device_group ,cast(alias_host, string) as alias_host, time, medium FROM Event(device_ip IS NOT NULL AND device_ip NOT IN (SELECT device_ip FROM whatsNewDeviceIP))]

Another error I am receiving after that. Tried to change the name ,even after that the same is not working

EricPartington · ‎2018-12-19

Here is the same rule with the lc_cid removed to see if it deploys

module whatsNewDeviceIP;

/*

Rule Name: What's New for deviceIP

Author: Eric Partington

Modified: 2018-12-11

version: 3

*/

//Update learning phase to desired number of days

@Name('Named Window - learningWindowDeviceIP')

//@RSAPersist

CREATE VARIABLE integer lPhaseInDaysDeviceIP = 5;

CREATE WINDOW lPhaseDeviceIP.win:length(1) (learningPhase long);

INSERT INTO lPhaseDeviceIP

SELECT current_timestamp.plus(lPhaseInDaysDeviceIP days) as learningPhase FROM PATTERN[Event];

//Window to Store New Data

@Name('Named Window - whatsNewDeviceIP')

//testing this should be disabled to reset the window on a new push of the rule

@RSAPersist(serialization=Serialization.JSON)

CREATE WINDOW whatsNewDeviceIP.win:keepall().std:unique(device_ip) (device_ip string, device_host string, device_type string, did string, device_class string, device_group string, alias_host string, time long, medium string);

//store in the window

@Name('Insert DeviceIP')

INSERT INTO whatsNewDeviceIP

SELECT device_ip, device_host, device_type, did, device_class, device_group ,cast(alias_host, string) as alias_host, time, medium FROM Event(device_ip IS NOT NULL AND device_ip NOT IN (SELECT device_ip FROM whatsNewDeviceIP));

//compare to client stored in the window

@RSAAlert

SELECT device_ip, device_host, device_type, did, device_class, device_group, cast(alias_host, string) as alias_host, time, medium

FROM Event(device_ip NOT IN (SELECT device_ip FROM whatsNewDeviceIP) AND device_ip IS NOT NULL

AND current_timestamp > (SELECT learningPhase FROM lPhaseDeviceIP))

OUTPUT ALL EVERY 1 hours;

NijoDavid · ‎2018-12-20

Hi Eric,

This got deployed in our ESA successfully. Waiting for the alerts to pop up.Once its done I will confirm you.

EricPartington · ‎2018-12-20

It will wait for 5 days to learn what is logging then alert on anything new after 5 days

NijoDavid · ‎2018-12-26

Hi Eric , This is working. I could see that, after learning period if some devices that are already integrated and was not reporting starts reporting to SIEM, it also triggers an alert. Is there any way to stop that??

EricPartington · ‎2019-01-02

The rule ‘learns' for the period of time you set in the rule and whatever it sees in that period of time is added to the list of known. After that anything new that it has not seen will create an alert.

You can restart the rule with a longer learning period to catch more devices that log infrequently or change the rule logic to not alert on certain types. Other than that the rule is working as designed.

Eric

NetWitness Community

Alert for new device integration to VLC