This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Custom Dashboards

RSAAdmin
Beginner
Beginner

‎2014-12-14 06:20 AM

I’m trying to create custom dashboard for Business staff. Has anyone come across these scenarios?

  1. Any template for business specific dashboards
  2. Replacing output value of a query with a custom value. ( for example if the ip is in 10.1.0.0/16 range, replace the ip value with “HQ building”
  3. For pie charts is it possible to limit the values to a minimum (e.g. ‘5’) in dashboard
  4. How to replicate the changes made in dashboard across all other users who have access to the same.
  5. Can the option “regex” in rules can be tweaked to map an IP to a building, staff ID to a user etc. (I tried but it’s not giving the expected results)
  6. Geo-map location, does this require internet access to google maps from SA box or the connection is made locally from the PC which it is run

 

Just started using Security Analytics and I'm trying to get more insight into reporting part.

RSA Security Analytics for Logs 10.4.0.2

 

Thanks

0 Likes
4 REPLIES 4

Anonymous
Not applicable

‎2014-12-14 11:58 AM

A.  No templates that I am familiar with, but if you have ideas about what you would like in there, and we have meta for it, then it should be relatively straight forward.

 

B.  I typically use Feeds to map IP ranges to business specific data.

 

C.  I believe it is only a maximum setting...not a minimum.

 

D.  Each user is specific at this time, but you can export the Dashboard and import it for each user.  Agreed, this is something we can probably do a better job with moving forward and I will request this be added.

 

E.  See feed option

 

F.  Geo-Location is actually done with the geo-ip related dat files in /etc/netwitness/ng directory.

 

I am attaching a feed example.  It works best with packets.  For logs, you would use 2 feeds with meta callbacks for ip.src and ip.dst respectively.

network 2.zip

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-12-16 02:44 AM

Thanks, That was really helpful.

 

I have a query regarding feeds. If we input a list of IPs and their corresponding locations, will that be used for all IP fields like ip.src, ip.dst, ip.addr across all device types?

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2014-12-16 06:22 AM

No. Just ip.src or ip.dst. However, you can create a feed using just about any meta key. You would use a meta callback in those cases where it wasn't ip.src or ip.dst.

 

So, the csv might look the same but the xml might look at ip.addr instead.

 

Chris

 

Sent from my iPhone

RSAAdmin
Beginner
Beginner

‎2014-12-21 05:29 AM

Is it possible to embed a map showing attack geolocations in dashboard ?

 

Also i'm aware about Geolocation lookup under investigation tab, however the google earth plugin is not working. tried in 3 different PCs (Windows/Apple)

 

Do anyone have a screenshot of geolocation map, just wnat to see how it looks like so that i can decide if its worth to proceed

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.