Hello Guys,
In RSA Net witness 10.6.5 we can able to classify the both DC & DR alert & we can able to see the both DC& DR alert in two different tab's in alert module , But however in RSA Netwitness 11.0 I cant able to see two differentiate tab for DC& DR in Respond module--> Alert.
Kindly help/suggest on the same.
Snap of 10.6.5:
Snap of 11.0:
Thanks,
Suresh K
Hello Joshua,
If we configured DC(Primary NW) & DR(Secondary NW) in one ESA module in NW we can able to see both classified DC&DR alert previously in V10.6.5 NW in alert module.
Below snap for your reference:
Can you please be more specific / include more details about what you are trying to do? What do you mean by "DC & DR alerts”? How exactly did these alerts look in 10.6.5 (raw alert output)?-- I want to classify DC& DR in alert module .
Kindly help/suggest me how to classify DC& DR in alert module.
Thanks,
Suresh K
Hi Suresh,
The Respond Server in 11.x does not currently have a way to view only alerts coming specific ESA sources. You can view a summary of each ESA service's enabled rules, last detection times, and other information at Configure à ESA Rules à Services:
The actual alerts, however, are only viewable in Respond, and as I noted above, there is not currently any method to view, sort, or filter alerts that are coming from different ESAs.
With that said, a potential workaround for your use case might be to aggregate alerts into incidents based on which ESA they are coming from. If you'd like to enable this, you can try the following steps:
- On each of your ESA's, find the file: /var/netwitness/esa/freemarker/message_bus.ftl
- Modify this file by adding:
- "source_esa": "DR ESA" , or
- "source_esa": "Primary ESA" , or
- "source_esa": "any_value_you_want"
- For example, on my Secondary ESA, my message_bus.ftl file now looks like:
<#include "macros.ftl">
{"events": <@json_value_of events/>, "engineUri": "${engineUri}", "instance_id": "${instance_id}", "detail": "${statement}", "source_esa": "Secondary ESA" }
- This produces a raw alert like this:
- Do this on each of your ESA's, giving them both a different "source_esa” value
- Next, on your Admin Server, locate the file "/var/netwitness/respond-server/data/aggregation_rule_schema.json”
- Modify this file by adding:
{
"value": "originalAlert.source_esa",
"name": "Source ESA",
"type": "textfield",
"operators": [0, 1, 8, 9, 10, 11, 12, 13],
"groupBy": true
},
- For example, I added that text at the top of my aggregation_rule_schema.json file, which looks like:
- After restarting my Respond Server, I can now select "Source ESA” within my Aggregation Rules as a matchCondition or groupBy value (or both):
- ….which creates Incidents like this:
