This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

ESA alerts Report

RenatoAbreu
Beginner
Beginner

‎2016-09-22 04:01 PM

Hi all,

 

I am trying to create a report containing the alerts generated by the ESA rules for some range of time (e.g last 5 days).

The idea is to generate a report with the alert informations shown on the picture below (Severity, Alert Name, Count, etc).Alert Summary.PNG

 

Could anybody help me with this?

 

Thanks in advance.

15 REPLIES 15

JoeGumke
Beginner
Beginner

‎2016-09-22 04:34 PM

The only resolution for your ask that i'm aware of is to setup syslog notification for EACH and every alert and point to your syslog receiver on the alerts within the ESA, check the output notifications for syslog. Then take that reingestion and create a report from that information.

MihaMesojedec
Employee
Employee

‎2016-09-23 03:35 AM

What Joe explained is currently only option you have right now.

10.6.2 should include option to create report on ESA (queries ESA).

 

Thanks,

Miha

RenatoAbreu
Beginner
Beginner

‎2016-09-23 08:09 AM

Thank you Joe and Miha.

 

I understood. I will try the Joe's resolution until the 10.6.2 release comes out.

 

Thank you very much.

0 Likes

MarcinGryga
Beginner
Beginner
In response to MihaMesojedec

‎2016-09-23 08:09 AM

Miha,

 

Do you know release date for 10.6.2 ? My customers are also asking for this feature.

0 Likes

JohnTyson1
Beginner
Beginner
In response to MihaMesojedec

‎2017-03-29 07:34 PM

Is this built into 10.6.2.0?  Can you point me to a link?

0 Likes

JohnTyson1
Beginner
Beginner
In response to JohnTyson1

‎2017-03-29 08:21 PM

I think I found what I was looking for here RSA Security Analytics Reporting Guide starting on pg 114.

There must be some config issue where the reports app is not able to access the IMDB.

 

pastedImage_2.png

0 Likes

JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2017-04-04 05:37 PM

John,

 

The IMDB is for connecting to Envision databases not for connecting to the ESA database to create reports. I know there was mention that 10.6.2 allows the creation of reports from ESA's Summary page but as of 10.6.2.2 you still cannot create reports directly from the Summary page data. The only way to do reports is to feed the alerts back into the Log Decoder, via syslog as the alerts happen, and use the Reporting Engine against the normal Netwitness Services (Concentrator/Broker).

0 Likes

MichaelPochan
Beginner
Beginner
In response to JohnKisner

‎2017-04-05 03:05 PM

There is a plan though for future versions to create reports off of ESA alerts though? The big use case would be creating reports of the domains detected through the context hub's/ESA's automated C&C detection process. 

0 Likes

EricPartington
Employee
Employee

‎2017-04-05 05:47 PM

I'm pretty sure you can report off both the ESA( Alert) and the IM (incident) tables in 10.6.2.2. 

IPDB is the envision database

 

currently the query that you could use to get prett close to that summary image in ESA (alert summary) is the following

summarize: custom

from: alert

 

select alert.name, alert.severity,count(alert.numEvents)

where alert.name exists

select your order by column

 

some things to note:

  • the timestamp shown in the UI reflects your UTC offset, the report does not (it shows UTC times)
  • the severity is a string in the alert summary, it is a integer in the report
  • for some reason your count  column needs to be at the end of the select string or you get a weird error about string offset -1
  • including the last event time seems to mess up the counts as it creates a line item for each unique timestamp (you cant have two aggregates in the same statement either)

2017-04-05_17h14_25.png

 

 

 

2017-04-05_17h46_03.png

© 2022 RSA Security LLC or its affiliates. All rights reserved.