Thanks Eric, very cool and helpful! So the use case I am doing is leveraging an ESA rule that is pretty much building a list any time powershell.exe is run (not sure if this covers it while run in memory with, say, powerpick or something). I simply wanted to create a report of the users/service accounts/machines that are invoking PowerShell, for validation purposes.
There may be a better way, but this is allowing me to get some practical experience with these application interconnections.
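The kind of report the post above describes, as an added stand-alone example that is not NetWitness or ESA code. It aggregates constructed process-creation and image-load events (a made-up JSON-lines schema, not real NetWitness meta) by user, host and image, matching the PowerShell host executables by name. It also addresses the caveat raised in the post: an in-memory host such as PowerPick never starts powershell.exe, so an image-name rule alone misses it; the rough heuristic used here, which is an assumption rather than anything from the thread, is to flag a non-PowerShell image that loads the System.Management.Automation engine DLL.

```python
"""Report which users/hosts invoke PowerShell, from constructed sample events.

Added example, not code from the original thread or from NetWitness. The event
format is an invented JSON-lines schema; adapt the field names to your source.
"""
import json
from collections import Counter

# Executables that are legitimate PowerShell hosts (matched on basename).
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Engine DLL loaded by in-memory hosts (PowerPick-style) that never spawn
# powershell.exe. Flagging non-PowerShell images that load it is a heuristic
# assumed for this example, not a NetWitness rule.
AUTOMATION_DLL = "system.management.automation"

# Constructed sample events (not real logs). Raw strings keep the JSON
# backslash escapes intact.
SAMPLE_EVENTS = [
    r'{"event":"process_create","host":"WS01","user":"CORP\\alice","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"explorer.exe"}',
    r'{"event":"process_create","host":"WS01","user":"CORP\\alice","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"cmd.exe"}',
    r'{"event":"process_create","host":"SRV02","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"services.exe"}',
    r'{"event":"process_create","host":"WS03","user":"CORP\\bob","image":"C:\\Windows\\System32\\notepad.exe","parent":"explorer.exe"}',
    r'{"event":"image_load","host":"WS03","user":"CORP\\bob","image":"C:\\Users\\bob\\tool.exe","module":"C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll"}',
    r'{"event":"image_load","host":"WS01","user":"CORP\\alice","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","module":"C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll"}',
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return 'process' for a PowerShell host launch, 'inmemory' for a
    non-PowerShell image loading the automation engine, else None."""
    kind = event.get("event")
    image = basename(event.get("image", ""))
    if kind == "process_create":
        return "process" if image in POWERSHELL_HOSTS else None
    if kind == "image_load":
        module = basename(event.get("module", ""))
        if AUTOMATION_DLL in module and image not in POWERSHELL_HOSTS:
            return "inmemory"
    return None


def build_report(lines):
    """Count invocations per (user, host, image), split into the two classes."""
    report = {"process": Counter(), "inmemory": Counter()}
    for line in lines:
        ev = json.loads(line)
        cls = classify(ev)
        if cls is not None:
            report[cls][(ev["user"], ev["host"], basename(ev["image"]))] += 1
    return report


def render(report):
    """Plain-text lines suitable for a validation report."""
    out = []
    for cls, label in (("process", "powershell host started"),
                       ("inmemory", "automation engine loaded by non-PowerShell image")):
        for (user, host, image), n in sorted(report[cls].items()):
            out.append(f"{label}: user={user} host={host} image={image} count={n}")
    return out


if __name__ == "__main__":
    for line in render(build_report(SAMPLE_EVENTS)):
        print(line)
```

The second class is deliberately separate in the output so the validation report can treat it as "review this" rather than as a confirmed PowerShell launch: legitimate .NET applications can also load the automation assembly, so that heuristic needs tuning against your own environment before it is used as an alert.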
I am trying to use the suggested method of using IMDB as a data source to export a report for the alerts. However, it doesn't allow me to choose the option "from". I see that the meta section keeps loading. Am I missing something?
As per your instructions, I was trying to create the same report via the "NetWitness" rule type. When I create the report, no "from: alert" field appears, so I have left this out and taken all the remaining fields. When I test this report I get the message below.
Error occurred while fetching data from source 'SA - Broker[127.0.0.1]'. Error details : Error occurred while fetching data from devices connected to 'SA - Broker[127.0.0.1]'. Please check logs for more details.