This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

ESA alerts Report

RenatoAbreu
Beginner
Beginner

‎2016-09-22 04:01 PM

Hi all,

 

I am trying to create a report containing the alerts generated by the ESA rules for some range of time (e.g last 5 days).

The idea is to generate a report with the alert informations shown on the picture below (Severity, Alert Name, Count, etc).Alert Summary.PNG

 

Could anybody help me with this?

 

Thanks in advance.

15 REPLIES 15

JohnTyson1
Beginner
Beginner
In response to EricPartington

‎2017-04-05 06:33 PM

Thanks Eric, very cool and helpful!  So the use case I am doing, is levering an ESA rule that is pretty much building a list anytime powershell.exe is run (not sure if this covers it while run in memory with say powerpick or something).  I simply wanted to create a report of the user/service account/machines that are evoking powershell for validation purposes.

There may be a better way, but this is allowing me to get some practical exp. on these app. interconnections.

0 Likes

MaximilianoCitt
Frequent Contributor
Frequent Contributor
In response to EricPartington

‎2017-04-06 12:14 PM

I have used the IMDB as data source on the Reporting Engine, but that only retrieve the "columns" of the alert or incident... there is any way to retrieve the related events of the alert?

0 Likes

UtsavSejpal
Beginner
Beginner
In response to EricPartington

‎2017-12-07 09:53 PM

Dear All,

 

I am trying to use the suggested method to use IMDB as a data source to export report for the alerts. However, it doesn't allow me to choose the option "from". I see that meta section keeps loading. Am I missing out something?

 

pastedImage_1.png

 

Thanks,

Utsav Sejpal

0 Likes

sachinsahu
Beginner
Beginner
In response to EricPartington

‎2018-01-31 11:00 PM

Hi Eric,

 

As per your instruction I was trying to create the same report via "NetWitness" Rules type, when I am creating the report then no any "from: alert" field is coming , I have left this and taken all remaining field. when I am testing this report getting message as below.

 

 

Error occurred while fetching data from source 'SA - Broker[127.0.0.1]'. Error details : Error occurred while fetching data from devices connected to 'SA - Broker[127.0.0.1]' . Please check logs for more details.

 

 

 

Kindly Help me for same.

 

Thanks

0 Likes

JoshRandall
Valued Contributor Valued Contributor
Valued Contributor
In response to UtsavSejpal

‎2018-02-01 12:36 PM

Nothing appears in the "From:" dropdown menu?

 

respond_rule.png

 

Have you added Incident Management as a Data Source in your Reporting Engine configuration?

 

My meta section loads once I select either alert or incident in the dropdown.


Mr. Mongo
0 Likes

JoshRandall
Valued Contributor Valued Contributor
Valued Contributor
In response to sachinsahu

‎2018-02-01 12:38 PM

Your rule type needs to be IMDB (Incident Management Database), not NWDB (NetWitness Database).


Mr. Mongo
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.