This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

First event of each event source

MaximilianoCitt
Frequent Contributor
Frequent Contributor

‎2017-12-28 07:55 AM

I have a customer running NW for Log and he needs to know the date and time of the first event saw in the platform for each event source... How can I achieve that?

 

Thanks in advance

Max

0 Likes
2 REPLIES 2

robertofasciani
Beginner
Beginner

‎2018-01-02 05:32 AM

Hello Max,

you should use a report with:

 

Rule Type: NetWitness DB

Name: First event of each event source

Summarize: Custom

Select: event.source, first(time)

Where: event.source exists

Group by: event.source

 

Ciao Roberto

 

PS:

not all events have event.source metadata, If you are interested in all the events saw in the platform, you should use device.ip or device.host instead of  event.source

0 Likes

MaximilianoCitt
Frequent Contributor
Frequent Contributor
In response to robertofasciani

‎2018-01-02 08:24 AM

Ciao Roberto, thank you so much for your response. I going to try it and I will let you know the results.

Regards,

Max

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.