2017-05-18 02:05 PM
Most of us are trying to add more event sources to get a better picture of what is going on on the wire. I have the opposite problem: I have too many events coming from the Windows and Cisco parsers. This problem is causing the alarm (see attachment 1). In fact, based on some research and browsing through the system, the volume of data is about 6-8 times bigger than the allowed volume!
Just to show you the source of the problem (the Cisco parser), which delivers plenty of meaningless data, see attachment 2.
A similar stream of meaningless data comes from Windows devices.
The question is how to decrease the volume of useless data on the NetWitness side without editing the parsers (as that may be very intrusive)? What do you do if you need to filter some of the data down to analyze only the meaningful ones?
2017-05-19 04:14 AM
Hi Roman,
You can filter these events easily with an app rule on the log decoder. Please find an example below. You can define rules like this for all the data that is meaningless to you.
2017-05-19 08:26 AM
Andreas, thank you.
What kind of editor do you use? When I use my Rule Editor I see the following:
===============
Roman Zeltser
Sr. IM Security Analyst
CDR Associates
307 International Circle
Suite 300
Hunt Valley, MD 21030
P: 410-560-2269 x.1261
rzeltser@cdrassociates.com
2017-05-19 08:30 AM
Hi Roman,
You need to go to the log or packet decoder and then select config. App Rules can then be configured on the App Rules tab.
2017-05-19 08:36 AM