This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How to effectively retroactively hunt IOCs

Anonymous
Not applicable

‎2021-12-22 09:50 PM

I've been given a list of IOCs to go hunting on. I can obviously add those to feed/list to alert and generate meta if in the future they are seen, but what's the best way to take those IOCs (about 50 at this stage) and retroactively go back through stored data and search for them?

0 Likes
3 REPLIES 3

drewjc
Occasional Contributor
Occasional Contributor

‎2022-04-04 04:58 PM

Hi Jeremy,

 

In my experience the reporting engine is the only efficient way to perform historic searching like you are describing. Essentially you'd add your IOCs to a list in the reporting engine and then create your matching rule and develop/run a report. The alternative would be using the REST API and scripting out a search that incrementally searches previous chunks of time going as far back as you need. 

0 Likes

Anonymous
Not applicable
In response to drewjc

‎2022-04-07 07:33 PM

Thanks for your reply. I was thinking along the same lines. 

And in thinking about it, I suppose that if I wanted to bring something to light to action immediately, I could have the reporting engine generate it's output as meta and then an ESA alert on that. Unless I'm remembering the capabilities of the reporting engine incorrectly.

drewjc
Occasional Contributor
Occasional Contributor
In response to Anonymous

‎2022-04-08 06:02 PM

Not sure if the reporting engine supports ESA notification based on generated reports, but at a minimum you could create a feed and ESA alert for matches of traffic being currently processed.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.