2019-02-11 11:19 AM
I don't find the destination username metakey available for grouping alerts with incidents.
Many use cases, for instance 'Multiple login failures followed by a successful login' or 'Continuous login failures', etc. have users mapped uniquely to the destination user metakey.
This makes this metakey important for grouping alerts of a particular type or name.
Yet, this option is missing within an incident creation template.
Is there any way to group alerts to an incident by destination user?
Also, device IP is not available as an option for such groupings.
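To make the grouping question concrete, here is an added example (not code from the thread or from RSA NetWitness) that models the 'Multiple login failures followed by a successful login' use case in plain Python over a few constructed events. The meta key names used as dictionary keys (user.dst, ip.src, device.ip, ec.outcome, time) are assumed NetWitness-style names for illustration, and the correlation logic is a stand-alone model of the rule, not the ESA engine. Running it with the destination user as the group key fires on the account that was attacked from several source addresses, while running it with the source IP as the group key fires on nothing, which is why the destination user is the natural key for grouping these alerts.

```python
"""
Model of 'multiple login failures followed by a successful login',
grouped per destination user account.  Added example, not from the
thread.  Meta key names (user.dst, ip.src, device.ip, ec.outcome,
time) are assumed NetWitness-style names; the rule logic is a plain
Python stand-in for the correlation, not NetWitness code.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs).  Times are ISO-8601, same zone.
SAMPLE_EVENTS = [
    {"time": "2019-02-11T11:00:00", "user.dst": "jdoe",   "ip.src": "10.0.0.5", "device.ip": "10.1.1.10", "ec.outcome": "Failure"},
    {"time": "2019-02-11T11:00:20", "user.dst": "jdoe",   "ip.src": "10.0.0.6", "device.ip": "10.1.1.10", "ec.outcome": "Failure"},
    {"time": "2019-02-11T11:00:40", "user.dst": "jdoe",   "ip.src": "10.0.0.7", "device.ip": "10.1.1.11", "ec.outcome": "Failure"},
    {"time": "2019-02-11T11:01:05", "user.dst": "jdoe",   "ip.src": "10.0.0.7", "device.ip": "10.1.1.11", "ec.outcome": "Success"},
    {"time": "2019-02-11T11:02:00", "user.dst": "asmith", "ip.src": "10.0.0.9", "device.ip": "10.1.1.10", "ec.outcome": "Failure"},
    {"time": "2019-02-11T11:02:30", "user.dst": "asmith", "ip.src": "10.0.0.9", "device.ip": "10.1.1.10", "ec.outcome": "Success"},
    {"time": "2019-02-11T11:20:00", "user.dst": "bwong",  "ip.src": "10.0.0.3", "device.ip": "10.1.1.12", "ec.outcome": "Failure"},
    {"time": "2019-02-11T11:20:10", "user.dst": "bwong",  "ip.src": "10.0.0.3", "device.ip": "10.1.1.12", "ec.outcome": "Failure"},
    {"time": "2019-02-11T11:20:20", "user.dst": "bwong",  "ip.src": "10.0.0.3", "device.ip": "10.1.1.12", "ec.outcome": "Failure"},
    {"time": "2019-02-11T11:40:00", "user.dst": "bwong",  "ip.src": "10.0.0.3", "device.ip": "10.1.1.12", "ec.outcome": "Success"},
]


def _ts(event):
    """Event timestamp as a datetime (assumed ISO-8601 in the 'time' key)."""
    return datetime.fromisoformat(event["time"])


def failures_then_success(events, group_key="user.dst", min_failures=3,
                          window=timedelta(minutes=10)):
    """Return one alert per group_key value that shows >= min_failures
    login failures inside `window` immediately before a successful login.

    Failures older than the window are discarded, so a success that comes
    long after a burst of failures does not fire (the bwong case below).
    A success always resets the per-key failure history.
    """
    alerts = []
    recent_failures = defaultdict(deque)   # group value -> failures still in window
    for ev in sorted(events, key=_ts):
        key = ev.get(group_key)
        if key is None:
            continue                        # cannot group without the key
        now = _ts(ev)
        history = recent_failures[key]
        while history and now - _ts(history[0]) > window:
            history.popleft()               # expire failures outside the window
        outcome = ev.get("ec.outcome")
        if outcome == "Failure":
            history.append(ev)
        elif outcome == "Success":
            if len(history) >= min_failures:
                alerts.append({
                    group_key: key,
                    "failures": len(history),
                    # the attacking addresses behind the failures
                    "source_ips": sorted({e["ip.src"] for e in history}),
                    # the log sources (Detector IP) that saw the activity
                    "detector_ips": sorted({e["device.ip"] for e in history}
                                           | {ev["device.ip"]}),
                    "success_time": ev["time"],
                })
            history.clear()
    return alerts


if __name__ == "__main__":
    for a in failures_then_success(SAMPLE_EVENTS):
        print(a)
    print("grouped by ip.src:", failures_then_success(SAMPLE_EVENTS, group_key="ip.src"))
```

With the constructed input, grouping by user.dst produces a single alert for jdoe (three failures from three different source addresses, then a success), asmith does not reach the threshold, and bwong's failures are expired by the time the success arrives. Grouping the same events by ip.src produces no alert at all, because each source address contributed only one failure against jdoe.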
2019-02-11 02:06 PM
Hi Visham,
What version of NetWitness are you running?
In version 11.x, both those meta keys are available OOTB as grouping options.
Within the Group By dropdown menu in 11.x, the destination user is labeled as Destination User Account and the Device IP is labeled as Detector IP Address:
Additionally, you can add any other arbitrary, custom meta keys for aggregation and/or grouping - guide here: https://community.rsa.com/community/products/netwitness/blog/2018/06/21/creating-custom-group-by-and-match-condition-fields-for-respond-server
2019-02-12 05:46 AM
Hi Joshua,
I'm running RSA SA 10.6.4.1.
I can see Detector IP Address, but not Destination User Account.
Also, do you have the guide to add these custom metakeys for Group By in 10.x?
2019-02-19 02:35 PM
2019-02-21 01:59 PM
Also consider planning for an upgrade to the latest 10.6 version so that you are supported for as long as you can be.
Product Version Life Cycle for RSA NetWitness Logs & Network