We would like to know how the multi-tenant model works for alerts and incidents in RSA Netwitness 11.3. Let's say we have 2 sites in different geographical locations. We want to see the alerts and incidents separately. Are there any options? Please let us know.
The only issue with using decoder ID (did) is that it does not exist on the decoder, so you can't use a feed or app rule to tag using that metakey, as it is only created when a concentrator aggregates from the decoder (the concentrator creates the did meta). You could put a special app rule that creates an ID that is unique on every decoder, or at least on each site's decoders.
Massimiliano Faudarole, in RSA Netwitness 11.4 there is a new component called "Analyst UI". I have the query below.
As per my original post, we are in the state to achieve multi-tenancy in alerts and incident data.
1) When we tried this component "Analyst UI" in our test environment, it contained dependent services like Broker, Reporting Engine, Respond Server, Investigation Server. Is there any option to separate alerts and incidents per customer using this component?
2) I believe that all the incident data is stored in the respond server; in this case the Netwitness Server has the inbuilt respond server (where currently all our incident data is stored). Is there any option to store incident data separately, like customer A data in the Netwitness Respond Server and customer B data in the Analyst UI Respond Server?