2018-10-16 09:40 AM
Hi,
Is there an option in NetWitness to add data on specific IPs/users that show up in the logs and add them to some sort of database, so that we can have brief information on a specific IP and not need to resort to external lists.
Example:
The FW reported communication from 10.1.0.154 to a known botnet IP.
If we have the information regarding 10.1.0.154 in the system, we can immediately inform the person/department whose workstation it is, or, if no data is present, add it for future reference after investigating.
2018-10-17 06:12 AM
Well, NW really needs a normal asset database interconnected with all other services (ESA/RE/Respond), but it seems they still don't have it... anyway, you can try to find a workaround and use what they have...
- If you need asset information easily accessible in RE/ESA, there is not much choice but to use custom feeds to enrich parsed logs with new metadata
- for your example I would probably use context hub, although it will require a lot of effort... and I find it a bit glitchy, and you can't use it anywhere else but in investigation (if there is nothing new in the last version)
2018-10-17 06:39 AM
Hey Natan,
There are multiple ways you can add a Tag to some known BAD IPs that you see in Logs & Packets.
1. Using an APP rule - check this link 'https://community.rsa.com/docs/DOC-80199' - With this option you can tag either a single IP, an IP subnet or a regex, but not a list of IP addresses. The other two options below will let you create a list of BAD IP addresses.
2. Using Custom Feed - 'https://community.rsa.com/docs/DOC-79995'.
3. Using Context hub List - 'https://community.rsa.com/docs/DOC-80791'
Hope this helps.
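As an added example (not code from the thread or from NetWitness), the enrichment workaround the two answers above describe: a constructed asset feed CSV keyed on the IP enriches constructed firewall events, and hits on a known-bad destination are split into sources that have an asset record and sources that still need investigating. The feed columns, log format and bad-IP list are all hypothetical.

```python
import csv
import io
import re

# Constructed asset feed in the shape of a custom feed CSV: the first column is
# the lookup key (IP), the remaining columns become enrichment meta. Hypothetical data.
ASSET_FEED_CSV = """ip,owner,department,hostname
10.1.0.154,jdoe,Finance,FIN-WS-042
10.1.0.200,asmith,HR,HR-WS-007
"""

# Constructed watch list of known-bad destinations (placeholder addresses).
BAD_IPS = {"203.0.113.45"}

# Constructed firewall log lines in a hypothetical format.
FW_LOGS = [
    "2018-10-16T09:12:03Z fw01 ALLOW src=10.1.0.154 dst=203.0.113.45 dport=443",
    "2018-10-16T09:12:09Z fw01 ALLOW src=10.1.0.77 dst=203.0.113.45 dport=8080",
    "2018-10-16T09:12:15Z fw01 ALLOW src=10.1.0.200 dst=198.51.100.9 dport=80",
]

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)")


def load_asset_feed(text):
    """Index the feed by its first column; every other column becomes enrichment meta."""
    reader = csv.DictReader(io.StringIO(text))
    key = reader.fieldnames[0]
    return {row[key]: {k: v for k, v in row.items() if k != key} for row in reader}


def enrich(line, assets, bad_ips):
    """Parse one log line, attach asset meta for the source and flag bad destinations."""
    m = LOG_RE.search(line)
    if not m:
        return None
    event = {"src": m["src"], "dst": m["dst"], "dst_bad": m["dst"] in bad_ips}
    event["asset"] = assets.get(event["src"])  # None: investigate, then add to the feed
    return event


def triage(lines, assets, bad_ips):
    """Keep only events hitting a bad destination; split by whether the source is a known asset."""
    hits = [e for e in (enrich(l, assets, bad_ips) for l in lines) if e and e["dst_bad"]]
    known = [e for e in hits if e["asset"]]
    unknown = [e["src"] for e in hits if not e["asset"]]
    return known, unknown


if __name__ == "__main__":
    assets = load_asset_feed(ASSET_FEED_CSV)
    known, unknown = triage(FW_LOGS, assets, BAD_IPS)
    for e in known:
        print(f"notify {e['asset']['owner']} ({e['asset']['department']}) about {e['src']}")
    print("no asset record, investigate and add to the feed:", unknown)
```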
2018-10-17 07:31 AM
Hey Natan,
You can right-click on the meta value in Respond/Event Analysis and add it to the context hub list. Once you add it, the next time you view anything for that specific IP it will flag which context hub list it is in.
For details on how to add to a context hub list, refer to https://community.rsa.com/docs/DOC-80791
You can use the same context hub list in an ESA rule if an alert is to be generated whenever you see a specific meta value in the context hub list