2013-12-05 11:57 AM
I see a bunch of new feeds. Some are for the Log Collector, which makes sense for updated configs. There are others that were added on Nov 21st, 2013. They are all tagged as "Other" and seem a lot like alerts or correlation rules.
I am currently running 10.2 SP2. Are these rules for the new feature that overtook CEP? Otherwise, they are not saying I can deploy them on my network.
Just curious thanks!
2013-12-05 12:36 PM
Do you have a few specific examples on the feeds? If so I can try to get the right person to help out.
-Seth
2013-12-05 12:44 PM
Those are a few of them. The ones that really caught my eye, because I was going to try and create them myself, were "User account created, logged in, and deleted within an hour", "Audit log cleared" and "Detect Port Knocking". Again, I am on 10.2 SP2; no, I do not have the new ESA.
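Added example, not code from the thread or from RSA: a Python sketch of what the three rule names above amount to as correlation logic, run over constructed sample events. Event names, fields, the one-hour and ten-second windows and the knock sequence 7000/8000/9000 are all assumptions made for the example; whatever form RSA ships these rules in, the matching conditions are the part worth understanding before building your own.

```python
from datetime import datetime, timedelta

# Constructed sample events, not data from Security Analytics or ESA.
# Each tuple: (timestamp, event_name, account_or_host, detail)
EVENTS = [
    (datetime(2013, 12, 5, 10, 0), "account_created", "svc_tmp", "by admin"),
    (datetime(2013, 12, 5, 10, 12), "logon_success", "svc_tmp", "host=ws01"),
    (datetime(2013, 12, 5, 10, 40), "account_deleted", "svc_tmp", "by admin"),
    (datetime(2013, 12, 5, 9, 0), "account_created", "jsmith", "by hr"),
    (datetime(2013, 12, 5, 9, 30), "logon_success", "jsmith", "host=ws02"),
    (datetime(2013, 12, 5, 14, 0), "account_deleted", "jsmith", "by hr"),  # 5 h later: benign
    (datetime(2013, 12, 5, 11, 5), "audit_log_cleared", "srv01", "by backup_op"),
]


def account_created_used_deleted(events, window=timedelta(hours=1)):
    """Rule 1: the same account is created, logs in, and is deleted within `window`.
    Returns a list of (account, created_at, deleted_at)."""
    alerts = []
    state = {}  # account -> (created_at, seen_logon)
    for ts, name, subject, _ in sorted(events):
        if name == "account_created":
            state[subject] = (ts, False)
        elif name == "logon_success" and subject in state:
            state[subject] = (state[subject][0], True)
        elif name == "account_deleted" and subject in state:
            created, seen_logon = state.pop(subject)
            if seen_logon and ts - created <= window:
                alerts.append((subject, created, ts))
    return alerts


def audit_log_cleared(events):
    """Rule 2: any audit log clearing is worth an alert on its own; just surface who and where."""
    return [(subject, ts, detail) for ts, name, subject, detail in sorted(events)
            if name == "audit_log_cleared"]


# Constructed connection records: (timestamp, src_ip, dst_port)
T0 = datetime(2013, 12, 5, 12, 0, 0)
KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed knock pattern for the example
CONNS = [
    (T0, "10.0.0.5", 7000),
    (T0 + timedelta(seconds=1), "10.0.0.5", 8000),
    (T0 + timedelta(seconds=2), "10.0.0.5", 9000),
    (T0 + timedelta(seconds=3), "10.0.0.5", 22),     # service used after the knock
    (T0, "10.0.0.9", 7000),
    (T0 + timedelta(seconds=30), "10.0.0.9", 8000),  # too slow, partial sequence expires
    (T0 + timedelta(seconds=31), "10.0.0.9", 9000),
    (T0 + timedelta(seconds=5), "10.0.0.7", 22),
]


def detect_port_knock(conns, sequence, window=timedelta(seconds=10)):
    """Rule 3: one source hits the closed ports in `sequence`, in order, within `window`.
    Returns a list of (src_ip, time_sequence_completed)."""
    hits = []
    progress = {}  # src_ip -> (index of next expected port, time of first knock)
    for ts, src, port in sorted(conns):
        idx, start = progress.get(src, (0, ts))
        if idx and (ts - start > window or port != sequence[idx]):
            idx = 0  # stale or out-of-order knock: start over from the first port
        if port == sequence[idx]:
            if idx == 0:
                start = ts
            idx += 1
            if idx == len(sequence):
                hits.append((src, ts))
                idx = 0
        else:
            idx = 0
        progress[src] = (idx, start)
    return hits


if __name__ == "__main__":
    for alert in account_created_used_deleted(EVENTS):
        print("short-lived account:", alert)
    for alert in audit_log_cleared(EVENTS):
        print("audit log cleared:", alert)
    for alert in detect_port_knock(CONNS, KNOCK_SEQUENCE):
        print("port knock sequence completed:", alert)
```

The first rule is the interesting one operationally: it only fires on delete, so an account that is created and used but never removed produces nothing, and the per-account state has to be expired or it grows without bound on a busy domain. The port-knock rule makes the opposite trade, resetting on any wrong port, which keeps state small but means a single stray scan packet from the same source hides a real knock.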
2013-12-05 01:11 PM
I might have found my answer. I clicked download and the extension was .esaa, so I am going to assume that is for the ESA.
2013-12-05 01:14 PM
You are correct, Sean. Type shouldn't be set to "Other". I'll get with the team and see what the issue is.
2013-12-05 01:25 PM
Thanks! I went ahead and filtered by "RSA Event Stream Analysis Alert". They all showed up, but they are still tagged for me as "Other" in the Type column. If you need any other testing, I will be happy to help.