This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Report from IPDB

Anonymous
Not applicable

‎2014-03-21 04:12 AM

Hello,

 

Somebody can help me retrieve events from IPDB located at RSA enVision ES? I read and do all what I find here: https://sadocs.emc.com/0_en-us/095_10.3_User_Guide/13_Device_and_Service_Configuration/IPDB_Extractor_Service_Configurat…

 

I retrieve devicelist, but can't rectrieve data (events). If I create simpe rule, for example "select ip.src, ip.dst" and "where event.cat.name like '%'" and event source - my devicelist - I receive blank report. I try written any terms in where field and all time I receive blank report.

0 Likes
21 REPLIES 21

RSAAdmin
Beginner
Beginner
In response to huanzhou1

‎2014-04-07 08:49 AM

Hi,

Can you show the rule that does work with ES? I connected ES+DAS but no luck with reports on IPDB data (DAS is not supported but can be used you just won't get rsa support on that)

0 Likes

Anonymous
Not applicable
In response to huanzhou1

‎2014-04-07 09:02 AM

SQL select in ENVISION:

 

EventCategoryName = 'User.Activity.Failed Logins' AND Process = 'NtLmSsp'

 

Return me 7 items.

 

How can see this select in SA?

 

Where: event.cat.name = 'User.Activity.Failed Logins' AND process = 'NtLmSsp'

 

Not return me result, I see "No Values Available For The Rule."

0 Likes

huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-04-07 09:12 AM

what's your timezone settings? can you share your rule and rule testing screenshot?

0 Likes

Anonymous
Not applicable
In response to huanzhou1

‎2014-04-07 10:27 AM

I have IPDB datasource and devicelist:

 

Image 19.jpg

0 Likes

huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-04-07 10:35 AM

last issue i had also, i can get device list bt not able to events. but that one was with multiple storages.

can share your rule?

0 Likes

Anonymous
Not applicable
In response to huanzhou1

‎2014-04-07 10:45 AM

My timezone at appliance - UTC+4 (MSK), in UI - Profile -> Prefference -> Browser Time Zone: Europe/Moscow (GMT+04:00).

Rulу and result testsing attached.Image 20.jpg

Image 21.jpg

0 Likes

huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-04-08 11:30 AM

can you remove the where statment and see anything? or increase the time window?

0 Likes

Anonymous
Not applicable
In response to huanzhou1

‎2014-04-10 01:45 AM

This is not solve problem and give equal result.

0 Likes

huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-04-11 11:17 AM

now i've no idea already. Have you openeed support?

I  had issue with multiple storage as well, case opened with support two weeks already but no solution.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.