This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

reporting engine from IMDB and event data access?

VladimirPrevin
Beginner
Beginner

‎2018-07-11 03:10 AM

hello,

 

wondering if for SA RE IMDB queries - is there any way to access event data in IMDB queries via RE? [when querying the alert collection]

e.g. alert.name,alert.events[0].threat_desc

or is it only the IM enriched groupby_
properties e.g.

alert.groupby_destination_country

 

 

{
"success": true,
"data": {
"destination_country": ["Australia"],
"groupby_type": "Log",
"user_summary": [""],
"groupby_domain": "blablalbalblabla",
"source": "Event Stream Analysis",
"type": ["Log"],
"groupby_source_country": "Romania",
"groupby_destination_country": "Australia",
"groupby_threat_source": "",
"signature_id": "xxxxx",
"groupby_filename": "",
"groupby_data_hash": "",
"groupby_event_desc": "",
"groupby_destination_ip": "alalalalala",
"groupby_threat_desc": "we have a custom group by group ignore this",
"groupby_source_ip": "snip",
"groupby_source_username": "",
"groupby_detector_ip": "xx.xx.xx.xx",
"events": [{

....."threat_desc":.......

0 Likes
2 REPLIES 2

VladimirPrevin
Beginner
Beginner

‎2018-07-11 03:12 AM

then again, maybe it's a bad idea and the normalization scripts are the place to take out any meta to access ...hmmm 

0 Likes

EricPartington
Employee
Employee

‎2018-07-11 08:29 AM

No, I am not aware of any way to access that event data from RE in IM database

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.