This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Reporting on Alerts (data)

VishamRawat
Beginner
Beginner

‎2018-08-23 08:36 AM

Is there a way to report on alerts, and the data contained within?

 

For example, I have several alerts for traffic to XYZ nation. Can I create a report on such alerts, listing all the variables within?

Or do I have to build the report manually, define its logic again, and then run it separately?

0 Likes
5 REPLIES 5

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2018-08-23 11:28 AM

Here is what I have done previously..

 

I have created a custom alerting template, then I add a syslog output to the rule and send the syslogs using the custom template into the log decoder.  

 

I also add the enclosed parser into the log decoder.  You will have a new device type called "netwitness_alerts"

 

Once you add this you will have a new meta set related to alerts that have fired.

 

You must add in an exclusion to all esa rules to exclude out the "netwitness_alerts" device types or you could end up in a circular loop.

 

Let me know if you have any other questions

 

Dave

 

 

 

 

Custom template -->

 

<#include "macros.ftl"/>
ESA|RSA|Security Analytics ESA|10.6.2|Alert|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as x> sessionid=${x.sessionid!" "} service=${x.service!" "} protocol=${x.ip_proto!" "} saddr=${x.ip_src!" "} sport=${x.tcp_srcport!" "} hostname=<#if x.alias_host?has_content><@value_of x.alias_host /></#if> daddr=${x.ip_dst!" "} dport=${x.tcp_dstport!" "} duser=${x.user_dst!" "} suser=${x.user_src!" "} fname=${x.filename!" "} filePath=${x.directory!" "}  dport=${x.udp_dstport!" "} action=${x.action!" "} eventdesc=${x.event_desc!" "} eventcomputer=${x.event_computer!" "} domain=${x.domain!" "} messageID=${x.msg_id!" "} group=${x.group!" "} ec.theme=${x.ec_theme!" "} ec.outcome=${x.ec_outcome!" "} ec.subject=${x.ec_subject!" "} ec.activity=${x.ec_activity!" "}</#list>  

 

v20_netwitness_alertsmsg.xml file contents ->

 

<?xml version="1.0" encoding="UTF-8"?>
<DEVICEMESSAGES
name="netwitness_alerts"
displayname="netwitnes_alerts"
group="System"
type="7104">
<VERSION
xml="1"
revision="1"
device="2.0"/>
<HEADER
id1="HDR1"
id2="HDR1"
content="&lt;hmonth&gt;&lt;hday&gt;&lt;htime&gt;&lt;hhost&gt;ESA|RSA|&lt;hproduct&gt;|&lt;hversion&gt;|&lt;messageid&gt;|&lt;!payload:hproduct&gt;"/>
<MESSAGE
id1="Alert"
id2="Alert"
content="&lt;product&gt;|&lt;version&gt;|Alert|&lt;application&gt;|&lt;rulename&gt;|&lt;level&gt;|rt=&lt;event_time_string&gt;id=&lt;index&gt;source=&lt;event_source&gt;sessionid=&lt;sessionid&gt;service=&lt;service&gt;protocol=&lt;protocol&gt;saddr=&lt;saddr&gt;sport=&lt;sport&gt;hostname=&lt;hostname&gt;daddr=&lt;daddr&gt;dport=&lt;dport&gt;duser=&lt;username&gt;suser=&lt;c_username&gt;fname=&lt;filename&gt;filePath=&lt;file_path&gt;dport=&lt;dport&gt;action=&lt;action&gt;eventdesc=&lt;event_description&gt;eventcomputer=&lt;event_computer&gt;domain=&lt;domain&gt;messageID=&lt;id1&gt;group=&lt;group&gt;ec.theme=&lt;ec_theme&gt;ec.outcome=&lt;ec_outcome&gt;ec.subject=&lt;ec_subject&gt;ec.activity=&lt;ec_activity&gt;"/>
</DEVICEMESSAGES>

 

 

netwitness_alerts.ini file contents->

 

DatabaseName=netwitness_alerts
DisplayName=netwitnes_alerts
DeviceGroup=System
DeviceType=7104

VishamRawat
Beginner
Beginner
In response to DaveGlover

‎2018-08-28 06:38 AM

Hi Dave,

 

Thanks for the method - never really thought of it this way.

 

Quick question though - is there a way to upload the .xml and .ini files to SA, without the use of the Log Parser Tool? Or will I have to import the parser file into the tool and then create a .envision package for upload and deployment?

0 Likes

JoshRandall
Valued Contributor Valued Contributor
Valued Contributor
In response to VishamRawat

‎2018-08-30 04:58 PM

You can upload the .xml and .ini files directly to Log Decoders at /etc/netwitness/ng/envision/etc/devices/<parser_name>, where <parser_name> is the same as the device.type meta value.

 

If you are using Dave's example from above, the <parser_name> would be netwitness_alerts.


Mr. Mongo

VishamRawat
Beginner
Beginner
In response to DaveGlover

‎2018-08-31 11:53 AM

Dave,

 

Can you maybe elaborate on this - You must add in an exclusion to all esa rules to exclude out the "netwitness_alerts" device types or you could end up in a circular loop.

 

I'm not quite sure what you mean here?

0 Likes

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor
In response to VishamRawat

‎2018-08-31 12:20 PM

Visham

 

OK lets follow the following work flow:

 

You have an alert rule which looks for connections to address 2.2.2.2.

 

Alert when ip.dst=2.2.2.2

 

Now one of your people connected to 2.2.2.2.

 

The alert fires and sends a syslog to the decoder with the following meta keys

 

device.type=netwitness_alerts, user=bob, ip.src=10.10.10.10, ip.dst=2.2.2.2

 

So now that meta is parsed, and now that meta is also sent to esa

 

Once that data is sent to ESA it sees new meta matching the rule of ip.dst=2.2.2.2

 

It will fire and send a syslog to the decoder and the loop begins

 

In most cases of more complex rules this wouldn't happen, however for the simpler rules this is possible

 

Dave

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.