2017-01-31 04:37 PM
Hi gurus,
As a new guy to RSA NetWitness, I would appreciate a few minutes of your time to reply if you know the answer.
I have a few SQL servers with a single service account (let's call it sql_acct) that must be used for all SQL Server instances. This account must be logged into only from the SQL servers, not from the workstations. How do I build the Alert logic that would alert me if a SQL server was managed from any workstation? #Alert Logic
2017-02-02 03:38 PM
What does your list $[SQL Servers] look like?
What values are in there? Hostnames or IP addresses?
2017-02-02 03:41 PM
IP addresses only
2017-02-02 03:44 PM
2017-02-02 03:59 PM
OK, two things:
You cannot use the $[List] in Investigator; that is only available in the Reporting Engine. So the red error above is correct if you are trying to use that in Investigator. To test out your logic in Investigator, take the list and put the values in like this:
ip.src!=ip,ip2,ip3,ip4
If that returns the results you expect, then you know your logic works. Once you have that sorted out you can then test your reporting logic (I would also check the box for "use relative time calculation" in the Reporting Engine).
2017-02-02 04:53 PM
Great. Perhaps I know that my system is functioning correctly and this is a simple syntax error.
Yes, the sequence of IP addresses in Investigate does not generate a syntax error and actually produces the result.
However, the reporting module does not do the same even if I replace the SQL list with the sequence of IP addresses (as in Investigate). The empty page again…
I have checked the box for "use relative time calculation" and tried the last day and the last two days, with the same result. The test was performed yesterday in the middle of the day, around 1-2 PM.
Something else is missing (or there is an excess statement in the query)…
===============
Roman Zeltser
Sr. IM Security Analyst
CDR Associates
307 International Circle
Suite 300
Hunt Valley, MD 21030
P: 410-560-2269 x.1261
rzeltser@cdrassociates.com