This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

The logic behind the Alert?

Go to solution
RomanZeltser
Beginner
Beginner

‎2017-01-31 04:37 PM

Hi gurus,

As a new guy for RSA NetWitness, I would appreciate few minutes of your time spent to reply if you know the answer.

I have few SQL servers with a single service account (let's call it sql_acct) that must be used for all SQL servers instances. This account must be logged into only from the SQL servers, not from the workstations. How do I build the Alert logic that would alert me if the SQL server was managed from any workstation?   #Alert Logic

0 Likes
14 REPLIES 14

Go to solution
EricPartington
Employee
Employee
In response to RomanZeltser

‎2017-02-02 03:38 PM

what does your list $[SQL Servers] look like ?

what values are in there ? hostnames or IP addresses ?

0 Likes

Go to solution
RomanZeltser
Beginner
Beginner
In response to EricPartington

‎2017-02-02 03:41 PM

 IP addresses only

0 Likes

Go to solution
EricPartington
Employee
Employee
In response to RomanZeltser

‎2017-02-02 03:59 PM

ok two things..

 

you cannot use the $List in investigator, that is only available in the reporting engine.  So the red error above is correct if you are trying to use that in investigator.  To test out your login in Investigator take the list and put them like this...

ip.src!=ip,ip2,ip3,ip4

 

if that returns you results as you expect then you know your logic works.  once you have that sorted out you can the test your reporting logic (i would also check off the box for use relative time calculation in Reporting engine)

0 Likes

Go to solution
RomanZeltser
Beginner
Beginner
In response to EricPartington

‎2017-02-02 04:53 PM

Great. Perhaps, I know that my system is functioning correctly, and this is a simple syntax error.

 

Yes, the sequence of IP Addresses in the Investigate does not generate a syntax error and actually produces the result.

 

However, the reporting module does not do the same even if I replace the SQL List with the sequence of IP addresses (like in the Investigate). The empty page again…

 

I have checked off the box for use relative time calculation and tried last day and two last days with the same result. The test was performed yesterday in the middle of the day, around 1-2 PM.

 

Something else is missing (or excess statement in the query)…

 

===============

Roman Zeltser

Sr. IM Security Analyst

CDR Associates

 

307 International Circle

Suite 300

Hunt Valley, MD 21030

P: 410-560-2269 x.1261

rzeltser@cdrassociates.com<mailto:rzeltser@cdrassociates.com>

Preview file
2 KB
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.