This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

(Urgent) RSA NetWitness timeframe rule

HaithamAbuHejle
Beginner
Beginner

‎2019-04-12 01:56 PM

Hi ,

 

I need urgent help in creating NetWitness rule as below:

1- MS DC users who logged in during a specific time frame (e.g. from 6:00PM-to-6:00AM).
2- MS DC users who upgraded into admin.
3- MS DC users who did brute-force attempts.

 

Looking forward to hearing from you asap

 

Haitham

0 Likes
3 REPLIES 3

HaithamAbuHejle
Beginner
Beginner

‎2019-04-17 06:59 AM

Hi , 

 

Any help please?

0 Likes

VarunGovindaraj
Contributor
Contributor

‎2019-04-23 07:54 AM

Hi Haitham,

 

use case 1 :https://community.rsa.com/docs/DOC-53333 (check it would be of any help in NW)

use case 2: Monitor for the event id "4728"

use case 3: Monitor for the event id "4625" for same user name (set the threshold as per company's policy)

 

Regards,

Varun P G

0 Likes

HaithamAbuHejle
Beginner
Beginner
In response to VarunGovindaraj

‎2019-04-23 08:10 AM

Hi Varun,

 

I need NetWitness rule not ESA rule.

 

Thanks,

Haitham

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.