This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Use Case related to inactive users

PetarNikovic
Beginner
Beginner

‎2019-11-14 06:20 AM

Hi,

I want to ask regarding the possibility to create use case (to get alert) where we want to track situation where some specific user did not logged into the system (for example on Windows machine) more then 15 days.

 

Is it possible to be done using Netwitness ESA correlation engine?

 

Regards

Labels:
0 Likes
7 REPLIES 7

sravan.koneti
Respected Contributor Respected Contributor
Respected Contributor

‎2019-11-14 06:34 AM

Hi Petar Nikovic‌,

 

Please Create a list with users in Reports->List 

Create a rule with Where User = <the list created> Run for last 15 days.

Then Will have to compare the results with list to find did not logged in for 15 days.

 

ESA used only for real-time correlation.

0 Likes

PetarNikovic
Beginner
Beginner
In response to sravan.koneti

‎2019-11-14 06:47 AM

Thank you Sravan,

I will try that.

 

Is there any possibility in the Netwitness to put results of the rule into one list (where I can define time to live) and later on  to create another rule to use those results if needed?

 

Regards

0 Likes

PetarNikovic
Beginner
Beginner
In response to PetarNikovic

‎2019-11-14 06:52 AM

What I want to ask you is there any possibility using one ESA rule to automatically populate a list and later on I can create another rule (or rules) and use the data from that list (which is automatically populated using the first rule) .

 

Thanks

0 Likes

sravan.koneti
Respected Contributor Respected Contributor
Respected Contributor
In response to PetarNikovic

‎2019-11-14 07:13 AM

Hi Petar Nikovic‌,

I don't see any option to create list from ESA. But, i can create list with with Report using Dynamic list in Schedule of report. https://community.rsa.com/docs/DOC-80596 

0 Likes

PetarNikovic
Beginner
Beginner
In response to sravan.koneti

‎2019-11-14 08:12 AM

Hi Sravan,

Tnx for the quick answer.

One more question: When I populate that Dynamic list with Report can I use ESA rule or Incident rule to use that list (use the results from that list) ?

Can I define time to live period for the values in that Dynamic list?

 

Regards

0 Likes

JoshRandall
Valued Contributor Valued Contributor
Valued Contributor
In response to PetarNikovic

‎2019-11-14 12:21 PM

ESA script outputs + Context Hub Lists sounds like what you're looking for here:

https://community.rsa.com/community/products/netwitness/blog/2018/10/09/auto-updating-context-hub-lists-from-esa-alerts


Mr. Mongo

PetarNikovic
Beginner
Beginner
In response to JoshRandall

‎2019-11-14 12:45 PM

I think that is it.

Thank`s a lot guys

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.