Many of you may be using a Pi-hole in your home labs, or even at the
office. The issue is the logs are stored in a local text file and
NetWitness does not support the logs. As many know DNS records are very
useful in threat hunting, so I wanted to br...
Lately I have been using the sftpagent quite a bit for moving log files
to NetWitness. I have been running into the same issue on installs
recently. The issue happens on the first sftpagent agent connection to a
log collector. After installing the ag...
After setting up UEBA You need to make sure you are collecting the
following Event IDs from Hosts as well as Network Events Active
Directory Model -> device.class = 'windows hosts' && reference.id =
'4741','4742','4733','4734','4740','4794','5376','5...
Currently the Log Parser Tool is built for Windows and Mac. Using Wine
4.x you can install and run the Log Parser tool on Linux (Mint and
Ubuntu) To install and run the LPT on linux you need to follow the
following instructions: Install Wine 4.x Down...
There are times when you would like to export data from a log decoder
and then re inject it into a new log decoder. Typically you would do
this through the investigator interface, save the file and then upload
this file into the new log decoder. The ...
I think your issue is the time_batch. I would use time_length_batch.
Also keep in mind that by adding the logon_type=3 you are limiting this
statement to only logins via the network and you are excluding
interactive logins. Hope this helps I recreate...
Jeremy, are you using the new health and wellness dashboards? These are
exceptional at viewing all the statistics around any service. It also
provides historical data as well as trending. This should make it easier
to see what the concentrator is doi...
For whitelisting in ESA you could also create an enrichment feed and
list your white listed elements in there vs an app rule. I would need to
see an example of what you are trying to do, to better assist. You can
reach out to my directly at my first....
