NetWitness Community

MaximMarchenko · 2022-01-24

Hello. First of all, I've read this article and tried to do such thing, but no luck. Logs are from MongoDB Community event source. Log example: "Jan 24 16:30:10 mongodb-linux-test-1 MONGODB-AUDIT: {"t":{"$date":"2022-01-24T16:30:01.081+06:00"},"s":"I...

MaximMarchenko · 2021-10-01

Hello everybody. Need your help with ESA Rule(EPL). So, what I want: the rule must generate alerts if there are minimum 5 failed logins(bad password) from Same Source during 120 seconds. After reading all documentation that I've managed to get, I've ...

MaximMarchenko · 2021-07-26

Can't create ODBC with mysql(8.0.25) RSANW(11.6.0.0) - no support for MySQL Community via ODBC. The error is: NwLogCollector[16282]: [OdbcCollection] [failure] An error occurred creating an ODBC connection for DSN: TEST_HA The trapped error is: Unabl...

MaximMarchenko · 2021-07-07

Hello. We get JSON/LEEF from ESES ERA(7.x). I've tried to parse JSON event using Config - Log Parser Rules. I've created new parser and clean JSON parses well, but the problem is that logs we get are partially text and then JSON. Thats's why it can't...

MaximMarchenko · 2021-07-07

Hello. Can't create ODBC with mysql(8.0.25) RSANW(11.6.0.0) The error is: NwLogCollector[16282]: [OdbcCollection] [failure] An error occurred creating an ODBC connection for DSN: TEST_HA The trapped error is: Unable to create an ODBC connection. DSN:...

MaximMarchenko · 2022-01-25

From my own exploration there is no way to do this: LogonType 2/7/10 of domain computers are stored locally on these computres. By enabling policy, you've mentioned you will be able only get Kerberos events(like "ticket was granted", etc), which is p...

MaximMarchenko · 2022-01-25

If you see thant ip.dst/host.dst is your DC - Logon type 2 from DC means somebody login to your DC directly, imho.

MaximMarchenko · 2022-01-25

I've managed to find the error by myself: ... ... These name must be the same: ... ... The result is: I get all my metas, described in . So somebody in RSA must fix this article . Also in sections: type="CollectionTime" /> meta="alias.host" />...

MaximMarchenko · 2022-01-24

Hello. Actually, DC does'nt gather logon/logoff events of your workstations: 4624/4625/4647 & Logon Types 2(interactive logon/7(unblock)/10(remote logon). You can find these events Only on your Workstations. So if you want to collect such events, you...

MaximMarchenko · 2021-11-11

Thank yor for answer. I think your issue is the time_batch. I would use time_length_batch. According to my logic, I need exactly time_batch, because I want to collect All events for 2 minutes. If I wrong, please, explain me what is my mistake? Also k...

NetWitness Community

User Statistics

User Activity

Need help to parse JSON log

ESA Rule - Grouping Alerts

RSA NetWitness doesn't support MySQL Community

How to parse JSON events with clear text near JSON?

Can't create ODBC with mysql(8.0.25) RSANW(11.6.0.0)

Re: Reports for user activity (login and log-off) on Windows

Re: Reports for user activity (login and log-off) on Windows

Re: Need help to parse JSON log

Re: Reports for user activity (login and log-off) on Windows

Re: ESA Rule - Grouping Alerts