I'd be interested to hear how other people approach taking online threat
reports that have detection rules for other products like Splunk and
apply them to NetWitness. There is a lot of content for other tooling
but not a lot for Netwitness so I'd li...
I have an ESA rule that generates an email notification when meta is
generated in the 'alert' meta key. I want to put able to use part of the
meta information in the alert to customise the email subject header so
there is more context in it. Is this ...
I have configured the esa alert below to trigger when our Palo Alto
Firewalls detect a network scan attempt. The issue is, if say I run a
nmap scan, the Palo Alto will generate at least 4 events which results
in 4 emails being sent. I'd prefer to onl...
There is no engagement from NetWitness, it's just customers asking
questions with no responses or the only response is "We logged a support
case". How does that help with the broader community.
How do I create a log parser for log files that are in JSON format? All
the resources I've seen and the Log Parser Tool seem to only deal with
syslog style logs where the whole message is on a single line however
the event source I need a parser for ...
Hi @JohnKisner I think you figured it out. by adding the suggested
syntax ${events[0].alert[0]} seems to work. I tested the notification
and the alert meta is now being displayed in the subject line. Thanks
for your help
Thanks @JohnKisner that seems to work for most meta keys, but for some
reason if I use ${events[0].alert} in one particular email notifcation
as the part of the subject line, it stops all email notification for
that alert. it's weird, it's the only k...
Thanks @EduCarbonell , this is what I was hoping to learn, exactly what
I was looking for. @JohnKisner Thanks, I'll certainly look into the
limiting of emails for other alerts, in this case the use of the esa
alert was what I hoping for.
"Recently" has been well over 2 years since NetWitness has transitioned,
and I've had the same discussion for years and I get the same response
'we are working towards a better outcome' and I just dont see it. All
the questions that have been 'answer...
