RSA NetWitness (NW) recently added the ability to report on the IMDB component of the platform. Based on some recent questions, it seemed useful to create a few template rules and reports that can serve as a starter pack for reporting on IMDB data.
RSA IMDB reporting syntax
Included at the bottom is a rule and report pack covering a few scenarios that should get you started reporting on the data you are likely to want to see.
Some things I found out while building these:
- In the alerts table, alert.host_summary is visible as an option, but alert.user_summary is not. You can add alert.user_summary to a rule manually to report on that data, and it works for me (10.6.2.2). Bug reported for that to be fixed.
- In the incidents table, the 'name' of the incident is not visible as a usable meta value. If you add 'name' manually, you can include the incident name in the report. Bug reported for that to be fixed as well.
So you can create rules that provide data like this for alerts, and like this for incidents, or pretty close to it (the example screenshots referenced here are not included on this page).
The rules in the included pack