Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000034563 - How to locate the origin of an alert if the machine name is not listed in RSA NetWitness Endpoint

Document created by RSA Customer Support

on Dec 28, 2016•Last modified by RSA Customer Support on May 7, 2019

Version 4Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000034563
Applies To	RSA Product Set: NetWitness Endpoint RSA Product/Service Type: User Interface, Database RSA Version/Condition: 4.2, 4.1, 4.4.x, 11.3 Platform: Windows
Issue	If you receive an IIOC alert and cannot find the machine name listed in the UI, the alert may be for Floating Code or another type of IIOC. Sample IIOC alert from SEIM Tool: Dec 31 15:10:35 LabMachine01 CEF:0\|RSA\|RSA ECAT\|4.1.1.1\|ModuleIOC\|EcatAlert\|1\|agentid=<Unique-alphanumeric_string> shost=LABMACHINE02 src=1.2.3.4 smac=<Unqine MAC ADDRESSS fname=[FLOATING CODE] fsize=0 fileHash=0000000000000000000000000000000000000000 instantIOCName=FloatingCode_NetworkAccess.sql instantIOCLevel=1 OPSWATResult=Disabled YARAResult=Clean Bit9Status=unknown moduleScore=1023 machineScore=1023 moduleSignature=Unknown os= < Machine OPS Type> md5sum=00000000000000000000000000000000
Resolution	There are two methods to locate the missing machine name. First Method Log into the RSA NetWitness Endpoint UI. Select Machines Panel and right-click the column description panel. Right-click Column Chooser and then right-click arrow next to Machine.ECAT. Check the Agent ID box and then close it. The Agent ID will now be searchable using various filters in the ECAT UI. Second Method You can locate the source of the alert by running a query based on the Agent ID. (The agent ID is a unique combination of alphanumeric characters. The string is only used once for any machines, even if the machine name, IP, mac address changes, the agent ID will remain the same.) The first step is to log into the ECAT database using SQL Studio Manager. Select -> New Query -> Drill down box, select the name of the ECAT database. Type the following query: select machineName,MacAddress,agentID from machines where AgentID = '<AGENT ID>' (note: replace with actual AgentID found in the alert) Screenshot from Lab SQL Server: The above query will display allow you to see what the new machine name is for the client machine.

Attachments

Outcomes

0 Comments

Recommended Content