000034563 - How to locate the origin of an alert if the machine name is not listed in RSA NetWitness Endpoint

Document created by RSA Customer Support Employee on Dec 28, 2016Last modified by RSA Customer Support on May 7, 2019
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000034563
Applies ToRSA Product Set: NetWitness Endpoint
RSA Product/Service Type: User Interface, Database
RSA Version/Condition: 4.2, 4.1, 4.4.x, 11.3
Platform: Windows

IssueIf you receive an IIOC alert and cannot find the machine name listed in the UI, the alert may be for Floating Code or another type of IIOC.

Sample IIOC alert from SEIM Tool:
Dec 31  15:10:35  LabMachine01  CEF:0|RSA|RSA ECAT||ModuleIOC|EcatAlert|1|agentid=<Unique-alphanumeric_string> shost=LABMACHINE02  src= smac=<Unqine MAC ADDRESSS  fname=[FLOATING CODE] fsize=0 fileHash=0000000000000000000000000000000000000000 instantIOCName=FloatingCode_NetworkAccess.sql instantIOCLevel=1 OPSWATResult=Disabled YARAResult=Clean Bit9Status=unknown moduleScore=1023 machineScore=1023 moduleSignature=Unknown os= < Machine OPS Type> md5sum=00000000000000000000000000000000

ResolutionThere are two methods to locate the missing machine name.

First Method
  1. Log into the RSA NetWitness Endpoint UI.
  2. Select Machines Panel and right-click the column description panel.
    screenshot of machine panel
  3. Right-click Column Chooser and then right-click arrow next to Machine.ECAT.
  4. Check the Agent ID box and then close it.  The Agent ID will now be searchable using various filters in the ECAT UI.

screenshot of colum chooser

Second Method
You can locate the source of the alert by running a query based on the Agent ID.
(The agent ID is a unique combination of alphanumeric characters. The string is only used once for any machines, even if the machine name, IP, mac address changes, the agent ID will remain the same.)

The first step is to log into the ECAT database using SQL Studio Manager.
  1. Select -> New Query -> Drill down box, select the name of the ECAT database.
  2. Type the following query:

    select machineName,MacAddress,agentID from machines where AgentID = '<AGENT ID>'
    (note: replace with actual AgentID found in the alert)

Screenshot from Lab SQL Server:
screenshot of agent query

The above query will display allow you to see what the new machine name is for the client machine.