Harden the Admin Account
The STIG Hardening Guide in the NetWitness Suite Documentation on RSA Link (https://community.rsa.com/docs/DOC-64211) has this information.
Audit Log Messages
It can be useful to see which user actions result in which log message types in the /var/log/messages file.
The event categories spreadsheet included in the log parser package in the NetWitness Suite Parser v2.0.zip archive lists the event categories and the event parser lines to help with building reports, alerts, and queries.
NwConsole for Health & Wellness
RSA has added a command option called logParse in NwConsole. This command option supports log parsing, a convenient way to check log parser without setting up the full system to do log parse. For more information about the logParse command, at the command line, type help logParse.
Thick Client Error: remote content device entry not found
Error: “The remote content device entry was not found,” generated for a correlation rule applied to a concentrator.
Problem: in Investigation, if you click the
correlation-rule-name meta value in the Alert meta key, you do not get session information.
Solution: Instead of using correlation rules on decoders and concentrators, use ESA rules. The ESA rules do record the correlation sessions that match the ESA rule.
View Example Parsers
Since flex and lua parsers are encrypted when they are delivered by Live, you cannot easily view their contents.
However, some plain text examples are available here: https://community.emc.com/docs/DOC-41108.
Configure WinRM Event Sources
The following Inside EMC article has a video that walks through the process of setting up Windows RM (Remote Management) collection: https://inside.emc.com/docs/DOC-122732.
Additionally, it contains two scripts that are shortcuts for procedures described in the "Windows Event Source Configuration Guide."