000036102 - How to create a report in only 5 minutes in RSA Security Analytics

Document created by RSA Customer Support Employee on Mar 24, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000036102
Applies ToRSA Product Set: Security Analytics, NetWitness Logs & Packets
RSA Product/Service Type: User Interface, Reporting Engine
RSA Version/Condition: 10.6.x, 10.5.x
Platform: CentOS
IssueThis article show us how to create a report in Netwitness within 5 minute.
It will first show how to create a report engine rule, then use it to create a report template. 
  1. First, create a report engine rule by going to Reports in the RSA Security Analyics UI, clicking the Add (+) button and then selecting NetWitness DB.
    User-added image
  2. Fill in the essential details, for example:
    • Select: time, device.ip, device.type, user.dst, ec.theme, ec.outcome, event.cat.name
    • Where: ec.theme = 'authentication'&& (user.dst = 'administrator' || user.dst = 'root') && event.cat.name = 'user.activity.failed logins'
    • Summarize: None
    • Title: My privilege user
    For example:
    User-added image
    This will report on the logs containing people using administrator or root account to login to a system
  3. Click Save and then Use to make this rule available as a report template.
    User-added image