- First, create a report engine rule by going to Reports in the RSA Security Analytics UI, clicking the Add (+) button and then selecting NetWitness DB.
- Fill in the essential details. The following example reports on logs in which the administrator or root account was used to log in to a system; its Where clause limits the results to the 'user.activity.failed logins' event category:
  - Select: time, device.ip, device.type, user.dst, ec.theme, ec.outcome, event.cat.name
  - Where: ec.theme = 'authentication' && (user.dst = 'administrator' || user.dst = 'root') && event.cat.name = 'user.activity.failed logins'
  - Summarize: None
  - Title: My privilege user
- Click Save and then Use to make this rule available as a report template.
- The report is now available to schedule.
- Schedule the report using any relevant information as needed.
- Next, go to Manage > Reports and select the scheduled report (shaded in blue).
- The Report Schedule page will appear with Completed reports. Select View report.
- Finally, the completed Report page will appear with the specified time range.
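
To check what the rule will and will not return before scheduling it, the Where clause above can be evaluated offline against sample metadata. This is an added example, not code from RSA or from the original page; the `matches` and `run_rule` helpers and the sample events are hypothetical, and it assumes exact, case-sensitive string equality and that `&&` binds tighter than `||`, which may differ from the product's own behaviour.

```python
import re

# Where clause and Select list copied from the rule above.
WHERE = ("ec.theme = 'authentication' && (user.dst = 'administrator' || "
         "user.dst = 'root') && event.cat.name = 'user.activity.failed logins'")
SELECT = ["time", "device.ip", "device.type", "user.dst",
          "ec.theme", "ec.outcome", "event.cat.name"]

def matches(clause, event):
    """Evaluate key = 'value' terms joined by &&, || and parentheses.
    Assumptions (not confirmed by the page): exact, case-sensitive string
    equality on each meta key, and && binding tighter than ||."""
    toks, i = re.findall(r"&&|\|\||[()=]|'[^']*'|[\w.]+", clause), 0
    def expr(level=0):                  # level 0: ||, level 1: &&, level 2: term
        nonlocal i
        if level == 2:
            if toks[i] == "(":
                i += 1
                value = expr()
                i += 1                  # consume the closing ")"
                return value
            key, _eq, literal = toks[i:i + 3]
            i += 3
            return event.get(key) == literal[1:-1]
        value = expr(level + 1)
        while i < len(toks) and toks[i] == ("||", "&&")[level]:
            i += 1
            rhs = expr(level + 1)       # always parsed so the cursor advances
            value = (value or rhs) if level == 0 else (value and rhs)
        return value
    return expr()

def run_rule(events):
    """Return the Select columns for every event the Where clause matches."""
    return [{k: e.get(k) for k in SELECT} for e in events if matches(WHERE, e)]

# Constructed sample metadata (not real logs); all values are placeholders.
BASE = {"time": "2024-01-01 10:00:00", "device.ip": "192.0.2.10",
        "device.type": "sample", "ec.theme": "authentication", "ec.outcome": "sample"}
EVENTS = [
    {**BASE, "user.dst": "root", "event.cat.name": "user.activity.failed logins"},
    {**BASE, "user.dst": "alice", "event.cat.name": "user.activity.failed logins"},
    {**BASE, "user.dst": "root", "event.cat.name": "sample.other category"},
    {**BASE, "user.dst": "Administrator", "event.cat.name": "user.activity.failed logins"},
]

if __name__ == "__main__":
    print(run_rule(EVENTS))
```

Only the first sample event is returned: the second is not a privileged account, the third is outside the failed-logins category, and the fourth differs in case from the literal in the rule, which is worth verifying against real data if accounts are logged as `Administrator`.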