000036102 - How to create a report in only 5 minutes in RSA Security Analytics

Document created by RSA Customer Support Employee on Mar 24, 2018Last modified by RSA Customer Support Employee on Mar 26, 2019
Version 20Show Document
  • View in full screen mode

Article Content

Article Number000036102
Applies ToRSA Product Set: Security Analytics, NetWitness Logs & Packets
RSA Product/Service Type: User Interface, Reporting Engine
RSA Version/Condition: 10.6.x, 10.5.x
Platform: CentOS
IssueThis article show us how to create a report in Netwitness within 5 minute.
It will first show how to create a report engine rule, then use it to create a report template. 
  1. First, create a report engine rule by going to Reports in the RSA Security Analytics UI, clicking the Add (+) button and then selecting NetWitness DB.
    User-added image
  2. Fill in the essential details, for example: 
    User-added image
    This will report on the logs containing people using administrator or root account to login to a system.
    • Select: time, device.ip, device.type, user.dst, ec.theme, ec.outcome, event.cat.name
    • Where: ec.theme = 'authentication'&& (user.dst = 'administrator' || user.dst = 'root') && event.cat.name = 'user.activity.failed logins'
    • Summarize: None
    • Title: My privilege user
  3. Click Save and then Use to make this rule available as a report template.
    User-added image
  4. The Report will now be available to 'Schedule'.
    User-added image
  5. Schedule the report using any relevant information as needed.
    User-added image  
  6. Next, go to Manage > Reports and select the scheduled report (shaded in blue).
    User-added image
  7. The Report Schedule page will appear with Completed reports. Select View report.
    User-added image
  8. Finally, the completed Report page will appear with the specified time range. 
    User-added image