Hi,
Is there an option in NetWitness to add data on specific IPs/users that show up in the logs, and add them to some sort of database, so that we can have brief information on a specific IP without needing to resort to external lists?
Example:
The FW reported communication from 10.1.0.154 to a known botnet IP.
If we have the information regarding 10.1.0.154 in the system, we can immediately inform the person/department whose workstation it is, or, if no data is present, add it after investigating for future reference.
Well, NW really needs a normal asset database interconnected with all other services (ESA/RE/Respond), but it seems like they still don't have it... Anyway, you can try to find a workaround and use what they have...
- If you need asset information easily accessible in RE/ESA, there is not much choice but to use custom feeds to enrich parsed logs with new metadata.
- For your example I would probably use Context Hub, although it will require a lot of effort... and I find it a bit glitchy, and you can't use it anywhere else but in Investigation (if there is nothing new in the latest version).
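As an added illustration of the feed-style enrichment the reply above describes (example code written for this page, not from the original thread and not NetWitness's own feed mechanism): a small Python lookup that loads an asset CSV keyed by IP or CIDR, enriches a firewall event's source and destination with owner/department/hostname, flags addresses with no record as unknown, and appends a record after investigation so the next lookup resolves it. The CSV layout, the column names, the `src.*`/`dst.*` key names and the firewall log line are all constructed assumptions for the example; a real NetWitness custom feed is defined through the product's feed wizard and its enriched meta keys follow the product's naming, not the names used here.

```python
import csv
import io
import ipaddress
import re

# Constructed asset inventory (assumption: first column is the lookup key, an
# IP or CIDR; remaining columns become enrichment metadata). The column names
# are invented for this example and are not NetWitness meta keys.
ASSET_CSV = """\
ip,owner,department,hostname
10.1.0.154,j.smith,Finance,FIN-WS-017
10.1.0.0/24,unknown,Finance-segment,
10.2.5.10,svc-backup,IT,BKP-01
"""

# Constructed firewall log line, mirroring the scenario in the question.
FW_LOG = ("2024-03-01T10:15:02Z fw01 action=allow src=10.1.0.154 "
          "dst=198.51.100.23 dport=443 reason=botnet-cc")


def load_assets(csv_text):
    """Parse the feed CSV into exact-host entries and network entries."""
    exact, nets = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row.pop("ip").strip()
        if "/" in key:
            nets.append((ipaddress.ip_network(key, strict=False), row))
        else:
            exact[ipaddress.ip_address(key)] = row
    # Most specific network wins when several contain the address.
    nets.sort(key=lambda n: n[0].prefixlen, reverse=True)
    return exact, nets


def lookup(assets, ip):
    """Return the asset record for an IP, or None if nothing is known."""
    exact, nets = assets
    addr = ipaddress.ip_address(ip)
    if addr in exact:
        return dict(exact[addr], match="host")
    for net, row in nets:
        if addr in net:
            return dict(row, match=f"network:{net}")
    return None


def enrich(assets, log_line):
    """Extract key=value fields and attach asset metadata for src and dst."""
    fields = dict(re.findall(r"(\w+)=(\S+)", log_line))
    event = dict(fields)
    for side in ("src", "dst"):
        ip = fields.get(side)
        if ip is None:
            continue
        hit = lookup(assets, ip)
        if hit is None:
            # No record yet: surface that explicitly so an analyst can
            # investigate and add one rather than silently missing it.
            event[f"{side}.asset"] = "unknown"
        else:
            for key, value in hit.items():
                if value:
                    event[f"{side}.{key}"] = value
    return event


def add_asset(csv_text, ip, owner, department, hostname=""):
    """Append a record after investigation so future lookups resolve it."""
    return csv_text + f"{ip},{owner},{department},{hostname}\n"


if __name__ == "__main__":
    assets = load_assets(ASSET_CSV)
    for key, value in sorted(enrich(assets, FW_LOG).items()):
        print(f"{key}={value}")
```

The network rows give a fallback (at least the owning segment) when the exact host is not yet inventoried, which is the "brief information" the question asks for; an exact host row overrides it once the workstation has been identified.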