ESA alerts Report
I am trying to create a report containing the alerts generated by the ESA rules for some range of time (e.g. the last 5 days).
The idea is to generate a report with the alert information shown in the picture below (Severity, Alert Name, Count, etc.).
Could anybody help me with this?
Thanks in advance.
Tags: alert summary, Community Thread, Forum Thread, RSA NetWitness, RSA NetWitness Platform
The only resolution for your ask that I'm aware of is to set up a syslog notification for EACH and every alert and point it to your syslog receiver; on the alerts within the ESA, check the output notifications for syslog. Then take that re-ingestion and create a report from that information.
The IMDB is for connecting to enVision databases, not for connecting to the ESA database to create reports. I know there was mention that 10.6.2 allows the creation of reports from ESA's Summary page, but as of 10.6.2.2 you still cannot create reports directly from the Summary page data. The only way to do reports is to feed the alerts back into the Log Decoder, via syslog as the alerts happen, and use the Reporting Engine against the normal NetWitness services (Concentrator/Broker).
There is a plan, though, for future versions to create reports off of ESA alerts? The big use case would be creating reports of the domains detected through the Context Hub's/ESA's automated C&C detection process.
I'm pretty sure you can report off both the ESA (Alert) and the IM (Incident) tables in 10.6.2.2.
IPDB is the enVision database.
Currently the query that you could use to get pretty close to that summary image in ESA (alert summary) is the following:
select alert.name, alert.severity, count(alert.numEvents)
where alert.name exists
(then select your order-by column)
Some things to note:
- the timestamp shown in the UI reflects your UTC offset; the report does not (it shows UTC times)
- the severity is a string in the alert summary; it is an integer in the report
- for some reason your count column needs to be at the end of the select string or you get a weird error about string offset -1
- including the last event time seems to mess up the counts, as it creates a line item for each unique timestamp (you can't have two aggregates in the same statement either)
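As an added example (not code from the thread or from RSA NetWitness), the script below shows the other half of the workaround described in the earlier reply: once ESA alerts are forwarded over syslog, you can aggregate the re-ingested lines yourself into the same shape as the ESA alert summary (alert name, severity, count, last event time) for a window such as the last 5 days. It also handles the caveats listed in this post: it carries UTC timestamps as timezone-aware values and converts them to a chosen display offset, it accepts severity either as the label the summary page shows or as an integer as the report returns it, and it produces the count and the last event time in a single pass, so the timestamp does not split the count into one row per unique time. The syslog lines and the JSON body format are constructed for the example; the real body is whatever your ESA syslog notification template emits, and the integer-to-label severity mapping is an assumption.

```python
"""Summarise ESA alerts forwarded over syslog into alert-summary rows."""
from datetime import datetime, timedelta, timezone
import json
import re

# Assumed integer-to-label mapping for alerts that carry a numeric severity
# (the report side) rather than the label shown on the ESA summary page.
SEVERITY_LABELS = {1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample: a syslog envelope followed by a JSON body. The body
# layout is assumed; the real one is set by the ESA syslog notification template.
SAMPLE_SYSLOG = """\
<134>1 2024-05-03T10:15:02Z esa-host ESA - - - {"name":"Multiple Failed Logins","severity":"High","numEvents":3,"timestamp":"2024-05-03T10:15:00Z"}
<134>1 2024-05-03T11:02:41Z esa-host ESA - - - {"name":"Multiple Failed Logins","severity":"High","numEvents":5,"timestamp":"2024-05-03T11:02:40Z"}
<134>1 2024-05-03T12:30:11Z esa-host ESA - - - {"name":"Suspicious DNS Domain","severity":"Medium","numEvents":1,"timestamp":"2024-05-03T12:30:10Z"}
<134>1 2024-04-20T09:00:00Z esa-host ESA - - - {"name":"Suspicious DNS Domain","severity":"Medium","numEvents":1,"timestamp":"2024-04-20T08:59:59Z"}
"""

# Fixed "now" so the sample window is reproducible (normally datetime.now(timezone.utc)).
DEMO_NOW = datetime(2024, 5, 4, tzinfo=timezone.utc)

_PAYLOAD = re.compile(r"(\{.*\})\s*$")


def parse_alert(line):
    """Return {'name', 'severity', 'numEvents', 'time'} for one forwarded alert, or None."""
    m = _PAYLOAD.search(line)
    if not m:
        return None
    try:
        body = json.loads(m.group(1))
    except json.JSONDecodeError:
        return None
    sev = body.get("severity")
    if isinstance(sev, int):          # report-style integer severity -> label
        sev = SEVERITY_LABELS.get(sev, str(sev))
    # ESA timestamps are UTC; keep them timezone-aware so the offset is explicit.
    ts = datetime.strptime(body["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"name": body["name"], "severity": str(sev),
            "numEvents": int(body.get("numEvents", 1)), "time": ts}


def summarize(lines, start, end, display_tz=timezone.utc):
    """One row per (name, severity) for alerts with start <= time < end.

    Count, total events and last event time are accumulated together, so the
    last timestamp never turns into one line item per unique time.
    """
    rows = {}
    for line in lines:
        a = parse_alert(line)
        if a is None or not (start <= a["time"] < end):
            continue
        key = (a["name"], a["severity"])
        r = rows.setdefault(key, {"name": a["name"], "severity": a["severity"],
                                  "count": 0, "events": 0, "last": a["time"]})
        r["count"] += 1
        r["events"] += a["numEvents"]
        r["last"] = max(r["last"], a["time"])
    ordered = sorted(rows.values(), key=lambda r: (-r["count"], r["name"]))
    # Render the last event time in the viewer's offset, as the UI does.
    return [{**r, "last": r["last"].astimezone(display_tz).isoformat()} for r in ordered]


def last_n_days(lines, days, now=None, display_tz=timezone.utc):
    now = now or datetime.now(timezone.utc)
    return summarize(lines, now - timedelta(days=days), now, display_tz)


def demo(offset_hours=0):
    """Summary of the constructed sample for the last 5 days before DEMO_NOW."""
    tz = timezone(timedelta(hours=offset_hours))
    return last_n_days(SAMPLE_SYSLOG.splitlines(), 5, DEMO_NOW, tz)


if __name__ == "__main__":
    for row in demo(offset_hours=-4):
        print(row)
```

Run it against a file of forwarded alert lines by replacing SAMPLE_SYSLOG with the file contents; the alert on 2024-04-20 in the sample falls outside the 5-day window and is dropped, while the two "Multiple Failed Logins" alerts collapse into one row with a count of 2 and the later of their two timestamps.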