Rule for alert "New device started sending logs to RSA SA"
Need to create an alert under RSA SA if new event source started sending logs to RSA when integrated with RSA for the first time.
Need help on the same.
RSA SA : 10.6.2
Let me know: Do we have any similar alert available in LIVE?
There are currently no out of the box Live alerts for what you are looking for. We have Health & Wellness alerts for when you stop seeing logs from event sources, but not on first seeing an event source. I assume you are looking to know when users direct new syslog event sources to your collectors.
The only thing I can think of offhand, but can be time consuming, is to create a feed that contains all the syslog event sources that you know you should be capturing. Make this list generate a piece of meta called "known syslog sources". Then run a reporting engine alert looking for syslog messages that do not have "known syslog sources" meta attached to them. This way you would get an alert for a new syslog event source. Once you have discovered it you could update the feed. If you do run an alert like this you want to make sure to have alert suppression on, otherwise you could get a lot of alerts from each new log from that event source as it comes in.
I hope this helps.
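The feed-plus-negative-match approach described in the answer above, simulated in plain Python as an added example (not NetWitness feed or rule syntax, and not code from the thread): a constructed CSV of known sources tags events with a "known syslog sources" meta key, events without that key raise a new-source alert, and a per-source suppression window keeps one chatty new device from alerting on every line.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed stand-in for the feed CSV of known syslog sources (IP -> device name).
KNOWN_SOURCES_FEED = """ip,device_name
10.0.0.5,fw-edge-01
10.0.0.9,dc-01
"""

# Constructed syslog-style events: (timestamp, source IP, message).
# 10.0.0.42 is deliberately absent from the feed.
EVENTS = [
    ("2017-03-01T10:00:00", "10.0.0.5", "%ASA-6-302013: Built outbound TCP connection"),
    ("2017-03-01T10:00:05", "10.0.0.42", "sshd[1201]: Accepted publickey for admin"),
    ("2017-03-01T10:00:07", "10.0.0.42", "sshd[1201]: session opened for user admin"),
    ("2017-03-01T10:00:09", "10.0.0.9", "Microsoft-Windows-Security-Auditing: 4624"),
    ("2017-03-01T11:30:00", "10.0.0.42", "sshd[1333]: Accepted publickey for admin"),
]


def load_feed(text):
    """Parse the known-sources CSV into a lookup of IP -> device name."""
    return {row["ip"]: row["device_name"] for row in csv.DictReader(io.StringIO(text))}


def enrich(event, feed):
    """Feed step: attach the 'known syslog sources' meta when the source IP is in the feed."""
    ts, ip, msg = event
    meta = {"time": ts, "ip.src": ip, "msg": msg}
    if ip in feed:
        meta["known syslog sources"] = feed[ip]
    return meta


def new_source_alerts(events, feed, suppress=timedelta(hours=1)):
    """Alert step: events lacking the meta key alert, at most once per source per window."""
    last_alert = {}  # source IP -> time of its last alert (the suppression state)
    alerts = []
    for event in events:
        meta = enrich(event, feed)
        if "known syslog sources" in meta:
            continue  # known source, nothing to report
        seen_at = datetime.fromisoformat(meta["time"])
        previous = last_alert.get(meta["ip.src"])
        if previous is not None and seen_at - previous < suppress:
            continue  # suppressed: this source already alerted inside the window
        last_alert[meta["ip.src"]] = seen_at
        alerts.append((meta["time"], meta["ip.src"]))
    return alerts


if __name__ == "__main__":
    for when, src in new_source_alerts(EVENTS, load_feed(KNOWN_SOURCES_FEED)):
        print("NEW EVENT SOURCE:", when, src)
```

With the constructed input this produces two alerts for 10.0.0.42: the first line at 10:00:05 and the one at 11:30:00, while the 10:00:07 line is suppressed; after adding 10.0.0.42 to the feed it produces none.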