Use Case related to inactive users
I want to ask regarding the possibility to create use case (to get alert) where we want to track situation where some specific user did not logged into the system (for example on Windows machine) more then 15 days.
Is it possible to be done using Netwitness ESA correlation engine?
- Community Thread
- Forum Thread
- RSA NetWitness Endpoint
- RSA NetWitness Platform
Hi Petar Nikovic,
Please Create a list with users in Reports->List
Create a rule with Where User = <the list created> Run for last 15 days.
Then Will have to compare the results with list to find did not logged in for 15 days.
ESA used only for real-time correlation.
Thank you Sravan,
I will try that.
Is there any possibility in the Netwitness to put results of the rule into one list (where I can define time to live) and later on to create another rule to use those results if needed?
What I want to ask you is there any possibility using one ESA rule to automatically populate a list and later on I can create another rule (or rules) and use the data from that list (which is automatically populated using the first rule) .
Tnx for the quick answer.
One more question: When I populate that Dynamic list with Report can I use ESA rule or Incident rule to use that list (use the results from that list) ?
Can I define time to live period for the values in that Dynamic list?
ESA script outputs + Context Hub Lists sounds like what you're looking for here: