I’m trying to create a custom dashboard for business staff. Has anyone come across these scenarios?
- Any template for business specific dashboards
- Replacing the output value of a query with a custom value (for example, if the IP is in the 10.1.0.0/16 range, replace the IP value with “HQ building”)
- For pie charts is it possible to limit the values to a minimum (e.g. ‘5’) in dashboard
- How to replicate the changes made in dashboard across all other users who have access to the same.
- Can the option “regex” in rules be tweaked to map an IP to a building, staff ID to a user, etc.? (I tried but it’s not giving the expected results)
- Geo-map location: does this require internet access to Google Maps from the SA box, or is the connection made locally from the PC on which it is run?
Just started using Security Analytics and I'm trying to get more insight into the reporting part.
RSA Security Analytics for Logs 10.4.0.2
A. No templates that I am familiar with, but if you have ideas about what you would like in there, and we have meta for it, then it should be relatively straightforward.
B. I typically use Feeds to map IP ranges to business specific data.
C. I believe it is only a maximum setting...not a minimum.
D. Each user is specific at this time, but you can export the Dashboard and import it for each user. Agreed, this is something we can probably do a better job with moving forward and I will request this be added.
E. See feed option
F. Geo-Location is actually done with the geo-ip related dat files in /etc/netwitness/ng directory.
I am attaching a feed example. It works best with packets. For logs, you would use 2 feeds with meta callbacks for ip.src and ip.dst respectively.
Thanks, That was really helpful.
I have a query regarding feeds. If we input a list of IPs and their corresponding locations, will that be used for all IP fields like ip.src, ip.dst, ip.addr across all device types?
No. Just ip.src or ip.dst. However, you can create a feed using just about any meta key. You would use a meta callback in those cases where it wasn't ip.src or ip.dst.
So, the csv might look the same but the xml might look at ip.addr instead.
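The feed approach discussed above depends on a clean CSV of IP ranges and labels. The following check is an added example, not part of the thread or the attached feed: it validates such a list and resolves an address to its label before the file is loaded as a feed. The two-column layout, the sample ranges, and the function names are assumptions; the script reports overlapping ranges and resolves them by longest prefix, which is its own choice and not a statement about how the product handles them.

```python
import csv
import io
import ipaddress

# Constructed sample: "CIDR,label" rows (column layout is an assumption).
SAMPLE_CSV = """\
# range,location
10.1.0.0/16,HQ building
10.1.20.0/24,HQ data centre
10.2.0.0/16,Branch office
192.168.10.0/33,Bad row
"""

def load_ranges(text):
    """Parse rows into (network, label); collect (line, error) for bad rows."""
    ranges, errors = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue  # skip blank lines and comments
        try:
            # strict=True rejects entries with host bits set, e.g. 10.1.0.5/16
            net = ipaddress.ip_network(row[0].strip(), strict=True)
            label = row[1].strip()
            if not label:
                raise ValueError("empty label")
        except (ValueError, IndexError) as exc:
            errors.append((lineno, str(exc)))
            continue
        ranges.append((net, label))
    return ranges, errors

def find_overlaps(ranges):
    """Return pairs of ranges that overlap, so ambiguous rows can be reviewed."""
    pairs = []
    for i, (a, _) in enumerate(ranges):
        for b, _ in ranges[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs

def lookup(ranges, ip):
    """Label of the most specific range containing ip, or None if uncovered."""
    addr = ipaddress.ip_address(ip)
    hits = [(n, l) for n, l in ranges if n.version == addr.version and addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

if __name__ == "__main__":
    ranges, errors = load_ranges(SAMPLE_CSV)
    print(errors, find_overlaps(ranges), lookup(ranges, "10.1.20.7"))
```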
Is it possible to embed a map showing attack geolocations in a dashboard?
Also, I'm aware of the Geolocation lookup under the Investigation tab; however, the Google Earth plugin is not working. Tried on 3 different PCs (Windows/Apple).
Does anyone have a screenshot of the geolocation map? I just want to see what it looks like so that I can decide if it's worth proceeding.