This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
RSAAdmin
Beginner
Beginner
‎2014-12-14 06:20 AM

Custom Dashboards

I’m trying to create custom dashboard for Business staff. Has anyone come across these scenarios?

  1. Any template for business specific dashboards
  2. Replacing output value of a query with a custom value. ( for example if the ip is in 10.1.0.0/16 range, replace the ip value with “HQ building”
  3. For pie charts is it possible to limit the values to a minimum (e.g. ‘5’) in dashboard
  4. How to replicate the changes made in dashboard across all other users who have access to the same.
  5. Can the option “regex” in rules can be tweaked to map an IP to a building, staff ID to a user etc. (I tried but it’s not giving the expected results)
  6. Geo-map location, does this require internet access to google maps from SA box or the connection is made locally from the PC which it is run

 

Just started using Security Analytics and I'm trying to get more insight into reporting part.

RSA Security Analytics for Logs 10.4.0.2

 

Thanks

0 Likes
Reply
4 Replies
ChristopherAhea
Employee
Employee
‎2014-12-14 11:58 AM

A.  No templates that I am familiar with, but if you have ideas about what you would like in there, and we have meta for it, then it should be relatively straight forward.

 

B.  I typically use Feeds to map IP ranges to business specific data.

 

C.  I believe it is only a maximum setting...not a minimum.

 

D.  Each user is specific at this time, but you can export the Dashboard and import it for each user.  Agreed, this is something we can probably do a better job with moving forward and I will request this be added.

 

E.  See feed option

 

F.  Geo-Location is actually done with the geo-ip related dat files in /etc/netwitness/ng directory.

 

I am attaching a feed example.  It works best with packets.  For logs, you would use 2 feeds with meta callbacks for ip.src and ip.dst respectively.

network 2.zip
Reply
RSAAdmin
Beginner
Beginner
In response to ChristopherAhea
‎2014-12-16 02:44 AM

Thanks, That was really helpful.

 

I have a query regarding feeds. If we input a list of IPs and their corresponding locations, will that be used for all IP fields like ip.src, ip.dst, ip.addr across all device types?

0 Likes
Reply
ChristopherAhea
Employee
Employee
In response to RSAAdmin
‎2014-12-16 06:22 AM

No. Just ip.src or ip.dst. However, you can create a feed using just about any meta key. You would use a meta callback in those cases where it wasn't ip.src or ip.dst.

 

So, the csv might look the same but the xml might look at ip.addr instead.

 

Chris

 

Sent from my iPhone

Reply
RSAAdmin
Beginner
Beginner
‎2014-12-21 05:29 AM

Is it possible to embed a map showing attack geolocations in dashboard ?

 

Also i'm aware about Geolocation lookup under investigation tab, however the google earth plugin is not working. tried in 3 different PCs (Windows/Apple)

 

Do anyone have a screenshot of geolocation map, just wnat to see how it looks like so that i can decide if its worth to proceed

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.