(Urgent) RSA NetWitness timeframe rule
I need urgent help creating NetWitness rules as below:
1- MS DC users who logged in during a specific time frame (e.g. from 6:00 PM to 6:00 AM).
2- MS DC users who upgraded into admin.
3- MS DC users who did brute-force attempts.
Looking forward to hearing from you ASAP.
Use case 1: https://community.rsa.com/docs/DOC-53333 (check whether it would be of any help in NW)
Use case 2: Monitor for the event ID "4728"
Use case 3: Monitor for the event ID "4625" for the same user name (set the threshold as per company's policy)
Varun P G
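The logic behind the three use cases, as an added Python sketch that is not part of the thread and is not NetWitness rule syntax. It shows the midnight wrap in the 6:00 PM to 6:00 AM window and a per-user sliding count of 4625 events. Assumptions: event ID 4624 stands for a successful logon, the threshold is 5 failures in 10 minutes, and the `(timestamp, event_id, user)` tuple layout and sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Assumed policy values (not from the thread); set them per company policy.
WINDOW_START, WINDOW_END = time(18, 0), time(6, 0)   # 6:00 PM to 6:00 AM
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)

def after_hours(ts):
    """True when ts falls in the window, which may wrap past midnight."""
    t = ts.time()
    if WINDOW_START <= WINDOW_END:
        return WINDOW_START <= t < WINDOW_END
    return t >= WINDOW_START or t < WINDOW_END

def detect(events):
    """events: (timestamp, event_id, user) tuples sorted by time."""
    alerts, fails = [], defaultdict(deque)
    for ts, event_id, user in events:
        if event_id == 4624 and after_hours(ts):      # 4624: assumed logon ID
            alerts.append(("after_hours_logon", user, ts))
        elif event_id == 4728:                        # user = account added
            alerts.append(("added_to_group", user, ts))
        elif event_id == 4625:                        # failed logon
            q = fails[user]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:            # drop expired failures
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("failed_logon_burst", user, ts))
                q.clear()                             # one alert per burst
    return alerts

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

SAMPLE = [  # constructed events, not real logs
    (_t("2024-03-04 14:10"), 4624, "alice"),   # business hours: no alert
    (_t("2024-03-04 23:30"), 4624, "bob"),     # after hours, before midnight
    (_t("2024-03-05 02:00"), 4728, "carol"),   # added to a group
    (_t("2024-03-05 05:59"), 4624, "dave"),    # after hours, after midnight
    (_t("2024-03-05 06:00"), 4624, "erin"),    # window end is exclusive
] + [(_t("2024-03-05 09:0%d" % i), 4625, "mallory") for i in range(5)]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```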