Using Informer Reports as a Searchable Intel Database
Informer does not have the ability to search through its past reports. Those reports exist and are stored locally on the IIS server (under wwwroot, nwreporterweb, results), but they are not in a searchable format. So if you are looking for something specific, say a known malicious IP address, and you want to know if it was listed on a prior report, you have to click through each day's reports and hope you get lucky. This is not a workable way to find something.
I recently joined a group that has a year's worth of past reports sitting on their Informer system, and I know there is some good intelligence stored in those reports. How could I get those old reports indexed and searchable?
IIS used to be able to add a local directory to an indexing service, but Microsoft doesn't really support that in IIS 7. I spent a couple of days trying to cobble together a generic search application for ASP.net, and had mixed results. I also crippled our Informer box a couple of times playing with permissions. Not wanting to compromise the Informer application, I tried a different tack.
Microsoft Outlook has an outstanding search and indexing capability built-in. So I grabbed all of the html reports under the results folder on the Informer box and dropped them into a local folder in my Outlook client.
Presto! I now had a searchable threat database built from a year's worth of Informer reports.
Now that I have a searchable archive, I have made sure to subscribe by email to all of the new Informer Report results. A rule in Outlook will make sure that each new report from the Informer will find its way into my indexed Outlook folder for easy searching.
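As an added example (not part of the original post, and not RSA or Informer code), the script below does the same indexing job without Outlook: it strips the HTML from a set of report files, builds a keyword index for phrase searches, and a separate exact-match index of the IOCs a report is usually searched for (IPv4 addresses and MD5/SHA-1/SHA-256 hashes). The two embedded sample reports, their file names and dates are constructed for the demonstration; the `add_directory` helper assumes the reports have been copied out of the results folder as plain .html files into a local directory. Domain and URL extraction is left out on purpose: a naive pattern also matches file names such as `report.html` and pollutes the index.

```python
"""Index Informer HTML reports offline and look up IOCs (added example, not Informer code)."""
import os
import re
from collections import defaultdict
from html.parser import HTMLParser

# IOC patterns. Note the IPv4 pattern also matches dotted version strings such as 1.2.3.4.
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
TOKEN_RE = re.compile(r"[a-z0-9]+")


class _TextExtractor(HTMLParser):
    """Collect the visible text of a report, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def html_to_text(html):
    """Return the visible text of an HTML document with whitespace collapsed."""
    p = _TextExtractor()
    p.feed(html)
    p.close()
    return re.sub(r"\s+", " ", " ".join(p.parts)).strip()


def extract_iocs(text):
    """IPv4 addresses and MD5/SHA-1/SHA-256 hashes found in text (hashes lowercased)."""
    iocs = set(IPV4_RE.findall(text))
    iocs.update(h.lower() for h in HASH_RE.findall(text))
    return iocs


class ReportIndex:
    """In-memory inverted index (keyword -> report paths) plus an exact IOC -> report paths map."""

    def __init__(self):
        self.text = {}                  # report path -> extracted text
        self.terms = defaultdict(set)   # lowercase token -> paths containing it
        self.iocs = defaultdict(set)    # IOC -> paths containing it

    def add(self, path, html):
        text = html_to_text(html)
        self.text[path] = text
        for tok in set(TOKEN_RE.findall(text.lower())):
            self.terms[tok].add(path)
        for ioc in extract_iocs(text):
            self.iocs[ioc].add(path)

    def add_directory(self, root):
        """Index every .html/.htm file under root (assumed: a local copy of the results folder)."""
        for dirpath, _, files in os.walk(root):
            for name in files:
                if name.lower().endswith((".html", ".htm")):
                    full = os.path.join(dirpath, name)
                    with open(full, encoding="utf-8", errors="replace") as fh:
                        self.add(os.path.relpath(full, root), fh.read())

    def lookup_ioc(self, ioc):
        """Exact match: which reports listed this IP or hash? Sorted by path (date-first names sort by date)."""
        return sorted(self.iocs.get(ioc.strip().lower(), ()))

    def search(self, phrase):
        """Case-insensitive phrase search: the token index narrows candidates, then an exact substring check."""
        toks = TOKEN_RE.findall(phrase.lower())
        if not toks:
            return []
        candidates = set.intersection(*(self.terms.get(t, set()) for t in toks))
        needle = phrase.lower()
        return sorted(p for p in candidates if needle in self.text[p].lower())


# Constructed sample reports standing in for two days of Informer output (not real data).
SAMPLE_REPORTS = {
    "2012-03-14/top-talkers.html": """<html><head><title>Top Talkers</title>
      <style>td{padding:2px}</style></head><body><h1>Top Talkers 2012-03-14</h1>
      <table><tr><td>203.0.113.45</td><td>4.1 MB</td><td>outbound TCP/443</td></tr>
      <tr><td>198.51.100.7</td><td>1.2 MB</td><td>outbound TCP/80</td></tr></table></body></html>""",
    "2012-06-02/suspicious-files.html": """<html><body><h1>Suspicious Files 2012-06-02</h1>
      <p>Host 10.1.2.3 downloaded invoice.exe
      (MD5 D41D8CD98F00B204E9800998ECF8427E) from 203.0.113.45</p>
      <script>alert('not content')</script></body></html>""",
}


def build_sample_index():
    idx = ReportIndex()
    for path, html in SAMPLE_REPORTS.items():
        idx.add(path, html)
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    for ioc in ("203.0.113.45", "d41d8cd98f00b204e9800998ecf8427e", "192.0.2.99"):
        print(ioc, "->", idx.lookup_ioc(ioc) or "not seen in any report")
    print("phrase 'outbound TCP/443' ->", idx.search("outbound TCP/443"))
```

To use it against a real archive, replace `build_sample_index()` with `idx = ReportIndex(); idx.add_directory(r"C:\path\to\copied\results")` and keep the copy in date-named folders so that `lookup_ioc` returns hits in chronological order. Re-running `add_directory` after each new report lands is the scripted equivalent of the Outlook rule.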
It's a 2-step process, sort of! First step is only done once and is system-wide.
First you need to configure your SMTP server for delivery under "Admin"->"System Settings"->"Delivery Settings" or an admin will have to do that for you if you don't have the right privileges.
Then for each report, in the report definition page of that report, there's an "Envelope"-like icon for the delivery settings of that report. There you can just select the checkbox and enter the e-mail addresses you want the report delivered to.
One caveat to the process above is the fact that the reports will be sent as an attachment (PDF or CSV) and not inline, so your search functionality won't be as efficient. 😞
Hope that helps!
Well, that wouldn't work for me.
First, our Systems Admin for the SMTP server wouldn't make any changes for this.
Second, I was hoping to have this in html as it shows in this topic.
I will have to think of some other way to automate this, if that's even possible, so we can search these old reports if needed.
Maybe I can come up with a script or something that will copy these to my drive or set up an automated email to send me these files... just some thoughts to automate if I can.
Thanks for the response.
(And for the benefit of other readers)
Just a quick clarification: the SMTP Admins will not need to be involved in most cases; I meant the Administrator of your Informer device/service.
As to the rest, your ideas are probably as good as mine! Do remember there is an IIS server running on that box, if that helps. 😉