I want to create a report of all users who are using remote login over HTTP like LogMeIn, GoToMyPC, TeamViewer etc. And I just want to know the rule/parameter.
Maybe trigger on the domains?
alias.host = "teamviewer.com", "gotomypc.com", "secure.logmein.com"
For some services there might be user-agent info that you can trigger on, e.g., for TeamViewer:
client contains "dyngate"
Thank you Johannes :-) Nice input.
Is there any parser on Security Analytics which can pull all users who have used "Remote Access" over HTTP?
Please do the needful.
For many use cases there is content in Live. For instance, there's an 'alert.id = "access:remote-success"' used by the SA report "Successful Remote Access Details". If you have a Live subscription, try deploying the rules and reports related to "remote access". Then do remote logins with the services that you would like to monitor and see how the results are presented in SA.
Only if the rules/parsers/reports from Live don't suffice (or if you don't have a subscription) should you start writing your own rules/parsers/reports.
In general you only write parsers if you want to extract metadata that NW doesn't already generate. So for example if clients submit extra information in a special HTTP header or you use a special proxy authentication scheme. Give an example of an HTTP request made by a client and I might show you how to write a parser.
Once you have the metadata (say in "username"), you can create an SA report based on a rule like
SELECT ip.src, username WHERE alias.host = logmein.com, gotomypc.com, ...
But again, chances are that live already provides some parts of what you like to achieve.
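As an added example (not from the thread or from RSA Security Analytics/NetWitness), the host and user-agent indicators discussed above applied in Python to a few constructed proxy log lines and grouped per user and source IP, much as the SELECT above groups them; the log format and the tool list are assumptions. It matches hosts on domain-label boundaries rather than by substring, a distinction a bare `contains` on alias.host does not make.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the services named in the thread (constructed list; extend as needed).
# Hosts are matched on label boundaries so "logmein.com.example.test" does not hit.
REMOTE_ACCESS_HOSTS = {"teamviewer.com": "TeamViewer", "gotomypc.com": "GoToMyPC",
                       "logmein.com": "LogMeIn", "radmin.com": "Radmin"}
# User-Agent fragments for clients that also talk to generic hosts ("dyngate" per the thread).
REMOTE_ACCESS_AGENTS = {"dyngate": "TeamViewer"}

def classify(host, user_agent):
    """Return the remote-access tool a request indicates, or None."""
    host = host.lower().rstrip(".")
    for suffix, tool in REMOTE_ACCESS_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return tool
    ua = user_agent.lower()
    return next((tool for frag, tool in REMOTE_ACCESS_AGENTS.items() if frag in ua), None)

def parse_line(line):
    """Parse one constructed proxy log line: ts src_ip user method url "user-agent"."""
    head, _, ua = line.partition(' "')
    ts, src_ip, user, method, url = head.split(maxsplit=4)
    # CONNECT lines carry host:port without a scheme; GET lines carry a full URL.
    host = urlsplit(url).hostname if "://" in url else url.split(":")[0]
    return {"ts": ts, "src": src_ip, "user": user, "host": host, "ua": ua.rstrip('"')}

def remote_access_report(lines):
    """Map (user, src_ip) -> set of tools seen, the report the thread's SELECT builds."""
    report = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        tool = classify(rec["host"], rec["ua"])
        if tool:
            report[(rec["user"], rec["src"])].add(tool)
    return dict(report)

# Constructed sample traffic; the "example.test" hosts are decoys that must not match.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.1.2.3 jdoe CONNECT secure.logmein.com:443 "Mozilla/5.0"
2024-05-01T09:00:05Z 10.1.2.3 jdoe GET http://intranet.example.test/ "Mozilla/5.0"
2024-05-01T09:01:10Z 10.1.2.7 asmith GET http://master1.teamviewer.com/din.aspx "DynGate"
2024-05-01T09:02:00Z 10.1.2.9 bwong GET http://relay.example.test/ "Mozilla/5.0 DynGate"
2024-05-01T09:03:00Z 10.1.2.11 cpatel GET http://logmein.com.example.test/ "Mozilla/5.0"
2024-05-01T09:04:00Z 10.1.2.11 cpatel GET http://www.gotomypc.com.example.test/ "Mozilla/5.0"
""".splitlines()
```

Running `remote_access_report(SAMPLE_LOG)` yields jdoe (LogMeIn), asmith (TeamViewer by host) and bwong (TeamViewer by user-agent only), while cpatel's two decoy hosts are not reported.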
Thank you Johannes, I got that and created the report. The problem with our setup is that there is no log decoder; however, I used the below query and got the output.
Select ip.src,username,alias.host,ip.dst,service type,time,src country exist,dst country exist
where alias.host contains 'netviewer.com','teamviewer.com','.radmin.com' and etc.....
Thanks for your valuable inputs!