
Search for "login" from IP Address?

Question asked by RSA Admin Employee on Nov 27, 2012
Latest reply on Dec 7, 2012 by RSA Admin

All,

I am currently analyzing emails with NetWitness. One indicator I typically see used in spear phishing incidents is the use of logging in with a different IP than the sending mail server. I am noticing this behavior mostly with Yahoo. Is there a way in NetWitness to create a search to pull up all network-related sessions in this way? I am not seeing this as a searchable piece of metadata. I created a regex to try to search, with no luck.

Thanks
