Informer does not have the ability to search through its past reports. Those reports exist and are stored locally on the IIS server (under wwwroot, nwreporterweb, results), but they are not in a searchable format. So if you are looking for something specific, say a known malicious IP address, and you want to know if it was listed on a prior report, you have to click through each day's reports and hope you get lucky. This is not a workable way to find something.
I recently joined a group that has a year's worth of past reports sitting on their Informer system, and I know there is some good intelligence stored in those reports. How could I get those old reports indexed and searchable?
IIS used to be able to add a local directory to an indexing service, but Microsoft doesn't really support that in IIS 7. I spent a couple of days trying to cobble together a generic search application for ASP.NET, and had mixed results. I also crippled our Informer box a couple of times playing with permissions. Not wanting to compromise the Informer application, I tried a different tack.
Microsoft Outlook has an outstanding search and indexing capability built in. So I grabbed all of the HTML reports under the results folder on the Informer box and dropped them into a local folder in my Outlook client.
Presto! I now had a searchable threat database built from a year's worth of Informer reports.
Now that I have a searchable archive, I have made sure to subscribe by email to all of the new Informer Report results. A rule in Outlook will make sure that each new report from the Informer will find its way into my indexed Outlook folder for easy searching.
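For a scripted lookup over a copy of the same results folder, the following added example (not part of the original post, and not Informer or NetWitness code) searches the text of every HTML report for one indicator. It assumes the reports were copied to a local folder as `.html` files readable as UTF-8; the function names are hypothetical and the sample reports are constructed.

```python
import re
from html.parser import HTMLParser
from pathlib import Path


class TextExtractor(HTMLParser):
    """Collect a report's text, ignoring tags, scripts and styles."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks, self.skipping = [], False

    def handle_starttag(self, tag, attrs):
        self.skipping = tag in ("script", "style")

    def handle_endtag(self, tag):
        self.skipping = False

    def handle_data(self, data):
        if not self.skipping:
            self.chunks.append(data)


def search_reports(root, indicator):
    """Return relative paths of reports under root that mention indicator."""
    # Lookarounds keep 203.0.113.7 from matching inside 203.0.113.70.
    pattern = re.compile(r"(?<![\w.])" + re.escape(indicator) + r"(?!\.?\w)", re.I)
    hits = []
    for path in sorted(Path(root).rglob("*.html")):
        parser = TextExtractor()
        parser.feed(path.read_text(encoding="utf-8", errors="replace"))
        parser.close()
        # Join with spaces so adjacent table cells do not run together.
        if pattern.search(" ".join(parser.chunks)):
            hits.append(path.relative_to(root).as_posix())
    return hits


def write_sample_reports(root):
    """Constructed sample data: three made-up reports in dated subfolders."""
    samples = {
        "2024-01-05/top_talkers.html": "<table><tr><td>203.0.113.7</td><td>443</td></tr></table>",
        "2024-01-06/top_talkers.html": "<table><tr><td>203.0.113.70</td><td>80</td></tr></table>",
        "2024-01-07/alerts.html": "<p>Beacon to <b>203.0.113.7</b>.</p><style>td{}</style>",
    }
    for name, body in samples.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
```

Point `search_reports` at the copied folder, not at the live directory on the Informer server, so the search needs no permission changes on that box.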
Hi Fielder,
How did you subscribe by email to the new reports in Informer?
We just went live with NetWitness recently, so I am not familiar with all the options just yet.
Thanks,
Joe