Using Informer Reports as a Searchable Intel Database

Discussion created by RSA Admin Employee on Nov 9, 2012
Latest reply on Mar 1, 2013 by RSA Admin

Informer does not have the ability to search through its past reports. Those reports exist and are stored locally on the IIS server (under wwwroot, nwreporterweb, results), but they are not in a searchable format. So if you are looking for something specific, say a known malicious IP address, and you wanted to know if it was listed on a prior report, you have to click through each day's reports and hope you get lucky. This is not a workable way to find something.

I recently joined a group that has a year's worth of past reports sitting on their Informer system, and I know there is some good intelligence stored in those reports.  How could I get those old reports indexed and searchable? 

IIS used to be able to add a local directory to an indexing service, but Microsoft doesn't really support that in IIS 7.  I spent a couple of days trying to cobble together a generic search application for ASP.net, and had mixed results.  I also crippled our Informer box a couple of times playing with permissions.  Not wanting to compromise the Informer application, I tried a different tack.

Microsoft Outlook has an outstanding search and indexing capability built-in.  So I grabbed all of the html reports under the results folder on the Informer box and dropped them into a local folder in my Outlook client. 

Presto! I now had a searchable threat database built from a year's worth of Informer reports.

Now that I have a searchable archive, I have made sure to subscribe by email to all of the new Informer Report results.  A rule in Outlook will make sure that each new report from the Informer will find its way into my indexed Outlook folder for easy searching.
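The same archive can be indexed directly from the HTML files without going through a mail client. This is an added example, not code from the original post or from the Informer product; the report file names and contents below are constructed samples, and the results folder path is something the reader supplies.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from pathlib import Path

# Constructed sample reports standing in for the HTML files Informer writes
# under wwwroot\nwreporterweb\results (names and contents are made up).
SAMPLE_REPORTS = {
    "2012-11-01_suspicious_dns.html": "<html><body><h1>Suspicious DNS</h1>"
        "<table><tr><td>198.51.100.23</td><td>evil-c2.example</td></tr></table></body></html>",
    "2012-11-02_top_talkers.html": "<html><body><h1>Top Talkers</h1>"
        "<table><tr><td>10.1.2.3</td><td>198.51.100.23</td></tr></table></body></html>",
    "2012-11-03_beaconing.html": "<html><body><h1>Beaconing</h1>"
        "<p>host 10.9.8.7 contacted bad.example every 60s</p></body></html>",
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)

class TextExtractor(HTMLParser):
    """Collect the visible text of a report, dropping the markup."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)

def extract_indicators(html):
    """Return the IPv4 addresses and domain names found in one report's text."""
    parser = TextExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    ips = set(IPV4.findall(text))
    domains = {d.lower() for d in DOMAIN.findall(text)} - ips  # drop dotted-quad matches
    return ips | domains

def build_index(reports):
    """Map each indicator to the set of report names that mention it."""
    index = defaultdict(set)
    for name, html in reports.items():
        for ioc in extract_indicators(html):
            index[ioc].add(name)
    return index

def load_results_dir(results_dir):
    """Read every .html report below the Informer results folder (path supplied by caller)."""
    return {p.name: p.read_text(errors="ignore") for p in Path(results_dir).rglob("*.html")}

def lookup(index, indicator):
    """Report names mentioning the indicator, sorted so date-prefixed names come oldest first."""
    return sorted(index.get(indicator.strip().lower(), set()))
```

For a real archive, replace SAMPLE_REPORTS with load_results_dir(path) and rebuild the index whenever a new report lands; the index is a plain dict, so it can be pickled or written to a small database for reuse.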