Hi all,
I am trying to create a report containing the alerts generated by the ESA rules for some range of time (e.g last 5 days).
The idea is to generate a report with the alert informations shown on the picture below (Severity, Alert Name, Count, etc).
Could anybody help me with this?
Thanks in advance.
What Joe explained is currently only option you have right now.
10.6.2 should include option to create report on ESA (queries ESA).
Thanks,
Miha
Miha,
Do you know release date for 10.6.2 ? My customers are also asking for this feature.
Is this built into 10.6.2.0? Can you point me to a link?
I think I found what I was looking for here RSA Security Analytics Reporting Guide starting on pg 114.
There must be some config issue where the reports app is not able to access the IMDB.
Thank you Joe and Miha.
I understood. I will try the Joe's resolution until the 10.6.2 release comes out.
Thank you very much.
John,
The IMDB is for connecting to Envision databases not for connecting to the ESA database to create reports. I know there was mention that 10.6.2 allows the creation of reports from ESA's Summary page but as of 10.6.2.2 you still cannot create reports directly from the Summary page data. The only way to do reports is to feed the alerts back into the Log Decoder, via syslog as the alerts happen, and use the Reporting Engine against the normal Netwitness Services (Concentrator/Broker).
There is a plan though for future versions to create reports off of ESA alerts though? The big use case would be creating reports of the domains detected through the context hub's/ESA's automated C&C detection process.
I'm pretty sure you can report off both the ESA( Alert) and the IM (incident) tables in 10.6.2.2.
IPDB is the envision database
currently the query that you could use to get prett close to that summary image in ESA (alert summary) is the following
summarize: custom
from: alert
select alert.name, alert.severity,count(alert.numEvents)
where alert.name exists
select your order by column
some things to note:
Thanks Eric, very cool and helpful! So the use case I am doing, is levering an ESA rule that is pretty much building a list anytime powershell.exe is run (not sure if this covers it while run in memory with say powerpick or something). I simply wanted to create a report of the user/service account/machines that are evoking powershell for validation purposes.
There may be a better way, but this is allowing me to get some practical exp. on these app. interconnections.
I have used the IMDB as data source on the Reporting Engine, but that only retrieve the "columns" of the alert or incident... there is any way to retrieve the related events of the alert?
Dear All,
I am trying to use the suggested method to use IMDB as a data source to export report for the alerts. However, it doesn't allow me to choose the option "from". I see that meta section keeps loading. Am I missing out something?
Thanks,
Utsav Sejpal
Nothing appears in the "From:" dropdown menu?
Have you added Incident Management as a Data Source in your Reporting Engine configuration?
My meta section loads once I select either alert or incident in the dropdown.
Hi Eric,
As per your instruction I was trying to create the same report via "NetWitness" Rules type, when I am creating the report then no any "from: alert" field is coming , I have left this and taken all remaining field. when I am testing this report getting message as below.
Error occurred while fetching data from source 'SA - Broker[127.0.0.1]'. Error details : Error occurred while fetching data from devices connected to 'SA - Broker[127.0.0.1]' . Please check logs for more details. |
Kindly Help me for same.
Thanks
Your rule type needs to be IMDB (Incident Management Database), not NWDB (NetWitness Database).
The only resolution for your ask that i'm aware of is to setup syslog notification for EACH and every alert and point to your syslog receiver on the alerts within the ESA, check the output notifications for syslog. Then take that reingestion and create a report from that information.