Maybe a feature to reset the ECAT IIOC rules will be good, tried to play with the rules, seems mess up.
Also reset function for all the data if possible.
What you guys thought?
I do not believe a reset button exists. The database is SQL and should be easy to backup and revert to older data sets.
I suppose you could clear the IOC (e.g. dbo.IOCQuery) related tables in the DB and import the default out of the box data into the relevant tables.
To get the default schemes/data, install endpoint DB separately and extract the default data you wish to insert.
You can also delete the IOC rules using the GUI by right clicking the rule on the InstantIOCs view and selecting 'Delete'.
For Netwitness logs/packets, there is reset function, how endpoint, maybe can come out a function also. When deploying in enterprise, not so easy to restore DB.
Another question is, for the Risk Score, can we control it? So if we reset the DB, what happen to the risk score?
Retrieving data ...