AnsweredAssumed Answered

First event of each event source

Question asked by Maximiliano Cittadini on Dec 28, 2017
Latest reply on Jan 2, 2018 by Maximiliano Cittadini

Like • Show 0 Likes0
Comment • 2

I have a customer running NW for Log and he needs to know the date and time of the first event saw in the platform for each event source... How can I achieve that?

Thanks in advance

Max

No one else has this question

Outcomes

2 Replies

roberto fasciani Jan 2, 2018 5:32 AM
Mark Correct
Correct Answer
Hello Max,
you should use a report with:

Rule Type: NetWitness DB
Name: First event of each event source
Summarize: Custom
Select: event.source, first(time)
Where: event.source exists
Group by: event.source

Ciao Roberto

PS:
not all events have event.source metadata, If you are interested in all the events saw in the platform, you should use device.ip or device.host instead of event.source
Like • Show 0 Likes0
Actions
- Maximiliano Cittadini @ roberto fasciani on Jan 2, 2018 8:24 AM
  Mark Correct
  Correct Answer
  Ciao Roberto, thank you so much for your response. I going to try it and I will let you know the results.
  Regards,
  Max
  Like • Show 0 Likes0
  Actions

First event of each event source

Outcomes

Related Content

Recommended Content