Pedro Queiros

Incidents "GroupBy" clause

Discussion created by Pedro Queiros on Apr 6, 2018

Hello all,

We're currently using version 11.1 of RSA NW and in the Incidents rule we have a new aggregation value that's handy: "Destination User Account".

In the past, we've been having problems creating incidents and aggregating them by username, e.g., for Brute Force Logins From Same Source. The previous aggregation value was "Source Username", but in the alerts the username was stored in "user_dst", so no aggregation was made.

Now we've changed the aggregation value to "Destination User Account" and incidents, apparently, are being created accordingly. The problem is that ${groupByValue1} is not displaying the username involved in the failed login attempts.

Is anyone having similar problems?

Also, can someone point me in the direction of creating custom aggregation values? I know we can probably do this in the /var/lib/netwitness/respond-server/data/aggregation_rule_schema.json file, but I'm having trouble finding documentation for the values that are acceptable in the "value" and "groupByField" fields.

Kind Regards,

Pedro Queirós
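The aggregation problem described in the post above, as an added example that is not part of the original discussion and is not RSA NetWitness code: a small model of the "group alerts by field, then open an incident when a group reaches a threshold" step. It shows why grouping on a source-username key silently produces no incident when the parser wrote the account name into user_dst, and what a ${groupByValue1}-style placeholder resolves to once the right field is chosen. The alert records, the field names user_src / user_dst / ip_src, the threshold and the placeholder substitution are assumptions made for the example, not the product's schema or template engine.

```python
from collections import defaultdict
from string import Template

# Constructed sample alerts (hypothetical). The field names mirror the
# user_src / user_dst meta keys mentioned in the post; the values are made up.
# Note that user_src is empty on every alert: the username only lives in user_dst.
SAMPLE_ALERTS = [
    {"alert_id": "a1", "ip_src": "10.0.0.5", "user_src": None, "user_dst": "alice", "outcome": "failure"},
    {"alert_id": "a2", "ip_src": "10.0.0.5", "user_src": None, "user_dst": "alice", "outcome": "failure"},
    {"alert_id": "a3", "ip_src": "10.0.0.5", "user_src": None, "user_dst": "alice", "outcome": "failure"},
    {"alert_id": "a4", "ip_src": "10.0.0.9", "user_src": None, "user_dst": "bob",   "outcome": "failure"},
    {"alert_id": "a5", "ip_src": "10.0.0.5", "user_src": None, "user_dst": "alice", "outcome": "success"},
]


def group_alerts(alerts, group_by_fields):
    """Bucket alerts by the tuple of values found in group_by_fields.

    An alert whose grouping field is absent or empty is skipped: there is
    nothing to aggregate on. This is the silent failure mode when the rule
    groups on user_src while the parser populated user_dst.
    """
    groups = defaultdict(list)
    for alert in alerts:
        key = tuple(alert.get(field) for field in group_by_fields)
        if any(value in (None, "") for value in key):
            continue
        groups[key].append(alert)
    return dict(groups)


def build_incidents(alerts, group_by_fields, threshold, title_template,
                    match=lambda a: a.get("outcome") == "failure"):
    """Open one incident per group that reaches `threshold` matching alerts.

    `title_template` uses ${groupByValue1}, ${groupByValue2}, ... placeholders,
    named after the placeholder in the post; substituting them with
    string.Template is an assumption of this example, not the product's
    template engine.
    """
    incidents = []
    matching = [a for a in alerts if match(a)]
    for key, members in sorted(group_alerts(matching, group_by_fields).items()):
        if len(members) < threshold:
            continue
        values = {f"groupByValue{i}": v for i, v in enumerate(key, start=1)}
        incidents.append({
            "title": Template(title_template).safe_substitute(values),
            "groupBy": dict(zip(group_by_fields, key)),
            "alert_ids": [a["alert_id"] for a in members],
        })
    return incidents


if __name__ == "__main__":
    template = "Brute Force Logins From Same Source: ${groupByValue1} / ${groupByValue2}"
    # Grouping on the empty user_src field: no group is ever formed, no incident opens.
    print(build_incidents(SAMPLE_ALERTS, ["ip_src", "user_src"], 3, template))
    # Grouping on user_dst: the three failures against "alice" become one incident.
    print(build_incidents(SAMPLE_ALERTS, ["ip_src", "user_dst"], 3, template))
```

The first call returns an empty list even though the same three failed logins are present; only the second call, grouped on the field that actually carries the account name, yields an incident whose title resolves ${groupByValue2} to the username.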