Is there any way to create a report on the ESA alerts generated, and/or the incidents raised?
Like a summary report on the alerts or incidents from RSA SA, along with their status? Like an exportable report, with the name of the alert, incident ID, remediation status included?
It'd be really helpful for tracking and management presentation.
check your RSA live subscription to add the Respond Report to allow you to do this if the report is not added by default
NetWitness Respond
The report displays a summary and detailed view of the incidents and alerts generated using NetWitness Respond.
REFERENCES
On RSA Link, see the NetWitness Respond Configuration and User Guides for details.
VERSIONS SUPPORTED
10.6.2 and higher
CONFIGURATION
You must configure the Respond service and database, alert data sources and aggregation rules for this report to populate.
DEPENDENCIES
* Common Event Format Log Parser
We're on SA 10.6.4.1. The Respond Server is available only Netwitness 11.x onwards.
Anything for 10.6.x, reporting on alerts and incidents?
Details state
VERSIONS SUPPORTED
10.6.2 and higher
Try to deploy it and run on your versions.
Yeah, I know it says that, and I did deploy and even subscribe to it.
But the service doesn't turn up in my Services, nor do I get the option to forward alerts to the Responder Service within my Reporting Engine configuration.
I don't see the service anywhere within my SA platform.
Not sure, why it's been listed as supported. Within Netwitness 11.x, I see there's a complete module dedicated to the Responder. Just don't find it anywhere in 10.6.4.1.
Hi Visham,
These are Reporting Engine Rules and Reports that query the system for alerts and incidents - when you subscribe and deploy these in your environment they will show up in the Reporting Engine:
In 10.6.x these rules query the Incident Management (IM) database, whereas in 11.x they query the Respond database. If you are forwarding your ESA alerts to the IM service, then these will help you report on that activity.
Give these a try, and let us know if you experience any issues with them.
Hi Joshua,
Thanks for that! I can now access the report.
Although, are there other metakeys that can be populated in the report, or just the ones listed by default?
Glad to help.
And unfortunately, the default keys are the only ones that can be populated into the report.
Hi Visham,
These are Reporting Engine Rules and Reports that query the system for alerts and incidents - when you subscribe and deploy these in your environment they will show up in the Reporting Engine:
In 10.6.x these rules query the Incident Management (IM) database, whereas in 11.x they query the Respond database. If you are forwarding your ESA alerts to the IM service, then these will help you report on that activity.
Give these a try, and let us know if you experience any issues with them.