AnsweredAssumed Answered

(Urgent) RSA NetWitness timeframe rule

Question asked by Haitham AbuHejleh on Apr 12, 2019
Latest reply on Apr 23, 2019 by Haitham AbuHejleh

Like • Show 0 Likes0
Comment • 3

Hi ,

I need urgent help in creating NetWitness rule as below:

1- MS DC users who logged in during a specific time frame (e.g. from 6:00PM-to-6:00AM).
2- MS DC users who upgraded into admin.
3- MS DC users who did brute-force attempts.

Looking forward to hearing from you asap

Haitham

No one else has this question

Outcomes

3 Replies

Haitham AbuHejleh Apr 17, 2019 6:59 AM
Mark Correct
Correct Answer
Hi ,

Any help please?
Like • Show 0 Likes0
Actions
Varun P G Apr 23, 2019 7:54 AM
Mark Correct
Correct Answer
Hi Haitham,

use case 1 :https://community.rsa.com/docs/DOC-53333 (check it would be of any help in NW)
use case 2: Monitor for the event id "4728"
use case 3: Monitor for the event id "4625" for same user name (set the threshold as per company's policy)

Regards,
Varun P G
Like • Show 0 Likes0
Actions
- Haitham AbuHejleh @ Varun P G on Apr 23, 2019 8:10 AM
  Mark Correct
  Correct Answer
  Hi Varun,
  
  I need NetWitness rule not ESA rule.
  
  Thanks,
  Haitham
  
  Haitham AbuHejleh
  SOC Senior Analyst
  
  Tel : 962 6 200 2000 Ext.3147
  E-mail :habuhejleh@umniah.com
  Website : www.umniah.com<http://www.umniah.com/>
  
  <https://www.instagram.com/umniah/>[cid:image236a3d.PNG@07561e8b.45ae050f]<https://web.facebook.com/Umniah/>[cid:imageff8e65.PNG@c6b6ef0c.4a95bc85]<https://www.youtube.com/user/Umniahbelong>[cid:image68a55a.PNG@678d6bc0.45bf859e]<https://twitter.com/Umniah>[cid:image704207.PNG@e0c02302.428c9685]<https://twitter.com/Umniah>[cid:imagee2cfa9.PNG@305fa0d5.4c986d70]<http://www.umniah.com>[cid:image522074.PNG@a4f08f18.49b0896a]<www.umniah.com>[cid:imagefec1aa.PNG@22fcf4ff.4eb90fcb]<https://www.umniah.com/en/content/Umniah-Application-1717>[cid:imageb44a54.PNG@a880d065.49a38944]<https://www.umniah.com/en/content/Umniah-Application-1717>
  <http://www.umniah.com>
  
  Haitham AbuHejleh
  SOC Senior Analyst
  
  Tel : 962 6 200 2000 Ext.3147
  E-mail :habuhejleh@umniah.com
  Website : www.umniah.com<http://www.umniah.com/>
  
  <https://www.instagram.com/umniah/>[cid:image740177.PNG@4eba3f7e.4d850406]<https://web.facebook.com/Umniah/>[cid:imageffe17a.PNG@3adbefed.40b7ac57]<https://www.youtube.com/user/Umniahbelong>[cid:imagec17f4d.PNG@54cb47f5.469da148]<https://twitter.com/Umniah>[cid:image9032d5.PNG@80292c4d.42b18d6a]<https://twitter.com/Umniah>[cid:imaged53dea.PNG@2e264583.4696e94a]<http://www.umniah.com>[cid:image23b504.PNG@a0129bd2.409fb7ab]<www.umniah.com>[cid:image6cf2c2.PNG@9d67f5a8.4c81a09e]<https://www.umniah.com/en/content/Umniah-Application-1717>[cid:image87f72e.PNG@b7a010ac.41bd9240]<https://www.umniah.com/en/content/Umniah-Application-1717>
  
  <http://www.umniah.com>
  Attachments
  - imageff8e65.PNG690 bytes
  - imageb44a54.PNG857 bytes
  - image68a55a.PNG712 bytes
  - imageffe17a.PNG690 bytes
  - image704207.PNG1.7 KB
  - imageb73136.PNG820 bytes
  - image236a3d.PNG555 bytes
  - imagee2cfa9.PNG673 bytes
  - image75730f.PNG4.9 KB
  - image522074.PNG2.0 KB
  - imagefec1aa.PNG744 bytes
  - image3461a1.PNG820 bytes
  - image740177.PNG555 bytes
  - imagec17f4d.PNG712 bytes
  - imaged53dea.PNG673 bytes
  - image9032d5.PNG1.7 KB
  - image6cf2c2.PNG744 bytes
  - image23b504.PNG2.0 KB
  - image87f72e.PNG857 bytes
  - image140972.PNG151 bytes
  - imagef38a79.JPG4.4 KB
  - image5460fd.JPG1.8 KB
  - image94289c.JPG1.9 KB
  - imagea84cee.JPG2.0 KB
  Like • Show 0 Likes0
  Actions

(Urgent) RSA NetWitness timeframe rule

Outcomes

Attachments

Related Content

Recommended Content