AnsweredAssumed Answered

(Urgent) RSA NetWitness timeframe rule

Question asked by Haitham AbuHejleh on Apr 12, 2019
Latest reply on Apr 23, 2019 by Haitham AbuHejleh

Like • Show 0 Likes0
Comment • 3

Hi ,

I need urgent help in creating NetWitness rule as below:

1- MS DC users who logged in during a specific time frame (e.g. from 6:00PM-to-6:00AM).
2- MS DC users who upgraded into admin.
3- MS DC users who did brute-force attempts.

Looking forward to hearing from you asap

Haitham

No one else has this question

Outcomes

3 Replies

Haitham AbuHejleh Apr 17, 2019 6:59 AM
Mark Correct
Correct Answer
Hi ,

Any help please?
Like • Show 0 Likes0
Actions
Varun Govindaraj Apr 23, 2019 7:54 AM
Mark Correct
Correct Answer
Hi Haitham,

use case 1 :https://community.rsa.com/docs/DOC-53333 (check it would be of any help in NW)
use case 2: Monitor for the event id "4728"
use case 3: Monitor for the event id "4625" for same user name (set the threshold as per company's policy)

Regards,
Varun P G
Like • Show 0 Likes0
Actions
- Haitham AbuHejleh @ Varun Govindaraj on Nov 10, 2019 10:21 AM
  Mark Correct
  Correct Answer
  Hi Varun,
  
  I need NetWitness rule not ESA rule.
  
  Thanks,
  Haitham
  Like • Show 0 Likes0
  Actions

(Urgent) RSA NetWitness timeframe rule

Outcomes

Related Content

Recommended Content