Hello All, I was wondering if anyone could help me use ESA with my packet concentrators to automate my process for investigating teleworkers logging in from different sources within a specific window.
I run a daily report that displays all of the users and their source IPs/source organizations (ISP, VPN, etc). I manually review these reports for users with more than one "org.src" value.
I know this could be easily done with logs and a SIEM, but since all I control is Netwitness packets I'm hoping there is a way to write an ESA rule that could highlight usernames with multiple unique "org.src" values, say in a 6 (or even 24) hour period, or would this overload the ESA?
Edited to add: I'm also asking this because if it's doable, it'll help me better understand creating more detailed ESA rules.
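The logic being asked for (flag a username seen from more than one distinct "org.src" inside a rolling 6 or 24 hour window) can be prototyped outside ESA first, so the thresholds and window can be tuned against the daily report before committing to a rule. The block below is an added example, not code from the original post or from NetWitness; the event rows are constructed sample data standing in for the user / org.src pairs the report lists, and `find_multi_org_users` is a hypothetical helper name.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, username, org.src). Values are made up
# for the example and do not come from any real report.
SAMPLE_EVENTS = [
    ("2024-01-10T08:00:00", "alice", "Example ISP"),
    ("2024-01-10T08:30:00", "bob",   "Example ISP"),
    ("2024-01-10T09:15:00", "alice", "Example VPN Provider"),  # 2nd org within 6h
    ("2024-01-10T12:00:00", "bob",   "Example ISP"),
    ("2024-01-10T18:30:00", "bob",   "Example Cable Co"),      # 10h after bob's first
]


def parse_events(rows):
    """Turn ISO-8601 timestamp strings into datetimes; other fields pass through."""
    return [(datetime.fromisoformat(ts), user, org) for ts, user, org in rows]


def find_multi_org_users(events, window_hours=6):
    """Return {username: sorted list of org.src values} for every user that was
    seen from more than one distinct org.src within any rolling window of
    window_hours. Input order does not matter; events are sorted by time.

    State is kept per user and bounded by the window, which is the same shape a
    streaming rule would need: only the events still inside the window are held.
    """
    window = timedelta(hours=window_hours)
    per_user = defaultdict(deque)  # username -> deque of (ts, org) inside window
    alerts = {}
    for ts, user, org in sorted(events):
        recent = per_user[user]
        # Expire anything older than the window relative to the current event.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        recent.append((ts, org))
        orgs = {o for _, o in recent}
        if len(orgs) > 1:
            alerts.setdefault(user, set()).update(orgs)
    return {user: sorted(orgs) for user, orgs in alerts.items()}


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for hours in (6, 24):
        print(f"{hours}h window:", find_multi_org_users(events, hours))
```

With the sample data, the 6 hour window flags only `alice` (two orgs 75 minutes apart), while the 24 hour window also flags `bob`, whose two orgs are 10 hours apart. Because the per-user buffer is trimmed to the window on every event, memory grows with the number of active users times events per window rather than with total traffic, which is the property to look for when deciding whether the equivalent ESA rule is affordable.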