ESA packet rules with large time windows?

Question asked by Joshua Cole on Sep 3, 2020
Latest reply on Sep 15, 2020 by Joshua Cole

Hello All, I was wondering if anyone could help me use ESA with my packet concentrators to automate my process for investigating teleworkers logging in from different sources within a specific window.


I run a daily report that displays all of the users and their source IPs/source organizations (ISP, VPN, etc). I manually review these reports for users with more than one "org.src" value.


I know this could be easily done with logs and a SIEM, but since all I control is NetWitness packets I'm hoping there is a way to write an ESA rule that could highlight usernames with multiple unique "org.src" values, say in a 6 (or even 24) hour period, or would this overload the ESA?


Edited to add: I'm also asking this because if it's doable, it'll help me better understand creating more detailed ESA rules.
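A stand-alone illustration of the windowed check described in the question, added here and not from the original post or from NetWitness: plain Python (not an ESA/EPL rule) run over constructed sample records in the shape of the daily report, flagging any user seen from more than one "org.src" within a sliding time window. The record layout and all values are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, user, ip.src, org.src), like the daily report
SAMPLE_EVENTS = [
    ("2020-09-03T08:00:00", "alice", "203.0.113.10", "ExampleISP"),
    ("2020-09-03T09:30:00", "bob", "198.51.100.7", "ExampleISP"),
    ("2020-09-03T10:15:00", "alice", "192.0.2.44", "ExampleVPN"),  # 2nd org within 6h
    ("2020-09-03T18:00:00", "bob", "198.51.100.9", "OtherISP"),  # 8.5h after bob's first
    ("2020-09-03T20:00:00", "bob", "198.51.100.9", "OtherISP"),
]


def find_multi_org_users(events, window=timedelta(hours=6)):
    """Return {user: set of org.src values} for every user seen from more
    than one org.src inside any sliding window of the given length.
    events: iterable of (iso_timestamp, user, ip_src, org_src), any order."""
    ordered = sorted(events, key=lambda e: e[0])  # same ISO format, so string sort is chronological
    recent = defaultdict(deque)  # user -> deque of (timestamp, org) still inside the window
    flagged = {}
    for ts_str, user, _ip, org in ordered:
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        # Expire entries older than the window, the way a time window does in a stream rule
        while q and ts - q[0][0] > window:
            q.popleft()
        q.append((ts, org))
        orgs = {o for _, o in q}
        if len(orgs) > 1:
            flagged.setdefault(user, set()).update(orgs)
    return flagged


if __name__ == "__main__":
    for hours in (6, 24):
        print(f"{hours}h window:", find_multi_org_users(SAMPLE_EVENTS, timedelta(hours=hours)))
```

Widening the window from 6 to 24 hours is what pulls bob into the result, which shows the trade-off the question raises between catching slower changes and keeping more state per user.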